Skip to content

Langflow CVE-2026-33017 cryptominer SSH worm

Summary

Trend Micro reported active exploitation of CVE-2026-33017, an unauthenticated Langflow code-execution path, to deploy a Linux cryptomining toolchain. The campaign turns exposed AI application infrastructure into a commodity-miner foothold: a single Python os.system() primitive downloads a shell script, stages a Go binary named lambsys, launches a customized XMRig miner, and attempts lateral movement through reused SSH keys.

Treat this as more than a noisy Monero miner. Trend Micro observed defense-evasion, rival-miner eviction, cron and loop-watchdog persistence, C2 heartbeating, and SSH key / known_hosts enumeration. If Langflow runs on CI/CD, developer, or automation infrastructure, one exposed instance can become an SSH-key exposure and downstream-host scoping problem.

Tags

Why this matters

  • AI workflow tools are increasingly deployed like internal developer utilities, but exposed unauthenticated endpoints can become internet-facing initial access.
  • The initial payload is ordinary curl ... | sh, so static controls that look for Langflow-specific malware will miss the broader pattern.
  • The malware's SSH-spread stage means incident scope depends on the service account: a low-privilege Langflow account might reach nothing, while a CI runner or developer workstation account might reach many production hosts.
  • Trend Micro ties the toolchain to older commodity miner tradecraft such as KORKERDS / MALXMR-style rival-account eviction, but describes new engineering in the Go rewrite, init_rmount, /var/tmp/.xlamb/, and updated C2 protocol.

Reported chain

Initial access

  • Trend Micro says exploitation targets Langflow's unauthenticated POST /api/v1/build_public_tmp/{flow_id}/flow endpoint.
  • The observed payload used Python's __import__('os').system(...) to execute a shell command inside the Langflow process.
  • The command downloaded isp.sh from 83[.]142[.]209[.]214:8080 and piped it to sh.
  • Trend Micro observed reuse of a hardcoded flow_id value, 0ee284cc-0eb1-493f-bc60-94fa8d1cfd18, across exploit attempts.

Dropper and lateral movement

  • isp.sh checks whether lambsys is already running, creates /var/tmp/.xlamb/, downloads the lambsys binary, launches it detached, and then attempts spread.
  • The SSH-spread logic enumerates id_rsa, id_ed25519, and id_dsa keys under ~/.ssh/, parses known_hosts, and queries SSH_AUTH_SOCK / ssh-add -l for loaded key context.
  • Trend Micro observed both pull and push paths: SSH to a target and download lambsys from C2, or SCP the local copy and execute it remotely.
  • SSH options included BatchMode=yes, ConnectTimeout=5, and StrictHostKeyChecking=no, reducing prompts that would otherwise stop the worm stage.

Runtime behavior

  • lambsys kills rival miners by process name and by active connections to mining-pool ports such as 3333, 4444, 5555, 6666, 7777, 3347, 14444, 14433, 56415, 9999, 13531, and 3380.
  • It deletes backdoor usernames akay and vfinder, an overlap Trend Micro associates with older KORKERDS / MALXMR cryptominer playbooks.
  • It raises the file-descriptor limit with ulimit -n 65535, disables or weakens controls such as the NMI watchdog, and strips immutable / append-only attributes from locations used by miner persistence.
  • It writes a cron watchdog that checks for lambsys every five minutes and can relaunch or redownload the binary.
  • It also starts an init_rmount bash loop that checks roughly every 60 seconds, redownloads missing payloads, and locks /tmp and /var/tmp with chattr +iua after deployment.
  • It downloads ks.tar, verifies the MD5 46096a72d84db5f1dafd944fcf6571c8, extracts a customized XMRig miner named procq, and connects to a mining pool over TCP/3333.
  • The C2 heartbeat uses JSON POSTs to 83[.]142[.]209[.]214:80/status.php about every 128 seconds, with fields such as downloading, running, and timestamp.

Defender heuristics

  • Inventory Langflow instances and confirm they are not publicly exposed; put Langflow behind authentication, VPN/ZTNA, or allow-listed management networks.
  • Upgrade Langflow according to vendor guidance; Trend Micro recommends version 1.9.0 or later and references a development fix that prevents public flows from accepting attacker-controlled data.
  • Review reverse-proxy and Langflow logs for POST /api/v1/build_public_tmp/, the hardcoded flow_id, python-requests/2.25.1, __import__('os').system, and curl ... | sh payloads.
  • Treat lambsys, /var/tmp/.xlamb/, /var/tmp/check_process.log, init_rmount, procq, and suspicious /var/spool/cron/crontabs/tmp.* artifacts as compromise pivots.
  • Hunt for chattr changes against /tmp, /var/tmp, /var/spool/cron, /etc/crontab, /etc/ld.so.preload, and ~/.ssh/authorized_keys.
  • Scope SSH exposure: identify the user running Langflow, enumerate keys and agent sockets it could access, review reachable hosts from known_hosts, and rotate keys if compromise is suspected.
  • Look for lambsys or SSH child processes spawned by Langflow, unexpected SCP/SSH fan-out, and outbound traffic to 83[.]142[.]209[.]214 on ports 80 and 8080.
  • For cleanup, remove persistence only after preserving evidence; check for immutable flags before deleting artifacts, then verify cron, SSH authorized keys, /tmp, /var/tmp, and miner processes across potentially reached hosts.

Attribution notes

  • Trend Micro frames the activity as commodity cryptominer operations targeting exposed AI application infrastructure, not as a named espionage or ransomware actor.
  • The KORKERDS / MALXMR overlap is a lineage hypothesis around reused techniques such as akay / vfinder eviction and SSH known_hosts worming; it is not proof of the same operator.

Sources

  • Trend Micro Research: https://www.trendmicro.com/en_us/research/26/f/from-langflow-to-monero-inside-cve-2026-33017-cryptominer.html