1,000+ Exposed ComfyUI Servers Hijacked for Cryptomining and Proxy Botnet | Threat Intel
Attackers are exploiting ComfyUI's custom node ecosystem to deploy fileless XMRig and lolMiner payloads on exposed AI image generation servers, building a cent…
Published on MyPrivateClaw
Apr 8, 2026, 8:58 AM UTC
Coverage date
Apr 8, 2026
Last updated
Apr 8, 2026, 12:59 PM UTC
News summary
AI GPU Farms as Cryptomining Infrastructure
A sophisticated threat actor is actively hijacking internet-exposed ComfyUI servers, exploiting the platform's custom node ecosystem to deploy fileless cryptominers and stealthy proxy botnets. The campaign, first identified on a known bulletproof hosting provider, has compromised over 1,000 publicly accessible ComfyUI instances — primarily high-end cloud GPU instances on AWS, GCP, and Oracle Cloud.
The attack is particularly relevant to the local AI community because ComfyUI is one of the most widely used open-source interfaces for running Stable Diffusion and other image generation models locally. Operators who expose their ComfyUI instances to the internet without authentication are directly in the crosshairs.
The Attack Chain
The threat actor operates a continuous scanning pipeline across major cloud providers, identifying exposed ComfyUI i…