ComfyUI breach wave targets AI servers

Hackers are exploiting internet-exposed ComfyUI servers in a monetisation campaign that turns poorly secured AI image-generation systems into cryptocurrency mining machines and proxy infrastructure, according to multiple security findings published this week. Researchers say more than 1,000 exposed ComfyUI instances remain reachable online after honeypots are filtered out, giving attackers a narrow but valuable pool of GPU-equipped targets spread across cloud environments.

The activity centres on unauthenticated ComfyUI deployments and the platform’s custom node ecosystem, which lets users add third-party extensions to expand functions. Security researchers say attackers are scanning cloud IP ranges for exposed servers, checking whether ComfyUI-Manager is installed and then abusing node-installation or code-execution paths to run malicious payloads. Once access is established, infected hosts are being used to mine Monero through XMRig and Conflux through lolMiner, while also being enrolled into a Hysteria v2-based proxy botnet managed from a Flask-driven command system.

Censys said it tracked the campaign back to March 12, when it identified a suspicious open directory on infrastructure tied to a bulletproof hosting provider. Over the following days, the toolset in that directory grew quickly, suggesting active development and operational scaling rather than a one-off intrusion. Researchers described a purpose-built Python scanner that continuously sweeps major cloud providers for vulnerable ComfyUI systems and automatically installs malicious nodes when no exploitable node is already present.

That level of automation matters because ComfyUI has become popular among developers, hobbyists and small operators running image-generation workloads on rented GPU servers. Many of those setups are created for speed and experimentation rather than hardened production security. Official ComfyUI documentation actively encourages the use of custom nodes and recommends ComfyUI-Manager as a standard way to search for, install and maintain them, which has helped build a rich extension ecosystem but also widened the attack surface when servers are left open to the internet without proper controls.

The current campaign also appears to build on earlier warnings around ComfyUI’s extension chain. In December 2024, security research showed that flaws in custom nodes could lead to full server compromise. Then, in March 2025, Doyensec disclosed a critical remote-code-execution issue in ComfyUI Manager before version 3.31, tracked as CVE-2025-45076, saying an unauthenticated attacker could bypass default protections and install a malicious custom node capable of executing commands on the host. That advisory did not describe the same campaign now under way, but it established that the software stack had already attracted serious scrutiny from offensive researchers.

Researchers tracking the April 2026 intrusions say the attackers are not merely dropping a miner and moving on. The malware labelled ghost. sh was described as using fileless execution, process masquerading, an LD_PRELOAD rootkit and multiple persistence methods to survive both reboots and attempts to remove the miner. Censys said version 8.2 of the scanner introduced two further reinfection mechanisms, including a disguised “GPU Performance Monitor” node that pulls the payload again every six hours and a poisoned default start-up workflow. That suggests operators are treating compromised ComfyUI systems as durable assets rather than opportunistic short-term infections.

The economics are straightforward. AI image-generation servers tend to have stronger graphics hardware than ordinary web servers, making them attractive for illicit mining. At the same time, a proxy botnet built from GPU hosts in commercial cloud ranges can be resold for traffic relay, evasion or abuse operations. Security reporting on broader cybercrime infrastructure has shown sustained demand for proxy networks, especially as criminal groups look for cleaner, more reputable IP space from which to route operations. In that context, ComfyUI becomes less a niche target than a specialised gateway into expensive compute and useful network positioning.

The campaign also underlines a wider problem in the fast-growing market for AI tooling: convenience often outruns security discipline. Open-source AI frameworks thrive because communities can add plugins rapidly, share workflows and deploy systems with minimal friction. Yet the same openness can create weak points when administrators expose dashboards publicly, skip authentication, run outdated components or trust unvetted extensions. The tension is not unique to ComfyUI, but the present case shows how quickly attackers will industrialise an exploit path once a cluster of internet-facing AI servers becomes visible.