A cryptocurrency-mining campaign is actively exploiting CVE-2026-33017, an unauthenticated RCE vulnerability in Langflow, to deploy the lambsys malware. The attack chain involves a bash dropper that establishes SSH-based lateral movement, followed by a Go-based payload that systematically disables Linux security controls, eliminates rival miners, and deploys a customized XMRig miner.