What happened
Attacker sends a single unauthenticated HTTP request to a Langflow API endpoint that evaluates Python code. The request contains one line of Python that fetches a remote shell script, which downloads the lambsys miner binary via curl or wget, launches it as a detached process, and initiates SSH-based lateral movement to connected hosts.