Vive La Vulnérabilité: French Kubernetes Cluster Hunts Your Webhook Endpoints

Between Jan 27 and Feb 3, 2026, GreyNoise observed a coordinated, high-volume scanning campaign (33,270 HTTP requests) originating from AS211590 (185.177.72.0/24) hosted on a Kubernetes cluster with Envoy service mesh; the activity focused on webhook file-upload and document-processing endpoints and specifically probed n8n for CVE-2026-21858 path-traversal/arbitrary file access, with detailed IoCs, temporal patterns, and mitigation recommendations included.