.png&w=1920&q=75)
JADEPUFFER: The First Fully Autonomous AI Ransomware Attack Has Arrived
Sysdig's Threat Research Team has documented what it assesses to be the first ransomware operation driven end-to-end by a large language model. The AI agent — dubbed JADEPUFFER — exploited a known vulnerability in Langflow, an open-source AI workflow framework, then autonomously completed reconnaissance, credential theft, lateral movement, privilege escalation, and database encryption with no human at the keyboard. More than 600 coordinated payloads were executed. The victim's 1,342 Nacos database configuration records were encrypted and deleted.
The day an AI agent carried out a real-world ransomware attack — from first foothold to extortion note — has now been documented.
What JADEPUFFER Actually Did
According to Sysdig's primary research report, the attack unfolded in two phases across two separate targets.
Phase one: gaining initial access. JADEPUFFER exploited CVE-2025-3248, an unauthenticated remote code execution flaw in Langflow's code validation endpoint that allows anyone with network access to run arbitrary Python on the host — no login required. The vulnerability was patched by the vendor in April 2025 and added to CISA's Known Exploited Vulnerabilities catalog in May of the same year. Langflow servers remain widely exposed on the internet, often deployed with minimal hardening and frequently holding cloud credentials, AI provider API keys, and other sensitive configuration data — making them high-value initial access targets.
Once inside the Langflow server, the AI agent began full reconnaissance: enumerating host information, scanning environment variables and configuration files, harvesting credentials. It accessed a MinIO object storage server using the factory-default credentials (minioadmin:minioadmin, never changed), systematically extracting files with credential-suggestive names. It then installed a cron job to send a heartbeat to attacker infrastructure every 30 minutes — establishing persistence before moving on.
Phase two: the real target. The Langflow server was never the point. JADEPUFFER pivoted to its true objective: a separate internet-exposed production server running MySQL and Alibaba's Nacos configuration service. The agent attacked Nacos through multiple simultaneous vectors — exploiting CVE-2021-29441 (a 2021 authentication bypass), forging valid JWTs using Nacos's well-known default signing key (publicly documented since 2020 and shipped unchanged in many deployments), and injecting a backdoor administrator account directly into the Nacos backing database.
The agent then encrypted 1,342 Nacos service configuration items, deleted the original tables, and left a ransom note. The critical irony: the AES encryption key was randomly generated, never persisted, and never transmitted. Even if the victim paid the ransom, data recovery would be impossible.
What Alarmed Researchers Most Wasn't the Techniques — It Was the Behavior
BleepingComputer and The Hacker News both emphasized that none of JADEPUFFER's individual attack techniques were novel. What distinguished the operation was something harder to quantify:
First: the payloads narrated themselves. JADEPUFFER's generated code contained natural language reasoning, target prioritization logic, and detailed annotations — the kind of commentary human attackers almost never write, but that LLM-generated code produces reflexively. This self-narration became the primary forensic evidence that the operation was LLM-driven.
Second: real-time self-correction. When an initial MinIO API request returned XML instead of expected JSON, the agent immediately adjusted its parser and reissued the request — without pausing for human input. When a Nacos administrator account creation attempt failed, the agent diagnosed the failure and generated a corrected payload in 31 seconds. The operation adapted continuously, throughout the entire attack chain.
An Important Qualifier: Not Quite "Fully" Autonomous
TechCrunch added a critical nuance to the coverage: while the AI agent handled all technical execution, a human was still involved in key decisions — selecting the victim, setting up the infrastructure, and supplying the initial stolen credentials. This wasn't AI crime from a standing start. It was a new division of labor: human sets the direction, AI handles every step of execution.
That distinction matters for the security community. It defines the current real boundary of autonomous AI attack capability — and points directly at where defensive focus should land.
The Skill Floor for Ransomware Has Permanently Dropped
Dark Reading cited security researcher Johan Edholm's framing: JADEPUFFER is "more evolution than invention." Exploiting an exposed service, harvesting credentials, moving laterally, abusing default configurations, destroying databases — these are all familiar techniques. What's new is that an AI agent strung them into a complete, adaptive ransomware operation without any operator expertise in any individual step.
Sysdig's conclusion is direct: ransomware no longer requires skilled practitioners. An LLM agent can chain reconnaissance, credential theft, lateral movement, persistence, and destruction — and if that agent runs on stolen credentials through LLMjacking, the cost to the attacker approaches zero.
Edholm's prediction for what comes next is the part enterprises should track closely: the earliest adopters of agentic ransomware will be actors who already know how to connect models to offensive tools and infrastructure. "As that tooling becomes packaged and reusable, it will spread to less capable operators. Criminal groups also tend to adopt new technology quickly because they are not constrained by procurement processes, compliance requirements, or other organisational bureaucracy."
Infosecurity Magazine points out that JADEPUFFER also creates new detection opportunities: LLM-generated payloads carry distinctive self-narrating patterns and behavioral signatures that differ measurably from human-authored code or fixed-toolkit malware. Behavioral detection tuned to these signals could catch future agentic campaigns earlier in the kill chain.
For enterprise security teams, CISA and Sysdig's immediate recommended actions are clear: patch Langflow and never expose its code-execution endpoints to the internet; store API keys and cloud credentials in a proper secrets manager, isolated from AI tool environments; change Nacos's default JWT signing key; never connect production databases with root-level credentials; and implement outbound traffic restrictions on any host that could be an initial access point.
Sources: Sysdig TRT / TechCrunch / BleepingComputer / Dark Reading
Related Articles

Anthropic in Early Talks With Samsung to Build a Custom AI Chip on 2nm Process
Anthropic has entered early-stage discussions with Samsung Electronics to manufacture its first custom AI chip, targeting Samsung's advanced 2-nanometer foundry process and packaging facilities. First reported by The Information and confirmed by TechCrunch, the talks remain exploratory — the chip's intended use, performance specs, and server integration are all still undecided. The move comes one week after OpenAI unveiled its custom Jalapeño inference chip with Broadcom, and signals that the race for hardware independence among frontier AI labs has moved from a strategic option to an active engineering effort.
Read MoreTRAE Writes 90% of Its Code With AI. ByteDance's VP Revealed Why That's a Problem
AI coding tools can multiply code output without delivering proportional business value. This article examines ByteDance’s 90/60 signal and explains why context engineering, architectural constraints, governance, and workflow integration determine whether AI-generated code can reach production.
Read More
OpenAI Launches Patch the Planet to Pay Down Open Source's Security Debt
OpenAI, alongside security firm Trail of Bits, vulnerability coordination platform HackerOne, and Calif, launched Patch the Planet on June 22 — an open-source security initiative pairing GPT-5.5-Cyber and Codex Security's AI-assisted vulnerability research with mandatory human expert review before any finding ever reaches a maintainer. The first five-day sprint covered 19 projects, surfaced hundreds of findings, and merged 37 patches. More than 30 critical open-source projects have now joined.
Read More