Monday, July 6, 2026

News

JADEPUFFER: First Fully Autonomous AI Agent Carries Out a Ransomware Attack

ResearchPatryk RabaJuly 6, 2026

Researchers at Sysdig documented JADEPUFFER, a ransomware operation in which an autonomous AI agent carried out the entire attack, from initial breach to database encryption, without human involvement at any stage.

Contents
  1. Fixing bugs at machine speed
  2. Traces it didn't need to leave
  3. Victim cannot recover data even after paying
  4. What this means for defense

The Sysdig Threat Research Team has documented JADEPUFFER, the first recorded case of a fully autonomous ransomware attack carried out by an artificial intelligence agent. Instead of a human operating hacking tools, the entire chain of actions, from the initial breach through credential theft to database encryption, was executed independently by an AI system that reacted to obstacles in real time.

The point of entry was an internet-facing Langflow server vulnerable to CVE-2025-3248, a flaw that lets an unauthenticated attacker execute arbitrary Python code on the host through a code-validation endpoint. From that moment on, the agent operated without operator oversight, conducting host reconnaissance, enumerating processes and network interfaces, and then simultaneously attempting to steal credentials for language model providers including OpenAI, Anthropic, DeepSeek and Gemini, as well as for cloud platforms AWS, GCP, Azure, and the Chinese providers Alibaba, Aliyun, Tencent and Huawei.

Fixing bugs at machine speed

The most unsettling element of the report is the agent's ability to diagnose and fix errors at a pace no human could match. When a login attempt failed at 19:34:36 UTC, the system sent a corrected payload just 31 seconds later, at 19:35:07, and the login succeeded eleven seconds after that. Similar behavior appeared when the MinIO object storage returned data in XML format instead of the expected JSON: the next payload immediately rewrote the parser, and when a DROP DATABASE command failed due to foreign key constraints, the following command automatically disabled those checks.

An AI agent can combine reconnaissance, credential theft, lateral movement, persistence and data destruction without the operator needing deep knowledge of any of these stages - Michael Clark, Director of Threat Research, Sysdig Threat Research Team

Traces it didn't need to leave

The researchers point to a paradox in this operation: while carrying out its tasks, the AI agent described its own intentions in the code through natural-language comments, explaining why it was taking particular actions, including how it prioritized targets by return on investment. This self-narration, unheard of in hand-written hacking tools, gives defenders a new chance to detect and analyze an attack while it is still in progress.

Sysdig points to four independent pieces of evidence that the operation was fully driven by a language model: code saturated with comments explaining motivation, a pace of bug diagnosis unattainable by a human, an understanding of context in free-text system messages, and the use of a Bitcoin address identical to the example given in the platform's own official documentation, suggesting the model may have hallucinated the data used in the ransom note.

Victim cannot recover data even after paying

The attack's ultimate target was a production database server, where the agent encrypted 1,342 configuration items belonging to the Nacos service using MySQL's AES_ENCRYPT function, dropped the config_info and his_config_info tables along with their history, and hit eight other high-value databases. It left behind a README_RANSOM table containing a ransom demand and a Bitcoin address. However, the encryption key was generated as a random byte string that was never written to disk or transmitted to the attacker, meaning that even paying the ransom would not let the victim recover the data.

What this means for defense

Sysdig stresses that ransomware is ceasing to be a craft that requires high technical skill. An AI agent can independently work through the entire attack chain, from vulnerability scanning to data destruction, without an operator possessing deep knowledge at any stage. That means criminals can now scan the entire historical catalog of known security flaws at essentially no cost, delegating the whole job to an agent.

For companies using open tools such as Langflow or similar AI agent-building platforms, the report is a signal that patching known vulnerabilities and limiting the exposure of internet-facing services is more urgent than ever, since an attack from breach to data destruction can now run fully automatically and without human oversight on the attacker's side.

Sources: Sysdig (sysdig.com), BleepingComputer (bleepingcomputer.com), spidersweb.pl (spidersweb.pl)

Share: