News
JadePuffer Ransomware Attack Carried Out by AI Agent With No Human Involvement
Sysdig researchers documented the first fully autonomous ransomware attack, in which an AI agent independently breached a network, exfiltrated data, and encrypted databases without a human at the keyboard.
Contents
Researchers at security firm Sysdig have described a ransomware operation called JadePuffer in which an agent built on a large language model carried out the entire attack chain on its own, from initial intrusion through data encryption to the ransom demand. It is the first documented case of a fully automated ransomware attack with no human supervising the individual steps in real time.
The entry point was a vulnerability in Langflow, a popular open-source tool for building applications on top of language models. CVE-2025-3248 allows unauthenticated remote code execution through a code-validation endpoint. The agent exploited this flaw to gain initial access to the victim's system, then planned the operation's subsequent steps entirely on its own.
How the agent operated
Once inside, the agent conducted reconnaissance, dumped PostgreSQL databases, searched through MinIO storage resources, and established persistence via cron jobs. Using the stolen credentials, it then moved laterally to a MySQL server running Alibaba Nacos, where it exploited CVE-2021-29441, an authentication-bypass vulnerability.
The most unsettling part of the operation was the agent's adaptive behavior. According to Sysdig's researchers, the AI responded to failures the way an experienced human operator running an attack by hand would, adjusting parameters and retrying in real time.
The operation adapted in real time, retrying failed steps with refined parameters. In one sequence, the agent went from a failed login to a working fix in 31 seconds - Sysdig Threat Research Team
A second-by-second timeline
Researchers reconstructed the exact sequence of one stage of the attack from the logs. A failed login to the Nacos backdoor occurred at 19:34:36 UTC, the agent diagnosed the cause at 19:34:48 UTC, sent a corrected payload at 19:35:07 UTC, and a successful login was logged at 19:35:18 UTC. The entire error correction, from detection to fix, took less than a minute and happened without any human intervention.
The agent ultimately encrypted 1,342 configuration items belonging to the Nacos service using MySQL's built-in AES_ENCRYPT function, then deleted the original versions of the data, making recovery impossible without paying the ransom. Over the course of the operation, the agent carried out more than 600 distinct, deliberately planned actions.
A new category of threat
Security researchers are now describing the emergence of a category known as agentic threat actors, attackers built around autonomous AI agents. Analysts say this lowers the barrier to entry for criminals, who no longer need advanced technical skills to run a multi-stage attack against a company's infrastructure.
At the same time, experts note that payloads generated by language models carry distinctive traits, such as natural-language comments, justifications for each step, and a reasoning-like prioritization of goals, rather than code typical of human operators. That could make this kind of attack easier for security systems to detect in the future.
Implications for businesses in Poland
For Polish IT security teams, the signal is clear: popular AI application-building tools like Langflow and configuration-management systems like Nacos are becoming real targets for attacks automated by AI agents, not just human criminal crews. Companies using open-source LLM frameworks should stay on top of updates and patch known vulnerabilities, since an AI agent can exploit a flaw disclosed even several years earlier, as was the case with CVE-2021-29441 from 2021.
The JadePuffer case also shows that the line between red-team security testing and real criminal attacks carried out with AI agents is blurring. Tools meant to help developers automate their work are, in the hands of criminals, also automating break-ins.
Sources: JadePuffer: Agentic ransomware for automated database extortion (sysdig.com), JadePuffer ransomware used AI agent to automate entire attack (bleepingcomputer.com)

