News
JADEPUFFER Ransomware: First Attack Carried Out Entirely by an AI Agent

Sysdig described an attack in which an autonomous large language model agent carried out the entire intrusion chain, from exploiting a Langflow vulnerability to encrypting a database and issuing a ransom demand, without human involvement at any stage.
Contents
Sysdig's research team disclosed details of an operation codenamed JADEPUFFER, which it describes as the first documented case of ransomware carried out from start to finish by an artificial intelligence agent. From reconnaissance through credential theft and lateral movement across the network, to encrypting a database and posting a ransom note, every step was carried out by an autonomous system built on a large language model.
How the Attack Unfolded
The entry point was a publicly accessible instance of Langflow, a popular tool for building AI workflows, vulnerable to CVE-2025-3248. The agent exploited it to achieve remote code execution, then carried out host reconnaissance, checking users, processes and network interfaces, before scanning environment variables and configuration files for API keys to services such as OpenAI, Anthropic and Gemini, credentials for AWS, GCP and Azure cloud accounts, and cryptocurrency wallets.
Using the stolen credentials, the agent moved laterally, reaching a production server running a MySQL database and Alibaba's Nacos service. There it exploited a flaw, known since 2020, in the default JWT token signing key, which let it forge an administrator identity and inject its own backdoor. The entire sequence, from initial access to full control of the database, unfolded without any human intervention.
Evidence of AI Autonomy
Sysdig's researchers note that the attack code itself gave away its origin. The payloads contained descriptive, natural-language comments explaining why a given target was chosen or estimating the value of the stolen data. One code fragment described the database as a priority for encryption because its contents had already been copied to the attacker's server.
This is the first documented case of agent-driven ransomware: a complete extortion operation carried out from start to finish by a large language model. - Sysdig Threat Research Team
The most telling evidence concerns the speed of the response to a setback. When a login attempt on the administrator account failed at 19:34:36 UTC, the agent analyzed the cause of the error and deployed a corrected, multi-step workaround within 31 seconds. That speed of adaptation is characteristic of a system generating and testing code in real time, not of a human typing commands by hand.
Ransom With No Way to Recover
After encrypting 1,342 configuration entries in the Nacos service, the agent deleted the originals and left behind a ransom note claiming the use of AES-256 encryption. In reality, the weaker AES-128 variant was used, and the key was generated as a random byte string that was only printed to the screen while the script ran, never written to disk or sent to the attacker's infrastructure. That means recovering the data would be impossible even if the victim paid the ransom. The Bitcoin wallet address listed in the note turned out to be a sample address taken straight from the official Bitcoin documentation, suggesting the attacker had not even set up real infrastructure to collect payments.
The barrier to entry for running ransomware attacks has dropped to the cost of running an agent, and if that agent is operating on stolen credentials, the cost to the attacker is close to zero. - Sysdig Threat Research Team
What It Means for the Industry
For companies using AI agent-building tools like Langflow, JADEPUFFER is a warning that publicly exposed instances of such systems have become real attack targets, and that vulnerabilities in them are being exploited faster than before. Sysdig points out that the rise of LLMjacking, the use of stolen API keys for language models, is pushing the cost of launching a fully autonomous attack close to zero.
For Polish companies deploying agentic AI solutions in production environments, this means these tools need to be treated like any other publicly exposed infrastructure, with regular patching, restricted access and monitoring for unusual activity. JADEPUFFER shows that an attack can go from breach to full extortion within tens of minutes, with no stage at which a human could step in and stop the operation.
Sources: Sysdig Threat Research Team analysis (sysdig.com), BleepingComputer (bleepingcomputer.com), Security Affairs (securityaffairs.com).
