On July 1, 2026, Sysdig’s Threat Research Team published findings on what it assessed as the first fully autonomous ransomware operation run end-to-end by an AI agent. The operator, named JADEPUFFER, used a large language model to break into a system, steal credentials, move through a network, encrypt a production database, and destroy data — with no human guiding each step. The entry point was CVE-2025-3248, a missing-authentication flaw in Langflow, an open-source framework for building AI workflows. The flaw was already fixed in Langflow 1.3.0 and added to CISA’s Known Exploited Vulnerabilities catalog on May 5, 2025 — over a year before this attack. Many servers were simply never updated.
The attack did not use any new or sophisticated techniques. It used old, unpatched software, default credentials that were never changed, and cloud secrets stored in the wrong places. What changed was the attacker — an AI agent that could write, debug, and run its own code at machine speed, recovering from a login error in 31 seconds and executing over 600 distinct payloads across the full operation. Shane Barney, CISO at Keeper Security, put it plainly: “Every entry point JADEPUFFER exploited traces back to a failure of credential governance: secrets stored where they should not be, default credentials left unchanged and privileged accounts left open with no time-bound or scope-limited controls in place.” This fits within a broader pattern of AI tools being used in offensive operations, including previously documented misuse of AI tools by bad actors — and raises questions tied to ongoing debates around AI access controls and governance.
The clearest proof that a language model was driving the attack was in the payloads themselves. Human attackers writing throwaway exploit code rarely explain their own reasoning in comments. JADEPUFFER’s scripts did — with step-by-step natural language annotations describing why each target was chosen, what the agent was doing, and what it expected to happen next. Michael Clark, Director of Threat Research at Sysdig, described this in the Sysdig research blog: the payloads “contained natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don’t often write but LLM-generated code produces reflexively.” Keeper Security’s own research found that 72% of organizations cannot detect credential misuse in real time, with most identifying unauthorized privileged access within hours rather than minutes — a window an AI agent can close in seconds.
The Nacos server used in the second stage had two long-standing weaknesses: CVE-2021-29441, a 2021 authentication bypass that works by spoofing the Nacos-Server User-Agent header, and a default JWT signing key that has been publicly documented since 2020 and ships unchanged in many deployments. The MySQL root credentials used to access the production database were not observed being taken from the victim’s Langflow environment — Sysdig confirmed their origin is unknown. Related government reporting on device and credential security gaps addressed similar themes during the same period. The fast pace of AI model development and deployment adds further context to why infrastructure built around AI tools is increasingly a target.
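A defender-side check for the two Nacos weaknesses just described, added here as an example and not code from the Sysdig report or the Nacos project: it flags requests that present the Nacos-Server User-Agent from outside the cluster, and audits an application.properties fragment for the auth settings behind both issues. The log layout, client addresses and the placeholder key value are constructed; the property names follow Nacos's 1.4/2.x auth configuration and vary by version.

```python
import re

# Constructed access-log lines (not from the Sysdig report), in a simple
# "<client-ip> <method> <path> <status> "<user-agent>"" layout.
SAMPLE_ACCESS_LOG = [
    '10.0.0.11 GET /nacos/v1/ns/instance/list 200 "Nacos-Server"',
    '203.0.113.7 GET /nacos/v1/auth/users?pageNo=1&pageSize=9 200 "Nacos-Server"',
    '203.0.113.7 POST /nacos/v1/auth/users 200 "Nacos-Server"',
    '198.51.100.4 GET /nacos/v1/cs/configs?dataId=app 403 "Mozilla/5.0"',
]
CLUSTER_MEMBERS = {"10.0.0.11", "10.0.0.12"}  # hosts allowed to speak server-to-server (constructed)
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def flag_spoofed_server_requests(lines, members: set[str]) -> list[dict]:
    """Requests presenting the Nacos-Server User-Agent from a non-cluster address.
    CVE-2021-29441 let that header stand in for authentication, so such a hit is
    the bypass being exercised rather than a peer node talking."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status, ua = m.groups()
        if ua == "Nacos-Server" and ip not in members:
            hits.append({"ip": ip, "method": method, "path": path, "status": int(status)})
    return hits

# Constructed application.properties fragment. The key value is a placeholder standing in
# for Nacos's published default, which the article notes has been public since 2020.
KNOWN_DEFAULT_KEYS = {"PLACEHOLDER_DEFAULT_TOKEN_SECRET_KEY"}
SAMPLE_PROPERTIES = """
nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=true
nacos.core.auth.default.token.secret.key=PLACEHOLDER_DEFAULT_TOKEN_SECRET_KEY
"""

def audit_nacos_auth_config(props: str, default_keys: set[str]) -> list[str]:
    """Return the weaknesses the article describes that are visible in the server config."""
    kv = dict(l.strip().split("=", 1) for l in props.splitlines() if "=" in l)
    findings = []
    if kv.get("nacos.core.auth.enabled") != "true":
        findings.append("authentication disabled")
    if kv.get("nacos.core.auth.enable.userAgentAuthWhite") == "true":
        findings.append("User-Agent allowlist enabled (CVE-2021-29441 bypass path)")
    key = kv.get("nacos.core.auth.default.token.secret.key", "")
    if not key or key in default_keys:
        findings.append("token.secret.key missing or still the documented default")
    return findings
```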
The storage service still accepts the default credentials minioadmin:minioadmin, from which a credentials.json file containing an access-key pair is retrieved. Staging files are deleted afterwards to remove traces.

After the login error, the corrective payload imports bcrypt directly rather than via subprocess. The bad account is deleted, the hash regenerated correctly, the account recreated, and login confirmed at 19:35:18. The entire correction cycle ran in 42 seconds from failure to success — 31 seconds from failure to corrective payload.

The 1,342 configuration items are encrypted with MySQL’s AES_ENCRYPT(). The original config and history tables are dropped. A README_RANSOM table is created with a Bitcoin address and Proton Mail contact. The encryption key is generated from two concatenated UUID4 values, printed once to stdout, and never stored or transmitted. Payment cannot restore the data. The ransom note claims AES-256; MySQL’s AES_ENCRYPT() defaults to AES-128-ECB.

When DROP DATABASE fails due to a cross-database foreign key constraint, the next payload adds SET GLOBAL FOREIGN_KEY_CHECKS=0 before the command. Code comments inside the payloads name databases as “high-ROI targets to drop” and claim data has been backed up to a staging IP. Sysdig found no evidence any backup was made.

The default Nacos token.secret.key has been publicly documented since 2020. Upgrade to a release that enforces a custom key. Never expose Nacos directly to the public internet.

The default credential pair minioadmin:minioadmin was still active. Audit all self-hosted storage, configuration, and service-discovery instances for unchanged factory defaults.

The JADEPUFFER operation, as documented by Sysdig on July 1, 2026, covered a complete ransomware cycle — initial access via CVE-2025-3248 in Langflow, credential harvesting across seven categories, lateral movement to a MySQL and Nacos production server using CVE-2021-29441 and a forged JWT, encryption of 1,342 configuration items, and mass schema deletion.
The report also covered the operation’s documented limits: no confirmed data exfiltration, an encryption key that was generated and discarded, and a Bitcoin ransom address drawn from developer documentation whose exact origin Sysdig could not determine. Related coverage of the evolving technology infrastructure landscape and AI tool access and export controls has been published separately. Full indicators of compromise are available in the Sysdig Threat Research Team’s original report.
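The database stage described above (in-place AES_ENCRYPT updates, a README_RANSOM table, and FOREIGN_KEY_CHECKS=0 issued before a retried DROP DATABASE) expressed as a per-session correlation rule over MySQL general-log entries. This is an added example, not code from the Sysdig report; the log lines, thread ids, database names and key are constructed.

```python
import re
from collections import defaultdict

# Constructed general-log-style entries in MySQL's "<time>\t<thread_id> <command>\t<sql>" layout.
# Timestamps, thread ids, names and the key are invented for this example, not taken from the report.
SAMPLE_GENERAL_LOG = """\
2026-07-01T19:40:01.000000Z\t   41 Query\tUPDATE config SET content = AES_ENCRYPT(content, 'k') WHERE 1=1
2026-07-01T19:40:02.000000Z\t   41 Query\tCREATE TABLE README_RANSOM (note TEXT)
2026-07-01T19:40:03.000000Z\t   41 Query\tDROP DATABASE orders
2026-07-01T19:40:05.000000Z\t   41 Query\tSET GLOBAL FOREIGN_KEY_CHECKS=0
2026-07-01T19:40:06.000000Z\t   41 Query\tDROP DATABASE orders
2026-07-01T19:40:07.000000Z\t   52 Query\tSELECT 1
"""

LINE_RE = re.compile(r"^(\S+)\t\s*(\d+) Query\t(.*)$")
AES_UPDATE = re.compile(r"^\s*UPDATE\b.*\bAES_ENCRYPT\s*\(", re.I)  # rows encrypted in place
RANSOM_TABLE = re.compile(r"^\s*CREATE\s+TABLE\s+\S*(README|RANSOM)", re.I)
FK_OFF = re.compile(r"^\s*SET\s+(GLOBAL\s+|SESSION\s+)?FOREIGN_KEY_CHECKS\s*=\s*0", re.I)
DROP_DB = re.compile(r"^\s*DROP\s+(DATABASE|SCHEMA)\b", re.I)

def detect_ransomware_sequence(log_text: str) -> list[dict]:
    """Flag, per session thread, bulk AES_ENCRYPT updates, ransom-note table creation,
    and the retry pattern of disabling foreign-key checks after a DROP DATABASE attempt.
    The general log does not record errors, so an earlier DROP is treated as an attempt."""
    alerts = []
    fk_disabled = defaultdict(bool)   # thread id -> FOREIGN_KEY_CHECKS=0 seen
    drop_attempts = defaultdict(int)  # thread id -> DROP DATABASE/SCHEMA statements seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, tid, sql = m.groups()
        def alert(rule: str) -> None:
            alerts.append({"ts": ts, "thread": tid, "rule": rule, "sql": sql})
        if AES_UPDATE.search(sql):
            alert("bulk_aes_encrypt_update")
        elif RANSOM_TABLE.search(sql):
            alert("ransom_note_table")
        elif FK_OFF.search(sql):
            fk_disabled[tid] = True
            if drop_attempts[tid]:
                alert("fk_checks_disabled_after_failed_drop")
        elif DROP_DB.search(sql):
            drop_attempts[tid] += 1
            if fk_disabled[tid]:
                alert("drop_database_with_fk_checks_off")
    return alerts
```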