AI Agent JADEPUFFER Ran Full Ransomware Attack Alone — Fixed Its Own Error in 31 Seconds, Encrypted 1,342 Records 

GigaNectar Team

A stylized illustration of a hooded hacker figure sitting at a computer, representing the archetypal image of a cyber attacker.

On July 1, 2026, Sysdig’s Threat Research Team published findings on what it assessed as the first fully autonomous ransomware operation run end-to-end by an AI agent. The operator, named JADEPUFFER, used a large language model to break into a system, steal credentials, move through a network, encrypt a production database, and destroy data — with no human guiding each step. The entry point was CVE-2025-3248, a missing-authentication flaw in Langflow, an open-source framework for building AI workflows. The flaw was already fixed in Langflow 1.3.0 and added to CISA’s Known Exploited Vulnerabilities catalog on May 5, 2025 — over a year before this attack. Many servers were simply never updated.

The attack did not use any new or sophisticated techniques. It used old, unpatched software, default credentials that were never changed, and cloud secrets stored in the wrong places. What changed was the attacker — an AI agent that could write, debug, and run its own code at machine speed, recovering from a login error in 31 seconds and executing over 600 distinct payloads across the full operation. Shane Barney, CISO at Keeper Security, put it plainly: “Every entry point JADEPUFFER exploited traces back to a failure of credential governance: secrets stored where they should not be, default credentials left unchanged and privileged accounts left open with no time-bound or scope-limited controls in place.” This fits within a broader pattern of AI tools being used in offensive operations, including previously documented misuse of AI tools by bad actors — and raises questions tied to ongoing debates around AI access controls and governance.

Key figures: 600+ AI payloads executed; 31 s from login error to self-fix; 1,342 configs encrypted; CVSS score 9.8 for CVE-2025-3248.
How JADEPUFFER Moved: Six Phases, Zero Humans

Attack chain (source: Sysdig TRT, July 1 2026):

1. Entry
2. Recon
3. Lateral
4. Persist
5. Ransom
6. Destroy

The clearest proof that a language model was driving the attack was in the payloads themselves. Human attackers writing throwaway exploit code rarely explain their own reasoning in comments. JADEPUFFER’s scripts did — with step-by-step natural language annotations describing why each target was chosen, what the agent was doing, and what it expected to happen next. Michael Clark, Director of Threat Research at Sysdig, described this in the Sysdig research blog: the payloads “contained natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don’t often write but LLM-generated code produces reflexively.” Keeper Security’s own research found that 72% of organizations cannot detect credential misuse in real time, with most identifying unauthorized privileged access within hours rather than minutes — a window an AI agent can close in seconds.

The Nacos server used in the second stage had two long-standing weaknesses: CVE-2021-29441, a 2021 authentication bypass that works by spoofing the Nacos-Server User-Agent header, and a default JWT signing key that has been publicly documented since 2020 and ships unchanged in many deployments. The MySQL root credentials used to access the production database were not observed being taken from the victim’s Langflow environment — Sysdig confirmed their origin is unknown. Related government reporting on device and credential security gaps addressed similar themes during the same period. The fast pace of AI model development and deployment adds further context to why infrastructure built around AI tools is increasingly a target.
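A configuration audit for the two Nacos weaknesses and the MinIO default login described above, added here as an example rather than code from Sysdig's report. The Nacos property names and MinIO variable names are the real ones; the placeholder default-key set, the 32-byte minimum and the handling of absent keys are assumptions.

```python
"""Added example, not code from the Sysdig report: audit Nacos
application.properties and a MinIO .env for the weaknesses above.
Property/variable names are real; thresholds are assumptions."""
from typing import Dict, List

# Real Nacos property names. NACOS_DEFAULT_KEYS is a placeholder set:
# fill it with the documented default token key for your Nacos version.
NACOS_AUTH_ENABLED = "nacos.core.auth.enabled"
NACOS_UA_WHITELIST = "nacos.core.auth.enable.userAgentAuthWhite"
NACOS_TOKEN_KEY = "nacos.core.auth.default.token.secret.key"
NACOS_DEFAULT_KEYS = {"<DOCUMENTED-DEFAULT-KEY-PLACEHOLDER>"}
MINIO_DEFAULT = "minioadmin"  # factory default login named on the page


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' or '!' starts a comment (.properties/.env)."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, val = line.partition("=")
        if sep:
            out[key.strip()] = val.strip().strip('"').strip("'")
    return out


def audit_nacos(props: Dict[str, str]) -> List[str]:
    """Findings for the auth bypass (CVE-2021-29441) and default JWT key."""
    findings: List[str] = []
    if props.get(NACOS_AUTH_ENABLED, "false").lower() != "true":
        findings.append("nacos: authentication disabled")
    # The Nacos-Server User-Agent bypass relies on this whitelist; an
    # absent key is treated as the legacy default 'true' (assumption).
    if props.get(NACOS_UA_WHITELIST, "true").lower() == "true":
        findings.append("nacos: User-Agent whitelist enabled (CVE-2021-29441)")
    key = props.get(NACOS_TOKEN_KEY, "")
    if not key:
        findings.append("nacos: no token secret set, built-in default applies")
    elif key in NACOS_DEFAULT_KEYS or len(key) < 32:
        findings.append("nacos: token secret is the default or under 32 bytes")
    return findings


def audit_minio(env: Dict[str, str]) -> List[str]:
    """Flag the unchanged minioadmin:minioadmin root login."""
    findings: List[str] = []
    if env.get("MINIO_ROOT_USER", MINIO_DEFAULT) == MINIO_DEFAULT:
        findings.append("minio: root user is the factory default")
    if env.get("MINIO_ROOT_PASSWORD", MINIO_DEFAULT) == MINIO_DEFAULT:
        findings.append("minio: root password is the factory default")
    return findings
```

Run the two audits over the files as deployed, since a MinIO started with no root variables set falls back to the factory login the page names.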

“The skill floor for running ransomware has dropped to whatever it costs to run an agent, and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero.”
Michael Clark, Director of Threat Research, Sysdig — Sysdig TRT Blog, July 1 2026
The Credential Sweep: Seven Categories, One Pass

Secrets harvested from the Langflow host, all collected after initial access via CVE-2025-3248:

- AI service keys: 4 providers
- Cloud credentials: 7 providers
- Crypto wallets: seed phrases
- Database logins: Postgres + MinIO
- Config files: .env, credentials.json
- MinIO storage: default login used

31 Seconds from Error to Fix: The Attack Sequence

Key timestamps from the operation, at machine speed:

T0: Entry — CVE-2025-3248 exploited (Langflow RCE via missing authentication)
JADEPUFFER targets an internet-facing Langflow server. The code validation endpoint requires no authentication, allowing the agent to execute Base64-encoded Python payloads directly. The flaw was patched in Langflow 1.3.0 and added to CISA’s KEV catalog on May 5, 2025.

Minutes after entry: Full credential sweep and MinIO looted on default login
The agent maps the machine and sweeps for AI service keys (OpenAI, Anthropic, DeepSeek, Gemini), cloud credentials covering Alibaba, Aliyun, Tencent, Huawei, AWS, Google Cloud, and Azure, cryptocurrency wallets and seed phrases, and database logins. Langflow’s Postgres database is dumped. MinIO object storage is accessed using the unchanged factory-default login minioadmin:minioadmin, from which a credentials.json file containing an access-key pair is retrieved. Staging files are deleted afterwards to remove traces.

19:34:24 UTC: Nacos backdoor account — first attempt fails
The agent pivots to the production MySQL and Nacos server. It uses root MySQL credentials — whose origin Sysdig could not determine, as they were not observed being taken from the victim’s environment. It attacks Nacos via CVE-2021-29441 (User-Agent spoofing bypass) and a forged JWT using Nacos’s default signing key, then inserts a backdoor admin account into the Nacos database. The bcrypt hash is stored as blank due to a subprocess PATH issue.

19:34:36 → 19:35:18 UTC (corrective fix issued at 19:35:07): Error diagnosed and corrected in 31 seconds
Login fails at 19:34:36. By 19:34:48 the agent has diagnosed two possible causes simultaneously. At 19:35:07 a corrective payload switches to import bcrypt directly rather than via subprocess. The bad account is deleted, the hash regenerated correctly, the account recreated, and login confirmed at 19:35:18. The entire correction cycle ran in 42 seconds from failure to success — 31 seconds from failure to corrective payload.

Shortly after Nacos takeover: 1,342 configs encrypted — encryption key discarded
All 1,342 Nacos service configuration items are encrypted via MySQL’s AES_ENCRYPT(). The original config and history tables are dropped. A README_RANSOM table is created with a Bitcoin address and Proton Mail contact. The encryption key is generated from two concatenated UUID4 values, printed once to stdout, and never stored or transmitted. Payment cannot restore the data. The ransom note claims AES-256; MySQL’s AES_ENCRYPT() defaults to AES-128-ECB.

~2 minutes after encryption: Database schemas dropped — agent narrates its own targets
The agent escalates to full schema deletion. When a DROP DATABASE fails due to a cross-database foreign key constraint, the next payload adds SET GLOBAL FOREIGN_KEY_CHECKS=0 before the command. Code comments inside the payloads name databases as “high-ROI targets to drop” and claim data has been backed up to a staging IP. Sysdig found no evidence any backup was made.
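The encrypt-then-drop sequence in the two final stages above leaves a distinctive trail in the MySQL general log. The following detector is an added example, not code from Sysdig or the page; the log layout it parses (time, thread id, command, statement), the rule weights, the threshold and the sample lines are all constructed assumptions.

```python
"""Added example, not from the Sysdig report: score MySQL general-log
lines per connection for the encrypt-then-drop sequence above. Log
layout, rule weights and the sample lines are constructed assumptions."""
import re
from collections import defaultdict
from typing import Dict, List

# Assumed general-log layout: time, thread id, command, statement.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")
# (statement pattern, weight, label); patterns mirror the report: AES_ENCRYPT
# rewrites, a README_RANSOM table, FK checks disabled, DROP statements.
RULES = [
    (re.compile(r"\bUPDATE\b.*\bAES_ENCRYPT\s*\(", re.I), 3, "aes_encrypt_update"),
    (re.compile(r"\bCREATE\s+TABLE\b.*RANSOM", re.I), 5, "ransom_note_table"),
    (re.compile(r"\bSET\s+GLOBAL\s+FOREIGN_KEY_CHECKS\s*=\s*0\b", re.I), 3, "fk_checks_off"),
    (re.compile(r"\bDROP\s+(TABLE|DATABASE)\b", re.I), 2, "drop"),
]


def score_log(lines: List[str]) -> Dict[str, dict]:
    """Return {thread_id: {'score': int, 'hits': [labels]}} for Query lines."""
    threads: Dict[str, dict] = defaultdict(lambda: {"score": 0, "hits": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "Query":
            continue
        tid, stmt = m.group(2), m.group(4)
        for rx, weight, label in RULES:
            if rx.search(stmt):
                threads[tid]["score"] += weight
                threads[tid]["hits"].append(label)
    return dict(threads)


def suspicious_threads(lines: List[str], threshold: int = 8) -> List[str]:
    """Thread ids whose cumulative score reaches the (assumed) threshold."""
    return [t for t, v in score_log(lines).items() if v["score"] >= threshold]


# Constructed sample: thread 42 follows the report's sequence; 7 is benign.
SAMPLE = [
    "2026-07-01T19:40:01Z\t   42 Query\tUPDATE config_items SET body=AES_ENCRYPT(body,'k')",
    "2026-07-01T19:40:02Z\t   42 Query\tDROP TABLE config_history",
    "2026-07-01T19:40:03Z\t   42 Query\tCREATE TABLE README_RANSOM (note TEXT)",
    "2026-07-01T19:42:10Z\t   42 Query\tSET GLOBAL FOREIGN_KEY_CHECKS=0",
    "2026-07-01T19:42:11Z\t   42 Query\tDROP DATABASE orders",
    "2026-07-01T19:42:12Z\t    7 Query\tSELECT body FROM config_items LIMIT 1",
]
```

Scoring per connection rather than per statement is what separates a routine DROP TABLE from the full sequence, and the whole sequence here spans about two minutes, so the alert has to fire on the stream rather than a nightly batch.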
“Security research found that 72% of organizations cannot detect credential misuse in real time, with most identifying unauthorized privileged access within hours rather than minutes. An AI agent operating at machine speed can move from initial access to full destruction well inside that window.”
Shane Barney, CISO, Keeper Security — via Keeper Security “Identity Security at Machine Speed” 2026

Every Lock JADEPUFFER Picked — and How to Change It

Seven controls that would have stopped this operation, based on Sysdig’s recommendations in the July 1, 2026 research report.

The JADEPUFFER operation, as documented by Sysdig on July 1, 2026, covered a complete ransomware cycle — initial access via CVE-2025-3248 in Langflow, credential harvesting across seven categories, lateral movement to a MySQL and Nacos production server using CVE-2021-29441 and a forged JWT, encryption of 1,342 configuration items, and mass schema deletion. The report also covered the operation’s documented limits: no confirmed data exfiltration, an encryption key that was generated and discarded, and a Bitcoin ransom address drawn from developer documentation whose exact origin Sysdig could not determine. Related coverage of the evolving technology infrastructure landscape and AI tool access and export controls has been published separately. Full indicators of compromise are available in the Sysdig Threat Research Team’s original report.
