JADEPUFFER Agentic AI Ransomware Attack

JADEPUFFER agentic AI ransomware is, according to Sysdig’s Threat Research Team, the first publicly documented case of a ransomware attack executed start to finish by an autonomous AI agent — from initial access through a Langflow vulnerability to database encryption and extortion, with no human operator directing any step.
What Happened
Sysdig identified JADEPUFFER, this agentic AI ransomware operation, as what it calls an “agentic threat actor” — an operator whose entire attack capability was delivered by an AI agent rather than a human-driven toolkit. The agent gained initial access through CVE-2025-3248, a missing-authentication remote code execution flaw in Langflow’s code validation endpoint, patched by the vendor in April 2025 and added to CISA’s Known Exploited Vulnerabilities catalog the following month.
From that foothold, the AI agent autonomously dumped Langflow’s PostgreSQL database, collected host information, searched for environment variables and sensitive files, retrieved credentials, and enumerated a connected MinIO object store. The enumeration behavior was notably adaptive: when an initial API request expecting JSON received an XML response instead, the agent immediately rewrote its own parser to match the unexpected schema and re-issued the request — without any human intervention.
The agent then pivoted to a separate, internet-facing production MySQL server running Alibaba Nacos, a naming and configuration service, using root credentials whose origin Sysdig could not determine. It exploited CVE-2021-29441, a known Nacos authentication-bypass flaw, to create rogue administrator accounts, then encrypted 1,342 service configuration items using MySQL’s built-in AES_ENCRYPT() function, deleted the original tables, and created an extortion table containing a ransom demand, a Bitcoin payment address, and a Proton Mail contact address. In one documented sequence, the agent diagnosed and corrected a failed login attempt in 31 seconds. Notably, the encryption key was printed once during the operation and never saved or transmitted elsewhere — meaning even a victim willing to pay would have no guaranteed path to recovery.
Why It Matters
JADEPUFFER is the clearest milestone yet in a 2026 progression that has moved from AI-assisted vulnerability discovery, to AI-assisted exploit development, to AI-generated attack tooling, and now to full autonomous execution of an intrusion-to-extortion chain. Every one of JADEPUFFER’s individual techniques — exploiting a known CVE, dumping a database, encrypting data, leaving a ransom note — is unremarkable on its own. What is new is that no human had to direct, correct, or even monitor any of it in real time, and the agent adapted to unexpected conditions (like the JSON/XML mismatch) the way a competent human operator would, but at machine speed.
For incident response teams, this breaks a quiet assumption baked into most playbooks: that attacker mistakes and hesitation create detection windows. An agent that fixes its own errors in 31 seconds does not behave like the human adversaries most detection tooling and response runbooks were tuned against.
What You Should Do Now
- Patch any internet-facing Langflow instance to a version that addresses CVE-2025-3248 immediately, and confirm no instance is reachable from the public internet without authentication in front of it.
- Audit any AI-orchestration or automation server (Langflow, similar low-code AI platforms) for stored cloud provider API keys or credentials; these should be scoped to a secrets manager, never held directly on a web-reachable process.
- Review Nacos or similar configuration-service deployments for CVE-2021-29441 and other known authentication-bypass issues; this vulnerability is four years old and still being actively exploited in 2026.
- Add runtime behavioral detection for database processes issuing bulk AES_ENCRYPT() calls or mass table drops — signature-based detection will not catch AI-generated attack sequences that vary each time.
DIESEC Perspective
This is a pattern we expect to accelerate rather than remain a one-off. The interesting part isn’t that an AI agent could chain together known vulnerabilities and public exploitation techniques — a capable human red-teamer could do the same. The interesting part is that it needed no supervision to do so, and that its self-correction speed compresses the “attacker fumbling” window that a lot of detection strategy quietly relies on. Any organization running internet-facing AI orchestration tools should treat them with the same exposure discipline as a database server, not a developer convenience tool.
Not sure whether your organization’s AI orchestration or low-code automation platforms are exposed the same way Langflow was here? Contact DIESEC for a rapid AI infrastructure exposure assessment.
Sources: Sysdig | The Hacker News
Published: 2026-07-08 | Category: AI Security | ~4 min read

