What happened
Researchers from Sysdig identified what they believe is the first documented case of a ransomware operation conducted entirely by a large language model agent.
The ransomware operation, called JadePuffer, used an autonomous AI agent to carry out multiple phases of the attack, including reconnaissance, credential theft, lateral movement, persistence, privilege escalation, and data encryption.
The attack began with exploitation of CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow, an open-source framework used to build LLM applications.
After gaining code execution on the Langflow instance, the AI agent dumped the Langflow PostgreSQL database, collected host information, searched for environment variables and sensitive files, retrieved credentials, and enumerated a MinIO object store.
Researchers said the agent adapted when earlier steps failed. In one example, when a MinIO API request returned XML instead of JSON, the agent adjusted its parsing logic in the next payload.
The attacker also established persistence on the Langflow host by installing a cron job that beaconed to attacker infrastructure every 30 minutes.
From the Langflow environment, the attacker pivoted to a production MySQL server running Alibaba Nacos using root credentials whose origin researchers could not determine.
The Nacos environment was targeted with multiple payloads, including one that exploited CVE-2021-29441, an authentication bypass vulnerability that can create rogue administrator accounts.
The AI agent then probed for container escape methods and deployed the ransomware payload. Researchers said JadePuffer encrypted 1,342 Nacos service configuration items, deleted the original configuration and history tables, and created an extortion table containing the ransom demand, a Bitcoin payment address, and a Proton Mail contact.
The ransom note claimed the data was encrypted with AES-256, though researchers believe the actual encryption was likely weaker. They also found that the encryption key was randomly generated but not stored or transmitted to the attacker.
The Bitcoin address in the ransom note was a public example address commonly used in documentation, suggesting the AI agent may have reproduced it from training data rather than generating a real payment destination.
Researchers said the case shows that agentic threat actors are no longer theoretical. However, they also noted that LLM-generated payloads can create new detection opportunities because of their structure, comments, and operational patterns.
Who is affected
Organizations running exposed Langflow instances are directly affected, especially if they have not patched CVE-2025-3248.
The risk is highest for internet-facing AI application environments that contain cloud credentials, API keys, databases, object storage access, or internal service credentials.
Organizations using Nacos, MinIO, PostgreSQL, MySQL, containers, or AI application frameworks should also pay attention because the attack moved from an exposed AI app into production services and configuration data.
Security teams should treat exposed AI development tools and agent frameworks as part of the enterprise attack surface, not as isolated experimental systems.
Why CISOs should care
This incident shows how AI agents can compress the ransomware kill chain. The campaign reportedly used an autonomous agent to perform reconnaissance, adapt to failures, steal credentials, move laterally, establish persistence, escalate privileges, and encrypt data.
For CISOs, the Langflow entry point is especially important. AI application frameworks are increasingly deployed quickly, sometimes with minimal hardening, while still holding valuable secrets such as API keys, environment variables, cloud credentials, and database access.
The attack also highlights the risk of configuration data. JadePuffer encrypted Nacos service configuration items rather than only files on a traditional endpoint. That kind of disruption can affect service discovery, application behavior, production availability, and recovery operations.
At the same time, the apparent AI mistakes are meaningful. The unused or unrecoverable encryption key and example Bitcoin address suggest current AI-driven attacks may still produce operational errors, which defenders can use as detection and investigation signals.
3 practical actions
- Patch and restrict Langflow deployments: JadePuffer gained initial access through CVE-2025-3248 in Langflow. CISOs should patch affected instances, remove unnecessary internet exposure, and place AI development tools behind strong authentication and trusted network controls.
- Harden secrets and service configuration stores: The agent searched for environment variables, sensitive files, credentials, MinIO access, and Nacos configuration data. Security teams should limit secrets exposure, rotate credentials after suspected compromise, and monitor access to configuration databases and object stores.
- Detect agentic attack behavior, not just known malware: The attack adapted to errors, generated new payloads, installed cron persistence, and used natural-language-style comments in code. Defenders should look for rapid iterative command execution, unusual script generation, suspicious cron jobs, automated enumeration, and abnormal database encryption or table deletion activity.
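Two of the behaviors named above, a short-interval cron beacon to an external host and deletion of configuration tables, can be checked with simple log matching. The following is an added example written for this page, not Sysdig's tooling; the sample crontab and MySQL general-log lines are constructed, and the watched table names are an assumption since the report only says "configuration and history tables".

```python
import re

# A crontab entry is five schedule fields followed by the command.
CRON_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
DOWNLOADER_RE = re.compile(r"\b(curl|wget|nc|python3?\s+-c)\b")
URL_RE = re.compile(r"https?://([^/\s:]+)")
PRIVATE_HOST_RE = re.compile(r"^(localhost|127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
# DROP/TRUNCATE TABLE with optional IF EXISTS and optional backticks.
DROP_RE = re.compile(r"\b(DROP|TRUNCATE)\s+TABLE\s+(?:IF\s+EXISTS\s+)?`?(\w+)`?", re.I)

def find_beacon_crons(crontab_text, max_interval_min=60):
    """Return (interval_minutes, host, line) for entries that call out to a
    non-private host on a fixed short interval, the pattern a beacon leaves."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue
        step = re.fullmatch(r"\*/(\d+)", m.group(1))  # minute field like */30
        if not step or int(step.group(1)) > max_interval_min:
            continue
        cmd = m.group(6)
        url = URL_RE.search(cmd)
        if not DOWNLOADER_RE.search(cmd) or not url or PRIVATE_HOST_RE.match(url.group(1)):
            continue
        hits.append((int(step.group(1)), url.group(1), line))
    return hits

def find_config_table_drops(log_lines, watched_tables):
    """Return (table, line) for DROP/TRUNCATE statements against watched tables."""
    alerts = []
    for line in log_lines:
        m = DROP_RE.search(line)
        if m and m.group(2).lower() in watched_tables:
            alerts.append((m.group(2), line.strip()))
    return alerts

# Constructed sample input: one benign job, one beacon, one local health check.
SAMPLE_CRONTAB = """# constructed sample crontab
0 2 * * * /usr/local/bin/backup.sh
*/30 * * * * curl -s http://c2.example.invalid/ping >/dev/null 2>&1
*/5 * * * * wget -qO- http://127.0.0.1:9000/health
"""
# Constructed MySQL general-log lines; table names are assumed, not from the report.
SAMPLE_MYSQL_LOG = [
    "2025-01-01T10:00:00Z 17 Query SELECT * FROM config_info LIMIT 1",
    "2025-01-01T10:00:05Z 17 Query DROP TABLE IF EXISTS `config_info`",
    "2025-01-01T10:00:06Z 17 Query DROP TABLE his_config_info",
]
WATCHED_TABLES = {"config_info", "his_config_info"}
```

Run against real `/etc/cron*` and user crontabs and against the MySQL general or audit log; the interval threshold and the watched-table set are the two values to tune for your environment.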
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.