What happened
Researchers at Sysdig have documented what they describe as the first fully autonomous ransomware attack driven end-to-end by a large language model (LLM). The campaign, dubbed JadePuffer, completed an entire ransomware operation without requiring human intervention during the attack.
According to Sysdig, JadePuffer initially exploited CVE-2025-3248, a remote code execution vulnerability affecting Langflow, an open-source platform for building AI applications. After gaining initial access, the attack moved laterally to a separate Internet-facing production server hosting a MySQL database and Alibaba Nacos.
The AI agent then enumerated database contents, exfiltrated selected data, deleted the database, and left an extortion note demanding payment. Throughout the attack, it adapted its behavior in real time, retrying failed actions with modified parameters until successful.
Michael Clark, Director of Threat Research at Sysdig, noted that the malware’s payloads even included natural language reasoning and detailed annotations, highlighting how AI can autonomously coordinate multiple stages of an intrusion. Meanwhile, Johan Edholm, co-founder of Detectify, described the techniques as familiar but emphasized that their autonomous orchestration marks an important evolution in ransomware.
Who is affected
Organizations operating Internet-facing AI infrastructure are most immediately at risk, particularly those using vulnerable Langflow deployments or exposing code-execution services to the public Internet.
The attack also highlights broader risks for enterprises running cloud workloads, production databases, configuration management platforms such as Alibaba Nacos, or AI orchestration environments connected to sensitive credentials. As AI-driven offensive tooling becomes more accessible, organizations across industries should expect increasingly automated attacks that require little human oversight.
Why CISOs should care
JadePuffer demonstrates that AI can now coordinate an entire ransomware operation rather than simply assist attackers with individual tasks. Instead of relying on predefined scripts, the AI agent adjusted its actions dynamically when obstacles were encountered, reducing the need for experienced human operators.
For security leaders, this represents a shift in attacker capabilities. As autonomous offensive AI matures, organizations may face faster attacks, greater scale, and shorter response windows. Continuous monitoring, rapid patch management, and securing AI infrastructure will become increasingly important defensive priorities.
3 practical actions
- Patch Langflow deployments to versions that remediate CVE-2025-3248 and eliminate unnecessary Internet exposure.
- Review AI infrastructure for exposed code-execution endpoints, API keys, cloud credentials, and configuration services such as Alibaba Nacos.
- Strengthen continuous monitoring and threat detection to identify automated lateral movement and rapid attack progression before significant damage occurs.

