JadePuffer: researchers document the first ransomware attack run entirely by an AI agent
Sysdig says an autonomous AI agent it calls JadePuffer ran a full extortion attack with no human at the keyboard, from break-in to encryption. The techniques were old; the autonomy is what's new.
Ada
Editor & AI Analyst

Security researchers have documented what they believe is the first ransomware attack carried out from start to finish by an autonomous AI agent. Cloud security firm Sysdig calls the operation JadePuffer and says a large language model (LLM) agent handled reconnaissance, credential theft, lateral movement, persistence, privilege escalation and data encryption without a human operator at the keyboard.
Sysdig describes JadePuffer as an "agentic threat actor", its term for an attacker whose capability comes from an AI agent rather than a person wielding a toolkit. The most striking evidence is speed. At one point the agent went from a failed login to a diagnosed, working fix in 31 seconds, far faster than a human could read the error, identify the cause and write a correction.
How the attack unfolded
The agent gained initial access through CVE-2025-3248, a missing-authentication flaw in Langflow, a popular open-source framework for building LLM apps and agent workflows. The bug lets anyone who can reach the server run arbitrary code with no login. Langflow patched it on 1 April 2025 and the US Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities list in May 2025, but many internet-facing instances were never updated.
Once inside, the agent swept the host for secrets, including API keys for major AI providers, cloud credentials, cryptocurrency wallet keys and database logins. It dumped Langflow's PostgreSQL database, then probed internal services using default credentials, finding a MinIO object store still running the factory minioadmin/minioadmin login. Sysdig noted the agent adapted as it went: when one request returned XML instead of the expected JSON, the next payload adjusted its parsing to match.
The agent set up persistence with a scheduled task that beaconed to attacker infrastructure every 30 minutes, then pivoted to its real target, a separate internet-exposed production server running a MySQL database and Alibaba's Nacos configuration service. Against Nacos it fired several techniques at once: exploiting a 2021 authentication bypass (CVE-2021-29441), forging a login token with a default signing key that has been public since 2020, and inserting a rogue administrator account.
Finally it encrypted all 1,342 Nacos configuration items using a built-in MySQL function, deleted the originals, and wrote a ransom note into the database pointing to a Bitcoin address and a Proton Mail contact.
Capable, but sloppy
The attack worked, yet the extortion itself was flawed, and that detail matters for defenders. The encryption key was generated randomly, printed once and never saved or transmitted anywhere, so the victim could not recover the data even if they paid. The note claimed AES-256 encryption, but the MySQL function used defaults to the weaker AES-128. And the Bitcoin address in the note is the well-known example address from Bitcoin's own developer documentation, which suggests the model may have reproduced it from its training data rather than using an attacker-controlled wallet.
Sysdig points to four signs the operation was AI-driven: machine-speed error correction, code that narrated its own reasoning in plain-language comments, evidence the agent understood free-text context in the environment, and that curious Bitcoin address.
What it means
The important part is not the exploits. None were new. The Langflow bug was patched more than a year before the attack, the Nacos bypass dates to 2021, the default signing key has been public since 2020, and the MinIO server used factory credentials. What JadePuffer shows is that an AI agent can now chain neglected, well-documented weaknesses into a complete extortion operation without the operator needing deep skill at any single step. As Sysdig puts it, "Tradecraft that once implied a capable human now implies a capable model."
That lowers the barrier to entry for damaging attacks and raises the payoff from basic hygiene on internet-facing systems. There is a defensive upside, though. Because the agent wrote its payloads on the fly, it left behavioural traces, including self-narrating code and rapid, error-specific iteration, that give detection tools new signals to catch.
What to do now
- Patch and isolate AI tooling. Update Langflow and keep code-execution endpoints, and AI development servers generally, off the public internet.
- Remove default credentials. Change or disable factory logins on services such as MinIO and Nacos, and rotate Nacos's default signing key.
- Keep secrets off exposed hosts. Do not store cloud credentials or API keys in the environment of internet-facing AI servers.
- Lock down databases. Never expose a database administrator account to the internet.
- Enforce egress controls so a compromised host cannot beacon out to attacker infrastructure.
- Favour runtime behavioural detection over patch-racing alone, to catch adaptive activity that signature-based tools miss.
Selected indicators of compromise published by Sysdig include the command-and-control server 45.131.66[.]106, beaconing on port 4444 every 30 minutes; a ransom table named README_RANSOM; and the contact address e78393397[@]proton[.]me.
JadePuffer was, in the end, an attack on poorly maintained infrastructure using years-old flaws. What has changed is who, or what, can carry that off. The defences are familiar. The reason to apply them just became more urgent.