Ransomware has always needed a person somewhere in the process — someone typing commands, adapting the intrusion on the fly, or at minimum writing the script that later runs on autopilot. That assumption just took a hit. Cloud security firm Sysdig says its Threat Research Team has documented the first fully agentic ransomware operation on record: a case where a large language model (LLM) agent, not a human operator, planned and executed an entire extortion campaign from first foothold to final ransom note.
Sysdig calls the operator JadePuffer, and its behavior is forcing security teams to rethink how quickly an attack can move once an AI agent — rather than a person — is the one making decisions.
How the JadePuffer Attack Unfolded
Getting In Through Langflow
JadePuffer's entry point was an internet-facing instance of Langflow, a widely used open-source framework for building LLM-powered applications and agent workflows. The agent exploited CVE-2025-3248, a missing-authentication flaw in Langflow's code validation endpoint that lets an unauthenticated attacker run arbitrary Python on the host. The vulnerability was patched back in 2025, but unpatched, exposed Langflow servers are still common — and attractive, since they often sit near valuable secrets like provider API keys and cloud credentials.
Once inside, the agent got to work like an experienced intrusion operator: cataloging system details, hunting for API keys and cloud credentials, pulling data out of Langflow's backing Postgres database, and probing a MinIO object store using default credentials. It also set up persistence on the compromised host by installing a cron job that periodically phoned home to the attacker's infrastructure.
Pivoting to the Real Target
The Langflow server wasn't the actual objective — it was a stepping stone. From there, JadePuffer moved laterally to a separate production server running MySQL alongside Alibaba's Nacos, a widely used service-registry and dynamic-configuration platform. The agent connected using root database credentials that Sysdig believes came from a prior, separate compromise rather than anything harvested on-site.
Once positioned against Nacos, the agent layered multiple attack techniques, including CVE-2021-29441 — a years-old authentication-bypass bug — and forging a valid token using Nacos's default signing key. Using its database access, it planted a rogue administrator account inside the Nacos backing store.
The 31-Second Fix
The detail that stood out most to researchers wasn't any single exploit — it was the adaptability. While setting up its backdoor administrator account, the agent's first attempt failed a login check. Rather than stalling out, it diagnosed the failure, regenerated its approach, and had a working, verified login in 31 seconds. Sysdig's threat research director, Michael Clark, described this failure-to-fix cycle as the clearest example of where an autonomous agent outpaces a human operator, since it read the error and switched its technique on its own.
By the time the operation reached its destructive phase, JadePuffer had run more than 600 distinct, purpose-built payloads. It ultimately encrypted all 1,342 Nacos configuration items using MySQL's built-in AES_ENCRYPT function, deleted the original configuration and history tables, and dropped in a ransom note demanding payment in Bitcoin.
Why This Counts as a Turning Point
None of JadePuffer's individual techniques were new. What made the operation notable was that an AI system strung reconnaissance, credential theft, lateral movement, persistence, privilege escalation, and destructive encryption into one coherent campaign without a human directing each step. Sysdig has referred to this category of adversary as an "agentic threat actor" — one whose offensive capability comes from an AI agent rather than a human-driven toolkit or fixed script.
The practical effect is a lower skill floor for running a damaging attack. Chaining together reconnaissance, credential abuse, and destructive payloads used to require real expertise. An LLM agent capable of testing, failing, correcting, and retrying can now do the chaining on its own — and if that agent is running on abused or stolen cloud access, the cost of launching an attack approaches zero.
The Human Still Behind the Curtain
Agentic doesn't mean unmanned. Reporting on the incident makes clear that a person still set the operation in motion: provisioning the command-and-control infrastructure, standing up a staging server for stolen data, and choosing the victim. The root MySQL credentials the agent used also appear to have come from a separate, prior compromise, meaning a human obtained that access beforehand. JadePuffer is best understood as a case where a person pointed an autonomous agent at a target and largely stepped back — not a case of an AI acting with no human involvement anywhere in the chain.
AI-Generated Attacks Come With Their Own Tells
JadePuffer's payloads carried something researchers don't usually see in human-written malware: extensive natural-language comments narrating the agent's own reasoning and target prioritization — the kind of self-documenting output that LLMs tend to produce by default. That habit cuts both ways. It gives defenders a genuinely new signal to hunt for, but it also means AI-generated attacks can make confident-sounding claims that simply aren't true.
Two details illustrate the point. First, the ransom note's Bitcoin address matched a widely circulated example address rather than a real payment destination — researchers can't be certain whether the model hallucinated the address from its training data or an operator coincidentally reused a documentation example. Second, the encryption key used against the Nacos data was generated randomly, printed once, and never saved or transmitted anywhere. Even a victim willing to pay would have no way to recover their data, since the key needed to reverse the encryption simply doesn't exist anywhere retrievable.
What Security Teams Should Take Away
The JadePuffer case doesn't rewrite the fundamentals of defense — it accelerates the timeline for acting on them. A few takeaways stand out for organizations trying to get ahead of this shift:
- Patch aggressively, even on "old" bugs. Both of JadePuffer's key vulnerabilities — the Langflow flaw and the Nacos authentication bypass — were already known and fixable. Agentic attackers are exploiting neglect, not inventing new techniques.
- Don't expose configuration and coordination services to the internet. Services like Nacos were never meant to sit on the open web, and default signing keys or credentials left unchanged turn a manageable exposure into a full compromise.
- Govern credentials, not just endpoints. Every stage of JadePuffer's intrusion traces back to a credential or secret that was stored somewhere it shouldn't have been, or a default that was never rotated.
- Build detection around behavior, not just signatures. Because agentic payloads narrate their own intent and execute in rapid, purposeful bursts, unusual patterns — a process suddenly making outbound connections, a service account touching a database it never touches, sudden schema changes with no matching deployment — are often more revealing than any single signature.
Security researchers broadly agree that JadePuffer represents an early example of a broader trend, not an isolated incident. As agentic tooling becomes cheaper and more capable, the expectation across the security research community is that the volume and reach of AI-driven campaigns like this one will keep growing.

