Cloud security company Sysdig Inc. has documented what it says is the first ransomware operation carried out from start to finish by an autonomous artificial intelligence agent, a campaign it calls JadePuffer.
Sysdig’s Threat Research Team spelled out its findings in research published last week. A large language model ran the whole intrusion. It broke into an exposed server, harvested credentials, pushed deeper into the network and finally encrypted and wiped a company’s production database.
Ransomware has always kept a person in the loop, at the keyboard, or at least behind the script the malware runs. Cut that person out and the price of an attack drops to whatever it costs to rent an agent.
In the case researchers detail, JadePuffer forced its way in through CVE-2025-3248, a critical flaw in Langflow. Langflow is the open-source framework many teams lean on to build AI apps and agent workflows. The bug rates 9.8 for severity, near the top of the scale. A fix had shipped well before the attack and authorities added the flaw to their list of exploited bugs in May 2025. Scores of exposed instances were never updated anyway.
Once inside, the agent went looking for secrets. It dumped Langflow’s PostgreSQL database and pulled out whatever credentials it held. The haul was broad: application programming interface keys for AI services such as those from OpenAI Group PBC, Anthropic PBC, DeepSeek and Google LLC, plus cloud logins spanning Amazon Web Services Inc., Microsoft Azure, Alibaba Group Holding Ltd. and Tencent Holdings Ltd.
Cryptocurrency wallet keys and database passwords went too. A nearby MinIO object store fell because nobody had changed its factory-default login. Before moving on, the agent planted a scheduled task that pinged the attacker’s server every 30 minutes.
Then came the real target: a second internet-facing server, this one running a MySQL database alongside Alibaba’s Nacos configuration platform. The agent logged in as root. To take over Nacos, it reached for a 2021 authentication bypass and a default signing key Nacos has shipped unchanged since 2020 then quietly added an administrator account of its own.
What followed was the payload. It encrypted all 1,342 Nacos configuration items, dropped the original tables and left behind a ransom note demanding Bitcoin, with a Proton Mail address for contact.
Paying would not help. The encryption key was generated at random, printed to the screen a single time and then discarded, never saved and never sent anywhere. Meet the demand and the data still stays locked. The agent also went beyond encryption, deleting whole database schemas outright. It even left a note in its own code claiming it had already copied the data elsewhere, though Sysdig found nothing to back that up.
The researchers ascertained that a machine was at the wheel as the code gave it away. Payloads came stuffed with plain-English notes explaining the reasoning behind each step, the sort of running commentary no human attacker bothers to write but a model spits out by habit.
The agent also fixed its own errors at a speed no person could match. In one instance it went from a failed login to a correct, multistep fix in 31 seconds, having worked out the actual cause instead of just hammering retry. Across the whole operation, Sysdig tallied more than 600 distinct, deliberate payloads.
The find comes amid a busy year for AI-driven crime. Back in August, ESET spol s.r.o researchers billed PromptLock as the first AI-powered ransomware, only for it to turn out to be a university lab prototype rather than anything loose in the wild. Anthropic, in that same stretch, described a genuine extortion spree that bent its Claude Code tool against at least 17 organizations. By November the company was reporting something bigger, what it called the first largely autonomous cyberattack, tied to alleged Chinese spies. A human still had a hand on the wheel in all of them.
Sysdig’s advice will sound familiar: Patch Langflow and keep its code-running endpoints off the open internet. Keep secrets in a dedicated manager, not sitting in the environment of an internet-facing AI tool. And never leave a database’s admin account reachable from the web. The firm’s larger point is about speed: Attackers can now turn a fresh advisory into a working exploit within hours, so watching for bad behavior at runtime counts for more than winning the patch race.
The significance is in the automation, not the sophistication, said Ensar Seker, chief information security officer at SOCRadar Cyber Intelligence Inc. “What changed is that an AI agent was able to autonomously chain reconnaissance, exploitation, credential discovery, lateral movement, and extortion while adapting to failures in real time,” Seker told SiliconANGLE. “That dramatically lowers the operational cost of ransomware campaigns and allows attackers to execute far more operations simultaneously than a human team could manage.”
He cautioned against fixating on the headline, noting the intrusion began with an exposed instance running a publicly known bug. “AI is accelerating attackers, but it is still exploiting fundamental security weaknesses,” he said.
Erich Kron, a security awareness advocate and chief information security officer advisor at KnowBe4 Inc., said the arrival of such attacks was inevitable. “Given the amount of money that cybercrime brings in every year, it was only a matter of time before bad actors were leveraging the latest technology for truly autonomous attacks,” Kron told SiliconANGLE. “Agents differ significantly from LLMs in the way that they are goal-oriented entities that will figure out how to accomplish a feat given the tools they are provided. This is a very efficient way to run attacks against organizations at any time of the day or night and across the globe.”
Image: Sysdig
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
