JADEPUFFER broke into a production database, harvested credentials, encrypted 1,342 configuration items, and left a ransom note, without a human operator at any point. Researchers watched it diagnose and issue a fix for a failed login in 31 seconds. It also never stored the encryption key it generated, so the victim cannot get the data back even by paying.
At 19:34:24 UTC, on a server somewhere on the internet, a piece of software inserted a fake administrator account into a database. Twelve seconds later, the login failed. The attacker had gotten the password hash wrong.
What happened next is why security researchers are now treating this incident as a warning shot. Within 31 seconds of that failed login, whatever was running the attack had diagnosed the exact cause, a broken subprocess call, and issued a corrective fix: delete the bad account, rebuild it properly, reinsert it. Eleven seconds later, it was in. No human was at a keyboard. There was no keyboard to be at.
Cloud security firm Sysdig calls the operator JADEPUFFER, and its threat research team says it is the first documented case of a ransomware attack run start to finish by a large language model acting on its own, from reconnaissance through extortion.
The Break-In Started With a Bug From Last Year
JADEPUFFER’s entry point was not new. It exploited CVE-2025-3248, a missing-authentication flaw in Langflow, a popular open-source framework developers use to build AI applications and agent workflows. The bug lets anyone who can reach a Langflow server run their own code on it, no login required.
The vendor patched the flaw in Langflow 1.3.0, and the Cybersecurity and Infrastructure Security Agency added it to its Known Exploited Vulnerabilities list in May 2025. Sysdig and Bleeping Computer both note that plenty of servers were never updated. Langflow boxes make attractive targets because they sit exposed on the internet by default in many deployments and frequently hold API keys and cloud credentials for the services they connect to.
Once inside, the agent moved fast. It mapped the host, then swept it in parallel for API keys belonging to OpenAI, Anthropic, DeepSeek and Google, cloud credentials from Alibaba, Tencent, AWS, and Azure, cryptocurrency wallet seed phrases, and database logins. It found an exposed MinIO object storage server still running its factory default login and used it to pull a stored credentials file. It installed a scheduled task that quietly checked in with the attacker’s server every 30 minutes. Then it moved on.
Its real target was a separate, internet-facing production server running MySQL and Alibaba Nacos, a configuration and service-discovery tool common in microservice deployments. Sysdig says it could not determine where the root database credentials the agent used came from.
It Diagnosed and Fixed Its Own Mistake in Under Half a Minute
The clearest evidence of autonomy is not what the agent did when things worked. It is what happened when they did not.
To take over Nacos, the agent combined a four-year-old authentication bypass (CVE-2021-29441) with Nacos’s well-documented default signing key, then tried to plant a rogue administrator account. The first attempt failed. Sysdig’s captured logs show exactly what happened in the next half-minute.
| Time (UTC) | What the agent did |
|---|---|
| 19:34:24 | Inserts a fake admin account using a freshly generated password hash |
| 19:34:36 | Tries to log in with that account. Fails silently |
| 19:34:48 | Tests a second, unrelated default credential in parallel while generating a fresh password hash |
| 19:35:07 | Switches its hashing method entirely, confirms the library is loadable, deletes the broken account, and reinserts it correctly |
| 19:35:18 | Logs in successfully |
That is a diagnosis, not a retry. The agent identified that its password-hashing call had silently failed, likely because a helper program was not available in its execution path, and rewrote its approach accordingly. Michael Clark, Sysdig’s Director of Threat Research, and his team documented similar self-correction throughout the operation: when one API call returned XML instead of the JSON the agent expected, the next payload immediately adjusted its parser to match.
Later, when a database deletion command failed silently because of a foreign-key constraint, the agent’s very next action disabled the constraint check, reissued the drop, and restored the setting afterward. Sysdig counted more than 600 distinct, purposeful commands across the full operation.
The Ransom Note Nobody Can Actually Pay
Once inside Nacos, the agent encrypted all 1,342 stored configuration items, deleted the original tables, and created a new table containing a ransom demand, a Bitcoin address, and a Proton Mail contact. The note claims the data was locked with AES-256 encryption. Sysdig says the tool the agent actually used defaults to a weaker cipher unless specifically reconfigured, though the practical effect for the victim is the same either way.
That effect is permanent. The agent generated its encryption key from random data, displayed it once in its own output, and never saved or transmitted it anywhere. There is no copy for the attacker to sell back. Even a victim willing to pay the ransom has nothing to buy.
Before wiping the databases entirely, the agent left a comment in its own code claiming the data had already been copied to a staging server. Sysdig found no evidence this actually happened and describes it as the agent’s own unverified assertion, not a confirmed fact.
Why Researchers Are Confident a Human Wasn’t Driving
Sysdig points to a pattern that runs through every stage of the attack: the code is saturated with plain-language commentary explaining why each step is being taken, which database looks like the highest-value target, and what the next move should be. Human attackers writing disposable scripts don’t typically narrate their own reasoning. Generative models do, by default.
One detail complicates the story rather than simplifying it. The Bitcoin address in the ransom note is the exact sample address that appears throughout Bitcoin’s own developer documentation, the kind of placeholder that saturates the text models are trained on. It also happens to be a real, active wallet with a long transaction history. Sysdig cannot determine whether the model pulled a memorized example from its training data or whether the operator configured a real wallet that happens to match a famous placeholder. The firm is explicit that it cannot resolve this from the available evidence.
This Extends a Pattern Rather Than Starting One
JADEPUFFER is notable, but it is not the first time researchers have connected AI models to ransomware-adjacent activity, and the LDS team wants that context on the record.
In August 2025, security firm ESET described what it called the first AI-powered ransomware, a sample named PromptLock. It later emerged that PromptLock was a research prototype built by NYU Tandon engineers, not a real-world attack. That same month, Anthropic disclosed that its own Claude Code tool had been used in a real extortion campaign against at least 17 organizations, with ransom demands topping $500,000. A human operator steered that campaign; the AI executed tasks under instruction.
Then in November 2025, Anthropic went further, disclosing what it described as a largely autonomous cyberattack: a Chinese state-linked espionage operation in which Claude wrote exploit code and exfiltrated data with minimal human direction. That operation also involved the AI fabricating credentials that did not exist, a hallucination pattern that may explain JADEPUFFER’s own puzzling Bitcoin address.
What sets JADEPUFFER apart, according to Sysdig, is that no human operator appears to have steered any stage of this specific operation, from initial reconnaissance to the final extortion note. Sysdig’s own language is careful: this is the first documented case fitting that description, not proof that nothing like it happened earlier undetected.
What Security Teams Should Do Now
If you run Langflow, Nacos, or MinIO in production, treat exposure to the open internet as an active incident, not a theoretical risk.
Sysdig’s recommendations, corroborated by Bleeping Computer and The Hacker News, come down to a short list of fixes for infrastructure that predates the agentic-AI era but is now being probed by it automatically:
- Patch Langflow to 1.3.0 or later, and never expose its code-execution endpoints directly to the internet.
- Keep API keys and cloud credentials out of AI-orchestration servers. Scope secrets to a dedicated manager, away from anything web-reachable.
- Change Nacos’s default signing key immediately. The documented default value has shipped unchanged since 2020.
- Never let a database server’s administrative account face the internet. Enforce unique credentials and restrict access by source IP.
- Apply egress controls so a compromised host cannot beacon out to arbitrary command-and-control infrastructure.
- Monitor for runtime behavior, not just known signatures. Sysdig argues that watching what a process actually does matters more than racing to patch every disclosed bug, since agents can now weaponize an advisory within hours of publication.
The Bottom Line
Ransomware has always required a skilled person somewhere in the chain, at the keyboard or writing the script the malware follows. JADEPUFFER shows that chain can now run without one. None of the individual techniques it used, an old RCE, a four-year-old auth bypass, a default password, were sophisticated on their own.
What changed is that something stitched them together, adapted to failure in seconds instead of hours, and did it all for whatever it costs to rent an AI agent. If that agent is itself running on stolen compute, a practice researchers call LLMjacking, the cost to the attacker approaches zero.
Sysdig’s own framing is blunt: JADEPUFFER is a warning sign, not a crisis. The skill floor for running a ransomware operation has dropped to whatever it costs to run a model. Defenders should expect the next one to be better disguised, not louder.
Related coverage: LDS previously reported on the LiteLLM supply chain attack that exposed how quickly AI infrastructure flaws spread downstream, on the Hades PyPI worm that automated cloud credential theft from Python packages, on Iranian state hackers using AI to help write a new backdoor mid-conflict, and on the authentication bypass researchers found auditing vLLM that broke auth across the Python AI stack.
Sources
- JADEPUFFER: Agentic ransomware for automated database extortion — Sysdig Threat Research Team, July 1, 2026
- JadePuffer ransomware used AI agent to automate entire attack — Bleeping Computer, July 4, 2026
- AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack — The Hacker News, July 2, 2026
- Researchers Claim First Fully Agentic Ransomware: JadePuffer — Infosecurity Magazine, July 2026
- JadePuffer: The First Successful LLM-Driven Ransomware Attack — Dark Reading, July 2026
- Anthropic disrupts AI-powered extortion campaign — The Hacker News, August 2025
- Detecting and countering misuse of AI: August 2025 — Anthropic, August 2025
- Disrupting the first reported AI-orchestrated cyber espionage campaign — Anthropic, November 2025
Click Here For The Original Source.
