For the first time, a fully autonomous AI agent has been caught carrying out an end-to-end ransomware attack, breaking into a server, stealing credentials, encrypting a production database, and even writing its own ransom note—all without a human at the keyboard.
The security firm Sysdig documented the operation and named the agentic intruder JadePuffer. The attack, which unfolded against internet-exposed infrastructure, signals a grim milestone in cybercrime: the skill floor for running a ransomware campaign has dropped to whatever it costs to rent an AI agent. If that agent is running on stolen credentials through a technique known as LLMjacking, the cost to an attacker is effectively zero.
Michael Clark, director of threat research at Sysdig, said the most striking characteristic was the LLM’s behavior. “The operation adapted in real time, retrying failed steps within refined parameters,” Clark wrote. “In one sequence, it went from a failed login to a working fix in 31 seconds.”
How JadePuffer Broke In
The initial foothold came through CVE-2025-3248, a critical missing-authentication vulnerability in Langflow, an open-source tool used to build AI applications and agent workflows. The flaw allowed remote, unauthenticated attackers to execute arbitrary Python code on the host. Despite a patch being released in Langflow 1.3.0 and CISA adding the bug to its Known Exploited Vulnerabilities catalog in May 2025, many servers remained unpatched and publicly accessible.
Once inside the Langflow instance, JadePuffer immediately began mapping the machine and scanning for secrets. It collected LLM provider API keys for OpenAI, Anthropic, DeepSeek, and Gemini, along with cloud credentials from Chinese providers like Alibaba (阿里巴巴) and Tencent, as well as AWS, Google Cloud, and Azure. Cryptocurrency wallet keys and database logins were also swept up. The agent even raided a MinIO storage server using its unchanged factory-default credentials.
To maintain persistence, JadePuffer installed a crontab entry that phoned home to an attacker-controlled server at 45.131.66[.]106 every 30 minutes. It then pivoted to its real target: a separate, internet-exposed production server running a MySQL database and Alibaba’s Nacos configuration service.
The Attack on Nacos
Nacos is an open-source service-discovery and dynamic configuration platform widely used in microservices applications. JadePuffer connected to the server’s exposed MySQL port using root credentials. Sysdig noted that it could not determine where those root credentials came from; they were not stolen from the victim’s environment.
With root database access, the agent attacked Nacos through multiple vectors. It exploited a 2021 authorization bypass flaw (CVE-2021-29441) and forged a valid JSON web token using Nacos’s default signing key, which has shipped unchanged since 2020. It then injected a backdoor administrator account directly into the Nacos backing database.
Finally, JadePuffer encrypted all 1,342 Nacos service configuration items using MySQL’s built-in AES encryption function. It dropped the original tables and left a ransom note demanding Bitcoin, complete with a Proton Mail contact address.
The Ransom That Can Never Be Paid
There is a cruel twist for the victim. JadePuffer generated a random encryption key, printed it to the screen once, and never saved or transmitted it anywhere. The agent escalated from row-level deletion to dropping entire database schemas without backing up any of the encrypted data. Even if the victim paid the ransom, the data is irrecoverable.
The Bitcoin address in the ransom note—3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy—is an exact match for the sample address used throughout Bitcoin’s own developer documentation. It is a real, active wallet with a long transaction history. Sysdig cannot determine whether the model hallucinated a familiar-looking address from its training data, or whether the human operator deliberately used a real wallet that happens to match the famous example.
The Telltale Signs of an AI Operator
Sysdig identified several pieces of evidence that JadePuffer was an AI agent rather than a human attacker. The attack payloads were filled with plain-English annotations explaining the reasoning behind each step—the kind of running commentary that human hackers rarely bother to write but that LLM-generated code produces reflexively. Sysdig counted more than 600 separate, purposeful payloads across the entire operation.
The agent’s error-correction behavior was another giveaway. When an initial attack technique failed, JadePuffer diagnosed the exact cause and crafted a refined, multi-step fix in seconds rather than blindly retrying the same approach. In one documented sequence, it went from a failed login to a working solution in just 31 seconds.
Clark noted that while none of the individual techniques were particularly sophisticated or novel, the fact that an LLM strung them together into a complete ransomware operation against neglected internet-facing infrastructure is a watershed moment.
A Rapidly Shifting Threat Landscape
JadePuffer is the latest escalation in a fast-moving year for AI-driven attacks. In August 2025, researchers at ESET flagged PromptLock, initially billed as the first AI-powered ransomware, though it later turned out to be a lab prototype from NYU called Ransomware 3.0. Around the same time, Anthropic reported a real extortion campaign that used its Claude Code tool to hit at least 17 organizations with demands exceeding $500,000, though a human still steered that operation. In November 2025, Anthropic disclosed what it called the first largely autonomous cyberattack, a Chinese state-linked espionage effort in which Claude wrote exploits and stole data with minimal human involvement.
JadePuffer represents the next logical step: a fully automated, agent-driven attack chain that requires no human intervention from initial access to data destruction.
Defensive Measures
Sysdig urged security teams to immediately patch Langflow to a version that fixes CVE-2025-3248 and to never expose code-execution or validation endpoints to the internet. Nacos instances should be hardened by changing the default signing key, kept off the public internet, and never connected to their database as root. AI orchestration servers should not be run with provider API keys or cloud credentials in their environment.
Because attackers can now weaponize a fresh vulnerability advisory within hours, Sysdig argues that runtime detection of malicious behavior is becoming more critical than racing to patch every known flaw. The security firm published a full set of indicators of compromise, including the command-and-control server IP, the staging server, and the ransom contact details.
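The Nacos sequence described above (a root login on the exposed MySQL port, a backdoor administrator row, a bulk AES_ENCRYPT rewrite, then DROP TABLE) expressed as the kind of runtime detection Sysdig argues for, as an added example that is not Sysdig's tooling or published rules. The MySQL general-log lines are constructed, and the table names users, roles and config_info are assumed Nacos schema names.

```python
"""Flag the JadePuffer-style escalation chain in MySQL general-query-log lines."""
import re
from collections import defaultdict

# Constructed sample in MySQL general-log layout: time, connection id, command, argument.
SAMPLE_LOG = """\
2025-11-02T03:14:07Z  12 Connect  root@203.0.113.45 on nacos using TCP/IP
2025-11-02T03:14:08Z  12 Query    SELECT id, data_id FROM config_info LIMIT 5
2025-11-02T03:14:20Z  12 Query    INSERT INTO users (username, password, enabled) VALUES ('svc_backup', '$2a$10$HASH', 1)
2025-11-02T03:14:21Z  12 Query    INSERT INTO roles (username, role) VALUES ('svc_backup', 'ROLE_ADMIN')
2025-11-02T03:15:02Z  12 Query    UPDATE config_info SET content = HEX(AES_ENCRYPT(content, 'CONSTRUCTED_KEY'))
2025-11-02T03:15:40Z  12 Query    DROP TABLE config_info
2025-11-02T03:16:01Z  13 Connect  nacos@10.0.0.8 on nacos using TCP/IP
2025-11-02T03:16:02Z  13 Query    SELECT content FROM config_info WHERE data_id = 'app.yaml'
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(Connect|Query|Quit)\s*(.*)$")

# Each rule is (name, predicate over the command and its argument).
RULES = [
    ("root_remote_connect",          # root session that is not from the local host
     lambda cmd, arg: cmd == "Connect" and arg.startswith("root@")
     and not re.match(r"root@(localhost|127\.0\.0\.1)\b", arg)),
    ("backdoor_admin_insert",        # new row written straight into the auth tables
     lambda cmd, arg: cmd == "Query"
     and re.match(r"(?i)insert\s+into\s+(users|roles)\b", arg) is not None),
    ("bulk_aes_encrypt",             # UPDATE using AES_ENCRYPT with no WHERE clause
     lambda cmd, arg: cmd == "Query" and re.match(r"(?i)update\b", arg) is not None
     and "AES_ENCRYPT(" in arg.upper() and not re.search(r"(?i)\bwhere\b", arg)),
    ("destructive_drop",             # schema destruction after the rewrite
     lambda cmd, arg: cmd == "Query"
     and re.match(r"(?i)drop\s+(table|database|schema)\b", arg) is not None),
]

def analyze(log_text):
    """Return (connection_id, rule_name, argument) hits in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, conn_id, cmd, arg = m.groups()
        hits.extend((conn_id, name, arg) for name, pred in RULES if pred(cmd, arg))
    return hits

def flag_sessions(log_text, min_rules=3):
    """Group hits per connection; a session tripping >= min_rules distinct rules
    matches the chain (root login -> backdoor -> encrypt -> drop), not one odd query."""
    per_conn = defaultdict(set)
    for conn_id, name, _arg in analyze(log_text):
        per_conn[conn_id].add(name)
    return {c: sorted(r) for c, r in per_conn.items() if len(r) >= min_rules}

if __name__ == "__main__":
    for conn_id, rules in flag_sessions(SAMPLE_LOG).items():
        print(f"connection {conn_id}: {', '.join(rules)}")
```

Requiring several distinct rules per connection keeps a single legitimate DROP TABLE during a migration from paging anyone, while the full sequence on one session does.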
As agent tools continue to mature, any exposed server, configuration store, or database admin login should be treated as something a machine will probe—not just a human.
