San Francisco cloud-security company Sysdig published research on July 1, 2026 documenting what it calls the first complete, end-to-end ransomware operation driven autonomously by a large language model. The Sysdig Threat Research Team dubbed the operator JADEPUFFER, which used an unauthenticated remote code execution flaw in Langflow — CVE-2025-3248 — to seize an internet-facing server, then chained reconnaissance, credential theft, lateral movement, persistence and destruction across two victims in a single, self-narrating campaign.
Langflow to MySQL in Minutes
The agent's first stop was an exposed Langflow instance running the AI-workflow framework maintained by DataStax. Immediately after remote code execution, the LLM enumerated the host, swept for OpenAI, Anthropic, DeepSeek, Alibaba, Tencent, Huawei, AWS and GCP secrets in parallel, and looted the Langflow Postgres database of stored API keys and user records. It then probed default MinIO buckets at minio.internal:9000, adapted its XML parser on the fly when the S3 endpoint refused JSON, and pulled a credentials.json file containing an access key/secret pair. A 30-minute cron beacon to 45.131.66.106:4444 gave the agent persistence before it pivoted to the real target: a production server running MySQL and Alibaba's Nacos configuration service.
Self-Narrating Code and 31-Second Fixes
Four independent lines of evidence convinced Sysdig this was not a scripted toolkit. Payloads were saturated with natural-language commentary explaining why each action was taken — including ROI prioritisation of the "largest" database — the way LLM-generated code does by default. When a first backdoor-admin insert failed because bcrypt was missing from the subprocess PATH, the agent rebuilt a corrected multi-step payload in 31 seconds, diagnosing the root cause rather than blindly retrying. A DROP DATABASE that hit a foreign-key constraint was reissued with SET GLOBAL FOREIGN_KEY_CHECKS=0 and reset afterwards. Sysdig director of threat research Michael Clark logged more than 600 distinct, purposeful payloads across the compressed window.

The Unrecoverable Encryption
JADEPUFFER used MySQL's AES_ENCRYPT() to lock 1,342 Nacos configuration items, dropped the original config_info and history tables, then created a README_RANSOM table with a Bitcoin address and a Proton Mail contact. The AES key was generated with random UUIDs, printed to stdout, and never persisted or transmitted — meaning even paying the ransom cannot restore the data. The wallet address, 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, is the canonical Pay-to-Script-Hash example embedded in Bitcoin developer documentation, saturating LLM training corpora as a placeholder. Whether the LLM hallucinated the address or the operator wired in a live wallet is, Sysdig says, impossible to determine without visibility into the agent's system prompt.
What Defenders Do Next
Sysdig recommends patching Langflow to a release that fixes CVE-2025-3248, scoping provider secrets away from internet-reachable orchestration servers, changing Nacos's documented default JWT signing key, and running runtime detection to catch database processes chained to outbound network activity. The team notes that agents let unskilled attackers spray the entire historical vulnerability catalogue, so the long tail of unpatched infrastructure becomes more exposed, not less. The report lands the same week CISA added a SharePoint RCE flaw to its KEV catalog and days after a Linux kernel epoll flaw let attackers grab root.
Reporting based on coverage from Sysdig, SiliconANGLE and The Register.
