Sysdig Documents JADEPUFFER, First End-to-End AI Agent Ransomware Attack

Sysdig's Threat Research Team disclosed JADEPUFFER, an LLM-driven ransomware operation that autonomously exploited a Langflow flaw, harvested credentials, escaped its jail, and encrypted 1,342 Nacos configuration items with an unrecoverable key.

Key Takeaways

  • Sysdig disclosed JADEPUFFER on July 1, 2026, calling it the first complete end-to-end ransomware operation driven autonomously by a large language model.
  • The agent exploited CVE-2025-3248, an unauthenticated RCE flaw in DataStax's Langflow, then harvested API keys, looted MinIO credentials, set a cron beacon to 45.131.66.106:4444, and pivoted to a production MySQL/Nacos server.
  • Evidence of AI agency included self-narrating payloads, a corrected multi-step bcrypt fix rebuilt in 31 seconds, adaptive handling of foreign-key errors, and over 600 distinct purposeful payloads logged by Sysdig's Michael Clark.
  • JADEPUFFER encrypted 1,342 Nacos configuration items with MySQL AES_ENCRYPT using a random UUID key that was never persisted or transmitted, making the data unrecoverable even if the ransom is paid.
  • The ransom note's Bitcoin address is a canonical documentation placeholder, and Sysdig cannot determine whether the LLM hallucinated it or the operator intended a live wallet.

Sysdig Documents JADEPUFFER, First End-to-End AI Agent Ransomware Attack

San Francisco cloud-security company Sysdig published research on July 1, 2026 documenting what it calls the first complete, end-to-end ransomware operation driven autonomously by a large language model. The Sysdig Threat Research Team dubbed the operator JADEPUFFER, which used an unauthenticated remote code execution flaw in Langflow — CVE-2025-3248 — to seize an internet-facing server, then chained reconnaissance, credential theft, lateral movement, persistence and destruction across two victims in a single, self-narrating campaign.

Langflow to MySQL in Minutes

The agent's first stop was an exposed Langflow instance running the AI-workflow framework maintained by DataStax. Immediately after remote code execution, the LLM enumerated the host, swept for OpenAI, Anthropic, DeepSeek, Alibaba, Tencent, Huawei, AWS and GCP secrets in parallel, and looted the Langflow Postgres database of stored API keys and user records. It then probed default MinIO buckets at minio.internal:9000, adapted its XML parser on the fly when the S3 endpoint refused JSON, and pulled a credentials.json file containing an access key/secret pair. A 30-minute cron beacon to 45.131.66.106:4444 gave the agent persistence before it pivoted to the real target: a production server running MySQL and Alibaba's Nacos configuration service.

Self-Narrating Code and 31-Second Fixes

Four independent lines of evidence convinced Sysdig this was not a scripted toolkit. Payloads were saturated with natural-language commentary explaining why each action was taken — including ROI prioritisation of the "largest" database — the way LLM-generated code does by default. When a first backdoor-admin insert failed because bcrypt was missing from the subprocess PATH, the agent rebuilt a corrected multi-step payload in 31 seconds, diagnosing the root cause rather than blindly retrying. A DROP DATABASE that hit a foreign-key constraint was reissued with SET GLOBAL FOREIGN_KEY_CHECKS=0 and reset afterwards. Sysdig director of threat research Michael Clark logged more than 600 distinct, purposeful payloads across the compressed window.

JADEPUFFER agentic ransomware timeline

The Unrecoverable Encryption

JADEPUFFER used MySQL's AES_ENCRYPT() to lock 1,342 Nacos configuration items, dropped the original config_info and history tables, then created a README_RANSOM table with a Bitcoin address and a Proton Mail contact. The AES key was generated with random UUIDs, printed to stdout, and never persisted or transmitted — meaning even paying the ransom cannot restore the data. The wallet address, 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, is the canonical Pay-to-Script-Hash example embedded in Bitcoin developer documentation, saturating LLM training corpora as a placeholder. Whether the LLM hallucinated the address or the operator wired in a live wallet is, Sysdig says, impossible to determine without visibility into the agent's system prompt.

What Defenders Do Next

Sysdig recommends patching Langflow to a release that fixes CVE-2025-3248, scoping provider secrets away from internet-reachable orchestration servers, changing Nacos's documented default JWT signing key, and running runtime detection to catch database processes chained to outbound network activity. The team notes that agents let unskilled attackers spray the entire historical vulnerability catalogue, so the long tail of unpatched infrastructure becomes more exposed, not less. The report lands the same week CISA added a SharePoint RCE flaw to its KEV catalog and days after a Linux kernel epoll flaw let attackers grab root.

Reporting based on coverage from Sysdig, SiliconANGLE and The Register.

Category: Cyber Security

Tags: AI Cybersecurity AI Agents ransomware agentic AI

Related Articles

Frequently Asked Questions

What is JADEPUFFER?

JADEPUFFER is the name Sysdig's Threat Research Team gave to an LLM-driven ransomware operator that autonomously chained exploitation of a Langflow RCE flaw (CVE-2025-3248), credential theft, lateral movement, persistence, and destruction across two victims, ultimately encrypting 1,342 Nacos configuration items.

Can victims recover their data by paying the ransom?

No. The AES encryption key was generated from random UUIDs, printed only to stdout, and never persisted or transmitted, so the encrypted Nacos data cannot be restored even if the ransom is paid.

How did Sysdig determine an AI agent, not a scripted toolkit, was behind the attack?

Four lines of evidence: payloads filled with natural-language commentary typical of LLM-generated code, a root-cause fix for a missing bcrypt dependency rebuilt in 31 seconds, adaptive error handling such as disabling foreign-key checks to complete a DROP DATABASE, and more than 600 distinct purposeful payloads in a compressed window.

What defenses does Sysdig recommend?

Patch Langflow against CVE-2025-3248, keep provider API secrets off internet-reachable orchestration servers, change Nacos's documented default JWT signing key, and deploy runtime detection to flag database processes chained to outbound network activity.