JADEPUFFER: 6 Things to Know About the First AI-Driven Ransomware Operation
目次
- 1. What actually happened, step by step
- 2. The entry point was known, patched and ignored
- 3. What made this different from a scripted attack
- 4. There is no recovery path from this attack
- 5. The skill floor for ransomware has dropped materially
- 6. What organisations should do
- Immediate remediation priorities:
On July 1, 2026, researchers at Sysdig’s Threat Research Team published evidence of what they assess to be the first ransomware operation conducted end-to-end by a large language model. The operator, which Sysdig named JADEPUFFER, breached a server, harvested credentials, moved to a production database, encrypted 1,342 configuration items and destroyed the originals. No human issued a command. When the agent encountered a failed login attempt, it corrected its approach in 31 seconds and continued.
The implications are considerable, and not primarily technical.
1. What actually happened, step by step
JADEPUFFER gained initial access through CVE-2025-3248, a critical unauthenticated remote code execution flaw in Langflow, an open-source framework used to build LLM-driven applications. The flaw was patched in March 2025 and added to CISA’s Known Exploited Vulnerabilities catalog on May 5, 2025. The affected server had never been updated.

Once inside, the agent swept the environment in parallel for API keys, cloud credentials, cryptocurrency wallet seeds and database credentials, dumped Langflow’s PostgreSQL database, probed a MinIO object store using default credentials, and installed a cron job to beacon to attacker infrastructure every 30 minutes. The Langflow server was a staging post. The real target was a separate production system running a MySQL database and Alibaba’s Nacos configuration service, both internet-accessible, both inadequately hardened.
2. The entry point was known, patched and ignored
CVE-2025-3248 carries a CVSS score of 9.8. It had been on CISA’s Known Exploited Vulnerabilities list since May 2025, more than a year before this campaign. The Nacos service retained its default JWT signing key, publicly documented since 2020, making token forgery straightforward. The MySQL database was reachable on its admin port from the open internet. None of these were zero-days. The operation required no novel techniques — only neglected infrastructure and an agent capable of chaining familiar weaknesses without human direction.
3. What made this different from a scripted attack
Traditional attack scripts are brittle. They fail when the environment deviates from expectations. JADEPUFFER did not. When a MinIO enumeration request returned XML rather than the expected JSON, the agent adapted its parser and reissued the request. When an administrator account creation failed on Nacos, it corrected the payload and verified success in 31 seconds. Sysdig observed more than 600 distinct purposeful payloads in a compressed timeframe. The agent read its own output, identified failure and self-corrected — without instruction.
4. There is no recovery path from this attack
The ransom demand is, in effect, unenforceable. The AES encryption key was generated randomly, printed once to standard output and never stored or transmitted. Even a willing attacker cannot provide it. The final phase escalated from row deletion to dropping entire database schemas. Sysdig found no evidence that any data was preserved on the attacker’s claimed staging server. The only viable recovery path is immutable offline backups with a tested restoration process. Organisations without them have no path at all.
5. The skill floor for ransomware has dropped materially
Ransomware has historically required technical capability to execute — someone who could adapt an intrusion when it stalled, correct a broken payload, or direct lateral movement. JADEPUFFER delegates that tactical layer to a model. If the agent runs on stolen LLM API credentials obtained through prior compromise, the operational cost to the attacker approaches zero. The barrier to running a complete database extortion campaign is now the cost of configuring an agent and pointing it at exposed infrastructure — a substantially lower threshold than the one most enterprise security programmes were designed around.
6. What organisations should do
The controls that would have stopped JADEPUFFER are not new. The difficulty is applying them to infrastructure that most organisations do not examine closely, and specifically to the category of AI-adjacent tooling that has been deployed rapidly over the past two years with the governance discipline of a productivity application rather than a production system.
Langflow and similar LLM orchestration frameworks execute arbitrary code, hold provider API keys, connect to internal databases and typically run with network access that was scoped for a prototype and never revisited. Any organisation running an LLM orchestration server should treat it as critical infrastructure from this point forward, not as a developer tool.
Immediate remediation priorities:
- Patch Langflow and remove its code-execution endpoint from internet exposure. CVE-2025-3248 has been on CISA’s KEV list since May 2025. The affected server in this campaign had never been updated.
- Strip API keys and cloud credentials from the server environment and move them to a secrets manager. Their presence in the Langflow environment was what made the initial compromise immediately productive for the agent.
- Change Nacos’s default JWT signing key. It has been publicly documented since 2020. Its continued use in production is an organisational failure, not a technical one.
- Close database administration ports to the internet without exception and verify that perimeter controls are actually enforced rather than assumed.
- Maintain immutable offline backups with tested restoration procedures. JADEPUFFER generated a ransom demand knowing payment was impossible — the encryption key was never stored or transmitted and cannot be recovered. The only viable recovery path is backups that cannot be reached through the same credentials the attacker already holds, with restoration procedures rehearsed under conditions that approximate an actual incident. Organisations without both have no recovery path regardless of what they pay.
The broader point is about visibility. The long tail of forgotten systems, AI servers, configuration stores, exposed internal services, default credentials, has always been a risk. What is new is that an agent can now find those systems, chain their weaknesses and complete an extortion operation before any human analyst is involved. Defenders who have not mapped their AI orchestration infrastructure and internet-facing database ports are operating blind against an adversary that works systematically, methodically and without pausing.
If your organisation runs Langflow, Nacos or any internet-facing AI orchestration infrastructure and you want to understand your exposure, reach out.
