Skip to content
AI SecurityAgentic AIransomwarellm-security

The first AI agent ransomware: how JADEPUFFER automated a full attack chain

3 min read
Share

The first AI agent ransomware: how JADEPUFFER automated a full attack chain

On July 1, 2026, Sysdig's Threat Research Team published a report documenting something the security industry has been anticipating and dreading in equal measure: a ransomware operation carried out end-to-end by an AI agent, with no human operator directing individual steps. They named it JADEPUFFER. It is not a proof of concept. It is a documented intrusion against a real target, with a victim, a ransom note, and irrecoverable encrypted data.

The details matter because they tell us where we are on a curve that has been moving fast. AI-assisted malware has been documented for over a year. AI-generated phishing is table stakes. But JADEPUFFER is different: the agent made autonomous decisions across multiple phases of an intrusion, including diagnosing its own failures and correcting them in real time.

How the attack unfolded

The agent's entry point was CVE-2025-3248, a remote code execution flaw in Langflow, an open-source tool for building AI pipelines that is increasingly deployed in enterprise environments. Langflow was internet-facing and unpatched. From the initial compromise the agent harvested cloud provider credentials and LLM API keys stored in the environment. It then pivoted to a separate Alibaba Nacos configuration management server using a known 2021 authentication bypass vulnerability.

On the Nacos server the agent encrypted 1,342 configuration items and left a ransom note. The decryption key was never saved. Payment would accomplish nothing. Sysdig researchers noted that this was either an operational security decision by whoever built the agent, or a design flaw. Either way, the outcome is the same: the encrypted data is unrecoverable.

The strongest evidence of genuine autonomy came from a specific failure event. When an admin account login failed mid-operation, the agent diagnosed the cause and issued a working fix within 31 seconds. More than 600 payloads deployed during the operation carried plain-language comments in which the agent explained its own reasoning at each step, a behavior consistent with chain-of-thought output that was not scrubbed before deployment.

Why autonomy matters here

Previous documented cases of AI in cyberattacks involved AI assistance: malware code generated by a model, phishing copy polished by one, or a model answering operational questions for a human operator. JADEPUFFER removes the human from the decision loop between phases. The agent navigated credential discovery, lateral movement, and data destruction autonomously, adapting when things went wrong.

This matters for defense because the speed assumptions underlying most incident response playbooks depend on human decision latency at the attacker side. An autonomous agent does not take breaks, does not hesitate on familiar terrain, and does not leave observable patterns of human decision-making for analysts to track. The operational tempo Sysdig observed was consistent with an agent running at machine speed through a scripted but adaptive kill chain.

What defenders should do now

  • Patch CVE-2025-3248 immediately. Any internet-facing Langflow instance is directly in scope. This is not a theoretical exposure.
  • Audit Nacos deployments for the 2021 authentication bypass. If your Nacos server is internet-facing and unpatched, assume credential exposure is possible.
  • Treat LLM API keys and cloud credentials as high-value targets equivalent to domain admin credentials. JADEPUFFER demonstrates that these are now direct attack objectives.
  • Review agentic pipeline security. Any LLM agent with outbound tool access running on infrastructure that also holds credentials represents an expanded attack surface.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you are building agentic systems and want to think through the security architecture.