JADEPUFFER The First AI Ransomware Attack That Needed No Human at All

On July 4–6, 2026, cloud security firm Sysdig published research on what it calls the first fully documented case of agentic ransomware — an attack in which every stage, from breaking in to wiping a production database, was carried out by an AI agent with no human at the keyboard. The operator has been named JADEPUFFER, and its story is less about a clever new hack than about how far you can push old, patchable bugs when an LLM does the work of an entire criminal crew.

What Actually Happened

JADEPUFFER's entry point was an internet-exposed installation of Langflow, a popular open-source framework developers use to build AI apps and agent workflows. The agent exploited CVE-2025-3248, a missing-authentication flaw that lets anyone who can reach the server run arbitrary Python code, no login required. The bug had been patched back in April 2025 and flagged by CISA as actively exploited weeks later — yet unpatched, unhardened Langflow instances are still common because they're often spun up quickly by developers without network restrictions and left holding cloud credentials and API keys.

From that single foothold, the AI agent worked through a complete intrusion chain on its own: reconnaissance, credential theft, lateral movement, privilege escalation, persistence, and finally, destruction.

Inside the Attack Chain

Once JADEPUFFER had code execution on the Langflow host, it moved fast. It pulled host and network information, searched environment variables and config files for anything sensitive, and dumped Langflow's own Postgres database. It swept up API keys for major AI providers, cloud credentials for both Western and Chinese platforms, cryptocurrency wallet data, and database logins. It even found and raided a MinIO object storage server that had simply never had its default admin password changed.

To keep its access alive, the agent quietly planted a scheduled task on the Langflow server that phoned home to attacker infrastructure every 30 minutes. Then it pivoted away from the initial foothold entirely and went after its real target: a separate production server running MySQL alongside Alibaba's Nacos configuration service, reached using root-level credentials whose origin researchers still can't explain.

The 31-Second Fix

The detail that convinced researchers this was genuinely autonomous, not a scripted tool, came from a single failure. The agent tried to create a rogue administrator account on the Nacos server and the attempt failed. Instead of stalling, it diagnosed the problem, rewrote its approach, and returned with a working payload just 31 seconds later — the kind of on-the-fly troubleshooting normally associated with an experienced human operator sitting at a keyboard.

Sysdig also noted that the malicious code itself was unusually chatty: the payloads contained natural-language comments explaining what the agent was doing and why, a habit LLM-generated code tends to fall into that a human attacker rarely bothers with.

The Damage

In its final stage, JADEPUFFER encrypted all 1,342 configuration records stored in the Nacos service using MySQL's built-in encryption function, deleted the original tables, and dropped a ransom note directly into the database naming a Bitcoin address and a Proton Mail contact. Researchers found the encryption key was generated randomly and never saved or transmitted anywhere — meaning even a victim who paid would have had no way to recover the data. Whether that was a mistake or simply irrelevant to an agent whose objective was disruption rather than payment remains unclear.

Why This Is a Turning Point

None of the individual techniques JADEPUFFER used were new. Exploiting a known CVE, harvesting credentials, abusing default logins, and encrypting a database are all standard ransomware moves. What changes the calculus is that no skilled human had to chain them together. An AI agent handled reconnaissance, adapted around failures, and executed judgment calls about which systems mattered — cutting the expertise required to run a ransomware campaign down to whatever it costs to rent an AI agent.

Security researchers who reviewed the disclosure describe it as an evolution rather than a revolution: the techniques are familiar, but the removal of the human bottleneck means future campaigns could move faster, scale wider, and hit far more neglected, unpatched systems than a human crew ever could.

How to Protect Your Systems

  • Patch Langflow immediately and never expose its code-execution endpoints directly to the internet.
  • Rotate default credentials everywhere — the MinIO breach in this attack succeeded purely because a factory password was never changed.
  • Keep secrets out of AI tool environments. API keys and cloud credentials should live in a proper secrets manager, not sitting in plaintext near an AI workflow server.
  • Harden Nacos and similar services by changing default signing keys, keeping them off the public internet, and never connecting them to a database as root.
  • Restrict outbound traffic so a compromised server can't beacon back to attacker infrastructure.

The Bigger Picture

JADEPUFFER lands in the same stretch of 2026 that has already seen Anthropic disclose a largely autonomous, state-linked cyberespionage campaign built on its own Claude Code tool. Taken together, these incidents point to the same trend from two different directions: AI agents are getting good enough to run entire offensive operations, and the security industry is only just beginning to build detection methods that don't assume a human is driving.

The takeaway isn't that AI made ransomware more sophisticated — it's that AI made ransomware require no sophistication at all.

Comments

Popular posts from this blog

China Just Teleported Information Across 1,400 KM — And It Changes Everything

​How OpenAI Built a Custom Inference ASIC in Just 9 Months to Slash ChatGPT Costs

Google Veo 3: How to Create Stunning AI Videos for Free