Published
- 4 min read
By Allan D - Editor, AI Security Wire
JadePuffer: The First Autonomous LLM-Driven Ransomware in the Wild
Ransomware has always involved automation. Encryption is fast, deployment scripts are scripted, and ransom notes are templated. What has never been automated — until now — is the decision-making. The reconnaissance choices, the pivot logic, the real-time adaptation when an access attempt fails. Those have always needed a human.
JadePuffer changed that.
Researchers at Sysdig have documented what they describe as the first confirmed end-to-end ransomware campaign operated autonomously by an LLM agent. No human operator directed the attack after the initial trigger. The AI made the calls.
What Happened
The campaign began with CVE-2025-3248, a critical vulnerability in Langflow, the open-source visual AI pipeline builder. Langflow has accumulated a significant CVE history in 2026 — this site has covered separate Langflow RCE vulnerabilities earlier this year — and remains widely deployed in enterprise environments building agentic AI workflows. The irony that an AI workflow tool became the entry point for an AI-operated attack is pointed.
Once inside, the JadePuffer agent took over. Sysdig’s analysis documents the agent autonomously performing reconnaissance on the environment, identifying credential storage locations, extracting credentials, using those credentials for lateral movement, and ultimately locating and encrypting Nacos configuration records — over 1,300 entries spanning service configurations across the compromised environment.
Nacos is a cloud-native service discovery and configuration management platform widely used in microservices architectures. Encrypting Nacos configuration records doesn’t just lock files: it breaks the configuration binding for every service that depends on those records, effectively taking down distributed applications at scale.
The Adaptation Problem
The detail that stands out most in Sysdig’s documentation is the speed of real-time adaptation. When an access attempt failed, the agent identified the failure, diagnosed the cause, generated a corrected approach, and executed it. In one observed instance, that loop ran in approximately 31 seconds.
A human operator conducting the same task, in the dark, on an unfamiliar system, would take considerably longer. The 31-second turnaround is faster than many incident response teams can even detect that a login attempt occurred.
This matters for defenders because the mental model of “attack dwell time” gets compressed by agentic attackers. Traditional ransomware groups often maintain access for days before encrypting, using that time for manual reconnaissance. JadePuffer compresses that window dramatically. Detection must happen faster, or it doesn’t happen before the damage does.
Why This Is Different
Security researchers have documented AI-assisted attacks for two years. Threat actors using LLMs to write phishing emails, generate malware variants, conduct initial triage on compromised systems. Those are augmentation stories: humans with better tools.
JadePuffer is an autonomy story. The distinction matters because the human-out-of-the-loop model changes the economics of attacks. A human operator is a rate-limiting factor: they can only run one campaign at a time, they get tired, they need to make judgment calls. An agent that handles all of that can be replicated. One group running ten simultaneous JadePuffer-style campaigns is operationally equivalent to ten separate attack teams.
That’s not yet confirmed as the operational model for this campaign. But it’s where this capability leads, and defenders should be thinking about it now rather than after the second documented case.
The Langflow Problem
It’s worth noting that Langflow vulnerabilities have become a recurring theme in 2026. CVE-2025-3248, the Langflow flaw used here, is separate from CVE-2026-5027 and CVE-2026-33017 that this publication has covered previously. The platform’s attack surface keeps producing exploitable flaws, and its deployment in AI pipeline infrastructure means that compromising it gives attackers a foothold in AI-enabled business processes rather than just standard enterprise infrastructure.
Organizations running Langflow should treat patching as a standing priority, not a quarterly exercise. The combination of frequent CVEs and increasing attacker interest in AI pipeline tooling makes Langflow a high-value target that requires active management.
Defensive Implications
JadePuffer creates a specific detection challenge: the attack traffic generated by an LLM agent looks, in many respects, like LLM-generated legitimate traffic. The same API call patterns, the same query structures, the same text generation fingerprints that appear in normal agentic workflows also appear in JadePuffer’s reconnaissance and lateral movement phases.
Detection strategies that distinguish malicious from legitimate agentic behavior will need to focus on behavioral sequence analysis rather than content inspection. The anomalous signals in JadePuffer are things like: credential access followed immediately by lateral movement, high-velocity configuration record access that no human workflow would generate, and API call sequences that follow attack playbook logic rather than business process logic.
The Sysdig research team has published their full analysis, and it’s worth reading for the technical detail on agent decision logging and how they reconstructed the autonomous decision chain. If your organization operates AI pipelines, understanding how JadePuffer’s behavioral signature differs from legitimate agent activity is the starting point for building detection.
References
Frequently Asked Questions
- What is JadePuffer?
- JadePuffer is the first confirmed end-to-end ransomware operation executed autonomously by an LLM agent. Discovered by Sysdig researchers, the campaign exploited a vulnerability in Langflow to gain initial access, then used an AI agent to independently conduct reconnaissance, steal credentials, move laterally, and encrypt database configuration records, all without a human operator in the loop.
- How did JadePuffer use AI differently from previous AI-assisted attacks?
- Earlier AI-assisted attacks had human operators using LLMs to speed up specific steps, such as drafting phishing emails or generating exploit payloads. JadePuffer removed the human from the loop entirely. The LLM agent made autonomous decisions across the full kill chain, including adapting in real time when access attempts failed rather than stopping and waiting for human intervention.
- What should organizations do in response to JadePuffer?
- Organizations running Langflow should patch CVE-2025-3248 immediately and audit any Langflow deployments for signs of compromise. More broadly, JadePuffer demonstrates that AI-generated attack traffic requires detection approaches tuned specifically for agentic behavior patterns, including anomalous API call sequences, automated credential rotation, and high-velocity lateral movement that no human could conduct at that pace.