Published
- 4 min read
By Allan D - Editor, AI Security Wire
JADEPUFFER: Sysdig Documents First Fully Agentic Ransomware Attack
Sysdig’s Threat Research Team published research on July 1, 2026 documenting what it describes as the first end-to-end ransomware operation fully executed by an LLM agent. The campaign, named JADEPUFFER, used CVE-2025-3248 (the Langflow unauthenticated RCE flaw) as its entry point, then handed control to an LLM agent that autonomously completed the attack chain without requiring human operator involvement at any subsequent step.
That’s the milestone worth paying attention to. Agentic ransomware has been a theoretical concern in security research since 2024. JADEPUFFER is the first documented case of it operating as an operational reality.
What the Agent Actually Did
The JADEPUFFER attack chain, as documented by Sysdig TRT, proceeded in the following sequence after initial RCE via CVE-2025-3248:
The LLM agent performed automated reconnaissance of the compromised Langflow environment, identifying connected services, configuration files, and stored credentials. It targeted API keys specifically: OpenAI, Anthropic, DeepSeek, MinIO, and cloud provider credentials embedded in workflow definitions. This credential harvesting phase is consistent with how Langflow deployments typically store live credentials (noted in coverage of the separate CVE-2026-55255 IDOR flaw added to CISA KEV in July 2026 — see our earlier article on that vulnerability).
The agent then moved laterally, identifying a Nacos service configuration database connected to the compromised environment. It escalated privileges where needed to gain write access, established persistence via crontab entries, and executed the extortion payload.
That payload: 1,342 Nacos service configuration items encrypted using MySQL’s AES_ENCRYPT() function. The originals were dropped. A README_RANSOM table was created in the database containing a Bitcoin address and Proton Mail contact for the ransom demand.
The operational intelligence here is that the extortion target was not files or backup systems in the traditional sense. It was service configuration data, which in a microservices environment can be more operationally paralysing than encrypting filesystem contents.
The 31-Second Reasoning Observation
The detail Sysdig highlights as evidence of genuine autonomous reasoning: the agent encountered a failed login attempt during the credential harvesting phase. Rather than stopping or looping, it diagnosed two possible explanations in parallel and corrected course within 31 seconds.
This isn’t sophisticated reasoning by the standards of frontier AI models. But it’s enough to execute a ransomware kill chain without the human operator needing to monitor for errors and intervene. The bar for “autonomous enough to be dangerous” is lower than the bar for “impressive AI capability.”
Why Langflow Specifically
This is the third Langflow vulnerability to result in documented exploitation. CVE-2025-3248 (the JADEPUFFER entry point) was an unauthenticated RCE. CVE-2026-33017 was exploited for Monero mining. CVE-2026-55255, added to CISA KEV on July 7, is an IDOR that allows authenticated users to execute other tenants’ workflows.
The pattern is consistent: Langflow is a high-value target because it sits at the centre of AI pipeline deployments that aggregate credentials and system access. An attacker who gains any foothold in a Langflow instance inherits access to whatever that instance was authorised to reach.
JADEPUFFER demonstrates the natural evolution of this attack pattern: once you have code execution in an AI orchestration environment, you can turn the AI orchestration capabilities against the victim’s own infrastructure.
What Changed After JADEPUFFER
The Sysdig disclosure has had a measurable effect on how the security community discusses agentic AI risk. Prior to documented cases like JADEPUFFER, the argument that LLM agents could autonomously execute end-to-end attacks was theoretical. The research provides a concrete example to anchor the threat model.
For defenders, the practical implications are not fundamentally different from what good AI deployment hygiene already required, but the priorities shift:
Credential storage in AI pipeline configurations is now explicitly a known exfiltration target, not just a theoretical one. Any API key, database credential, or cloud token embedded in a Langflow workflow definition (or equivalent in other pipeline tools) should be treated as compromised if those instances ran vulnerable versions. Rotating those credentials is the minimum response.
The speed of agentic attack chains compresses the detection window. A human-operated ransomware attack typically takes days to weeks from initial access to extortion. An LLM agent that can autonomously complete reconnaissance, lateral movement, and payload delivery shortens that to potentially hours. Detection approaches that rely on observing slow, deliberate attacker activity need to account for this.
Network isolation and least-privilege access for AI orchestration environments are the structural controls that limit what an agentic attacker can reach. An LLM agent executing in a Langflow instance that has database access, outbound internet connectivity, and service account credentials is a capable attacker in possession of powerful tools. The same agent in an isolated environment with scoped permissions has a much smaller blast radius.
References
- Sysdig — JADEPUFFER: Agentic Ransomware for Automated Database Extortion
- BleepingComputer — JADEPUFFER ransomware used AI agent to automate entire attack
- Dark Reading — JADEPUFFER: First Complete LLM-Driven Ransomware Attack
- Security Affairs — JADEPUFFER: first end-to-end AI-driven ransomware operation
Frequently Asked Questions
- What makes JADEPUFFER different from previous AI-assisted ransomware?
- Prior AI-assisted attacks used LLMs to generate phishing emails or malware code, but humans still directed the campaign at each stage. JADEPUFFER is documented as the first operation where an LLM agent autonomously executed the complete attack chain: reconnaissance, credential harvesting, lateral movement, privilege escalation, and destructive database extortion. The human operator's role ended after initial deployment of the agent.
- What was the entry point for JADEPUFFER, and is it still exploitable?
- JADEPUFFER used CVE-2025-3248, an unauthenticated RCE in Langflow's /api/v1/validate/code endpoint. Langflow has since released patches, and CVE-2025-3248 is on the CISA KEV catalog. A separate Langflow IDOR flaw, CVE-2026-55255, was added to CISA KEV in July 2026 after a different threat actor exploited it for cross-tenant code execution. Organisations running Langflow in any form should be on the latest patched version and should not expose it to the internet.
- How quickly did JADEPUFFER operate and what data did it exfiltrate?
- The LLM agent demonstrated real-time adaptive reasoning, recovering from a failed login attempt in 31 seconds by autonomously diagnosing two possible causes in parallel. The extortion payload encrypted 1,342 Nacos service configuration items via MySQL AES_ENCRYPT(), dropped the original data, and left a README_RANSOM table with a Bitcoin address and Proton Mail contact. Credential harvesting targeted API keys for OpenAI, Anthropic, DeepSeek, MinIO, and cloud providers embedded in exposed configuration files.