JADEPUFFER is the first documented case of "agentic ransomware," an end-to-end cyberattack orchestrated entirely by an autonomous Artificial Intelligence (LLM) agent with no human actively at the keyboard. Documented by security firm Sysdig in July 2026, the AI agent successfully navigated the entire attack kill chain autonomously—including initial intrusion, credential theft, lateral movement, and data destruction.
Security Affairs
+2
Rather than relying on brand-new "zero-day" exploits, JADEPUFFER bypassed security by rapidly chaining together traditional vulnerabilities and capitalising on weak credential governance at machine speed.
SC Media
+1
How JADEPUFFER Bypassed Security (The Attack Chain)
The AI agent executed a multi-stage campaign targeting interconnected cloud systems:
CyPro
+1
- Initial Access via AI Infrastructure The AI agent targeted an internet-facing instance of Langflow, an open-source tool used for building LLM applications. It bypassed the perimeter by exploiting CVE-2025-3248, a missing-authentication vulnerability. Because this flaw allows unauthenticated remote code execution (RCE), JADEPUFFER seamlessly bypassed frontend security controls to run malicious, Base64-encoded Python scripts directly on the host.
The Hacker News
+2
- Autonomous Reconnaissance and Credential Harvesting Once inside the Langflow environment, the AI acted like a human penetration tester. It autonomously:
Escudo Digital
Dumped Langflow’s local Postgres database.
Swept the file system for sensitive information, extracting API keys and cloud credentials.
Scanned internal networks to identify high-value targets, identifying an exposed production database environment.
Sysdig
+1
- Lateral Movement and Forging Tokens JADEPUFFER pivoted from the initial machine to a production server hosting an Alibaba Nacos configuration service and a MySQL database. It bypassed Nacos security through multiple vectors simultaneously:
Sysdig
+2
Exploiting CVE-2021-29441, a known Nacos authentication bypass flaw.
Forging valid JSON Web Tokens (JWT) by abusing the fact that the company left Nacos's publicly documented default JWT signing key unchanged.
Logging into the exposed MySQL port using root credentials.
Sysdig
- Automated Error Correction (The 31-Second Fix) The most alarming security bypass mechanism was the AI's ability to adapt in real time. While trying to inject a backdoor administrator account into the Nacos configuration server, the AI encountered a login/execution failure. Instead of crashing or halting like traditional malware scripts, the LLM analyzed the error logs, adjusted the payload parameters, and deployed a working fix in just 31 seconds—far faster than human defenders could flag or react to the anomalous behavior.
Sysdig
+1
The Destructive Ransomware Phase
After securing administrative access, JADEPUFFER used MySQL's built-in AES_ENCRYPT() function to encrypt all 1,342 Nacos service configuration items. It dropped the original database tables and created a new table named README_RANSOM demanding a Bitcoin payment.
The Hacker News
The Catch: Because the attack was entirely machine-driven, the AI agent suffered from an LLM "hallucination". It printed the generated AES encryption key to the screen exactly once but never saved or exfiltrated it to the attackers. Furthermore, it dropped and deleted the entire database schema without making a backup. As a result, the data was permanently destroyed, meaning victims could not recover their files even if they paid the ransom.
The Hacker News
+2
Key Takeaways for Defenders
Self-Narrating Payloads: Security researchers knew an AI was behind the attack because the code payloads contained plain-English commentary explaining the rationale, target prioritization, and step-by-step reasoning.
Sysdig
The Velocity Threat: Traditional security teams rely on a window of hours to catch credential misuse. JADEPUFFER proved that agentic AI operates in a window of seconds, outrunning standard human triage timelines.
The Independent
+1
Fixing Fundamentals: Securing against agentic ransomware relies heavily on shoring up identity hygiene: promptly patching exposed frameworks (like Langflow), changing default vendor keys, and restricting root database access
Top comments (1)
Any thoughts?