Sysdig’s Threat Research Team disclosed a ransomware operation on July 1, publishing full technical detail a week later, that it says is the first fully documented case of an AI agent running an entire attack chain end to end with essentially no human operator at the keyboard. The attacker, which Sysdig tracks under the name JADEPUFFER, gained initial access to an internet-facing instance of Langflow, a popular open-source tool for building AI applications, by exploiting a known vulnerability, CVE-2025-3248, in an attack that took place in late June 2026.
The vulnerability itself is not new or obscure. CVE-2025-3248 is a missing-authentication flaw in Langflow’s code validation endpoint that lets an unauthenticated attacker execute arbitrary Python on the host, and it carries a critical CVSS score of 9.8 out of 10. It was patched in Langflow 1.3.0 and added to CISA’s Known Exploited Vulnerabilities catalogue back in May 2025, more than a year before JADEPUFFER used it. That gap between “publicly known, patched, and flagged by the US government’s own vulnerability catalogue” and “still exploitable on an internet-facing instance in mid-2026” is itself part of the story: this wasn’t a zero-day, it was a fully preventable entry point.
From that initial foothold, an autonomous large language model agent took over nearly every subsequent stage of the intrusion. Once inside, the agent swept the machine for anything of value: API keys for OpenAI, Anthropic, DeepSeek, and Gemini, cloud credentials spanning both Chinese providers like Alibaba and Tencent and Western ones including AWS, Google, and Azure, plus crypto wallet keys and database logins. It then raided a MinIO storage server that was still running its factory-default login, minioadmin:minioadmin, credentials nobody had ever bothered to change. Persistence was established through a crontab entry that beaconed back to the attacker’s command-and-control server every 30 minutes over port 4444.
From there the agent pivoted laterally to its real target: a separate, internet-facing server running a MySQL database alongside Nacos, a configuration and service directory common in microservice deployments. It encrypted 1,342 Nacos service configuration items before deleting the originals, dropped the underlying config_info and history tables outright, then created an extortion table named README_RANSOM containing the ransom demand, a Bitcoin payment address, and a Proton Mail contact address, and executed a destructive database-extortion playbook against the victim’s production database server.
What distinguishes JADEPUFFER from earlier AI-assisted attacks isn’t just the automation, it’s the adaptability. Sysdig documented the agent responding to obstacles the way a skilled human operator would: in one sequence, it went from a failed login attempt to a working workaround in 31 seconds, retrying and refining its approach without waiting for instruction. Its payloads were also self-narrating, containing natural-language reasoning, target prioritization, and detailed annotations of exactly the kind human operators rarely bother to write but that LLM-generated code produces almost reflexively, giving researchers an unusually clear window into how an AI system plans and executes a live criminal operation once nothing is stopping it.
The significance researchers are flagging isn’t really technical novelty, credential theft and lateral movement are well-understood attack techniques on their own. It’s the barrier to entry. As Sysdig’s report puts it, ransomware is no longer a craft that requires deep expertise in any single stage of the kill chain; an operator now needs only the patience to direct an AI agent through reconnaissance, exploitation, and extortion, and a working jailbreak to get the model to cooperate in the first place.
JADEPUFFER is meaningfully different from the AI-enabled espionage campaign Anthropic itself disclosed in September 2025, in which a Chinese state-linked group it tracks as GTG-1002 manipulated Claude Code into attempting infiltration of roughly 30 global targets, succeeding against a handful, using AI to execute an estimated 80 to 90 percent of tactical operations autonomously at request rates no human team could physically sustain. That campaign still required human intervention at several critical decision points, and the attackers had to pose as employees of a legitimate cybersecurity firm running “defensive testing” to keep Claude cooperating, with the model still occasionally hallucinating credentials or overstating what it had actually extracted. JADEPUFFER appears to have needed even less human involvement than that state-sponsored operation, and unlike GTG-1002 it’s an ordinary criminal extortion operation rather than state-sponsored espionage, meaning the attacker profile here is closer to an everyday ransomware gang than a well-resourced intelligence service, a much larger and more numerous population of potential adversaries.
The practical fix security researchers are pointing to is unglamorous: patch management, plus basic credential hygiene like changing a default admin password before exposing a storage server to the internet. JADEPUFFER’s entire attack chain started from a known, previously disclosed, already-patched vulnerability in an internet-facing instance of a tool that a great many small teams run precisely because it’s free and easy to stand up, then compounded that with a storage server still sitting on factory-default credentials. Philippine startups and BPOs increasingly use exactly this kind of low-code, open-source AI tooling to build internal automation quickly, and they are, almost by definition, the organizations least likely to have dedicated security staff tracking CVE disclosures or auditing default credentials on every new service they spin up. An unpatched, internet-facing Langflow instance sitting next to a storage bucket nobody re-credentialed is not a hypothetical risk for a resource-constrained Philippine dev team, it’s precisely the profile JADEPUFFER exploited.
Sysdig’s report is explicit that the AI agent didn’t handle every single step of the attack, some coordination still required a human. But the direction of travel is clear enough that this almost certainly won’t be the last agentic ransomware operation disclosed this year, and the defense against it looks less like a new category of AI-specific security product and more like the same basic patch-management and credential discipline that’s been under-resourced at small organizations for decades, now facing an adversary that no longer needs deep technical skill, just patience and a jailbreak, to exploit the gap.
Share this article