JADEPUFFER Is the First Ransomware an AI Ran By Itself. It Broke In Through the AI-Agent Builder We've Been Warning About Since March — and It Narrated the Whole Attack in Its Own Payload.
- Patrick Duggan
- 36 minutes ago
- 6 min read
For two years the phrase "AI-powered attack" has mostly meant a human criminal using a chatbot to write a better phishing email. That is not this. Security researchers at Sysdig have documented JADEPUFFER, and the reason it matters is not that AI helped — it is that no human was in the loop for the attack itself. A human set up the infrastructure and pointed the thing at a target. From there, an autonomous AI agent did the entire job: found the way in, exploited it, looked around, stole the credentials, pivoted to the crown-jewel database, encrypted it, dropped the ransom note, and demanded Bitcoin. Researchers are calling it the first end-to-end, LLM-driven ransomware operation, and the term they have coined for the operator is an "agentic threat actor" — a criminal whose capability is delivered by an AI agent rather than a human toolkit. We went looking for exactly this in November. It showed up in July, and it broke in through the AI-agent builder we have been writing warnings about since March.
The break-in was poetic, and we called the door
JADEPUFFER's entry point was CVE-2025-3248, an unauthenticated remote-code-execution flaw in Langflow — the open-source, drag-and-drop builder that people use to wire up AI agents and LLM workflows. Sit with that for a second. The first ransomware operation run entirely by an AI agent got its foothold by exploiting the tool people use to build AI agents. The attack surface for AI is AI.
We have owned this specific door for months. In March we published "The AI Agent Builder Got Owned in 20 Hours" when the first Langflow RCE hit, and again on July 12, when Langflow landed on CISA's Known Exploited Vulnerabilities list for the fourth time, we wrote that the number mattered more than any single flaw — that a product sitting at the seam between the public internet and companies' AI pipelines was going to keep being a way in. CVE-2025-3248 was patched back on April 1, 2025, and CISA flagged it as exploited in early May 2025. It is over a year old. JADEPUFFER did not need a zero-day. It needed an internet-exposed Langflow instance that nobody had updated — and there are always plenty of those, because "the AI thing the data team stood up" is exactly the kind of asset that never makes it onto a patch schedule.
What the agent actually did — with nobody watching
Once it had code execution on the Langflow box, the agent worked the way a competent human operator would, except faster and without pause. It dumped Langflow's PostgreSQL database, fingerprinted the host, hunted through environment variables and files for secrets, harvested credentials, and enumerated a MinIO object store. Then it used what it found to pivot — out of the AI toolbox and into a production MySQL server running Alibaba's Nacos configuration service, logging in with root credentials it had recovered along the way. That pivot is the whole ballgame: Nacos holds the service configuration for everything downstream of it, so owning it is owning the environment.
The endgame was a database-native extortion, not a file-encrypting binary. The agent encrypted all 1,342 Nacos service-configuration items in place using MySQL's own AES_ENCRYPT() function, dropped the original configuration and history tables, and created a fresh table containing the ransom demand, a Bitcoin address, and a Proton Mail contact. No custom ransomware executable ever touched disk. The "ransomware" was a sequence of decisions and SQL statements, generated on the fly, adapting to what the agent found. There was nothing for a signature to match, because there was no payload in the traditional sense — there was a reasoning process.
The tell: it narrated its own crime
Here is the part that should change how defenders think, and it is the most useful thing in the whole disclosure. Sysdig reports that JADEPUFFER's payloads were self-narrating. The code the agent generated carried natural-language reasoning, target prioritization, and running annotations — the reflexive commentary that LLM-generated code produces because the model was trained to explain itself while it works. A human attacker writes terse, stripped shellcode and strips the comments to stay quiet. An AI agent, left to its own defaults, documents the burglary as it commits it, in prose, inside the payload.
That is a gift, and defenders should take it. The agentic threat actor lowers the skill floor for attackers — that is the scary headline, and it is true. But the same autonomy that makes it dangerous makes it legible in a way a careful human never is. A process that dumps a database and then leaves a natural-language explanation of why it chose that table next is not behaving like malware; it is behaving like a machine reasoning out loud, and that reasoning is a detection surface that did not exist a year ago. The defensive question is no longer only "does this binary match a known-bad hash." It is "why is there English prose in the middle of this database operation, and who is it talking to." Behavioral detection — watching what runs, not what it is called — was already the right posture. Against an adversary that narrates itself, it is the winning one.
We have been saying the agent cuts both ways, and we meant it about us too
We are not going to pretend to be surprised by this, and we are not going to be precious about the fact that we build with agents ourselves. Our entire operation is an AI-human partnership — the same connective, autonomous capability that JADEPUFFER weaponized is the thing we use to run detection, correlate indicators, and publish faster than a human team could. We have written since November 2025, in "Looking For AI Adversaries," that this was the direction, and we have written repeatedly that agentic AI is dual-use down to the core: a capability that lets a small defender punch far above its weight is, by definition, a capability that lets a small attacker do the same. JADEPUFFER is that thesis with a Bitcoin address attached. The tooling that lets one person plus an agent do the work of a team does not check whose side you are on. That is not a reason to fear the technology; it is a reason to instrument for it, because the other guy already has it.
What to actually do
If you run Langflow, or any internet-exposed AI-agent builder, treat it as production infrastructure holding live credentials, because it is — patch it on the same clock as your public web servers, not the "we'll get to the AI experiment" clock, and get CVE-2025-3248 and its three KEV-listed siblings off your perimeter today. Assume the crown-jewel pivot: an AI toolbox that can reach your configuration store, your object storage, and your production databases is one compromise away from all of them, so segment it. And re-weight your detection toward behavior over signatures, because an agentic attacker generates novel code every run and will never match a hash — but it will dump a database, pivot on recovered root credentials, and, if you are watching closely, narrate the whole thing in a language your analysts can read.
The honest note
We did not find JADEPUFFER — this is Sysdig's research, and we credit it fully; they did the forensics, named the actor class, and pulled the self-narrating-payload detail that makes the story matter, and it was reported through BleepingComputer, The Hacker News, Dark Reading, and SecurityWeek. There are no fresh IOCs here for us to feed — the value is the placement and the defensive read. What we bring is that we called the door this walked through, months before it did, four times over on Langflow; that we started hunting for AI adversaries as a category in November; and that the single most actionable thing in the disclosure — the agent documents its own reasoning — points straight at behavioral detection, which is the posture we have argued for all along. We hold this at 95 percent. The five percent is that "first fully agentic ransomware" is a claim about what has been detected and disclosed, not a claim that it is truly the first — the nature of an adversary that leaves no signature is that the earlier ones may simply not have been caught yet. The durable part is the category: agentic threat actors are real now, they break in through the AI surface, and they cannot help but talk while they work.
Sources: Sysdig research on JADEPUFFER agentic ransomware (July 2026), via BleepingComputer, The Hacker News, Dark Reading, and SecurityWeek; CVE-2025-3248 (Langflow unauthenticated RCE, CISA KEV May 2025); DugganUSA prior coverage — "The AI Agent Builder Got Owned in 20 Hours" (2026-03-21), "Langflow Just Hit the KEV List for the Fourth Time" (2026-07-12), and "Looking For AI Adversaries" (November 2025) — queried directly.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
