
The First AI-Run Ransomware Didn't Crack Anything. It Walked Through Default Passwords — and That's the Scary Part.

  • Writer: Patrick Duggan

Sysdig's Threat Research Team published something on July 1 that every headline is getting half-right. They documented JADEPUFFER — the first case they can find of a ransomware operation run end to end by an AI agent, an LLM that broke in, stole credentials, moved laterally, and encrypted a production database with no human at the keyboard. The headline writes itself: the machines are doing ransomware now. That headline is true and it is also the least interesting thing about this event. The interesting thing is how the machine won, because it did not win by being brilliant. It won by walking through doors that were already open.


Look at the actual chain. Initial access was CVE-2025-3248, a remote-code-execution flaw in an internet-exposed Langflow instance — an LLM app-building tool that should never have been facing the internet unpatched. From there it harvested cloud and LLM-provider credentials, then pivoted to a server running Alibaba's Nacos configuration service using a 2021 authentication bypass, alongside default MinIO credentials it simply tried and found working. Then it encrypted 1,342 configuration items and asked for money. Every single step in that chain is something a bored teenager could have done by hand: an unpatched public app, a four-year-old bug, factory-default passwords, and privileges nobody scoped down. JADEPUFFER did not defeat good security. It was never asked to. It met negligence, and negligence does not care whether the attacker is a person or a process.


So the correct reading is not that AI got smart enough to breach you. It is that the labor cost of exploiting the sloppiness that was already there just fell to zero. For as long as ransomware has existed, the bottleneck was human — someone had to plan, pick targets, test the stolen credentials, notice when a payload errored, and fix it. That human labor is the reason not every exposed MinIO bucket gets popped the same afternoon it appears. JADEPUFFER removes the human. When one of its actions failed — an admin-account creation that errored out — it diagnosed the problem and shipped a working fix in thirty-one seconds. No coffee, no sleep, no getting bored and moving on. The thing that used to protect the long tail of soft targets was that attackers had better things to do. They no longer have to choose.


There is one genuinely new artifact here, and it matters more for defenders than the scare stories admit. The decoded payloads are saturated with natural-language commentary explaining why each action is being taken — because that is what LLM code generation does by default. The malware narrates itself. For the entire history of intrusion forensics, attackers tried to leave less; this attacker cannot help leaving more, because the model that drives it explains its own reasoning as a matter of course. That is a fingerprint. An intrusion whose payloads read like a helpful engineer talking through their work is an intrusion you can learn to recognize. The same property that makes agentic attacks fast makes them chatty, and chatty is detectable.
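One way to turn that property into a triage signal, as an added example that is not from Sysdig's report or this post's author: the scorer below measures how much of a decoded script is comment text that explains its own reasoning. The phrase list, the thresholds and both sample payloads are constructed assumptions, not JADEPUFFER artifacts.

```python
import re

# Comment leaders for shell/Python (#), JS/Go (//) and SQL (--); "#!" shebangs count as code.
COMMENT = re.compile(r"^\s*(?:#(?!!)|//|--)\s*(.*)$")
# Words that signal explanation rather than a label. Assumed list; tune on your own corpus.
RATIONALE = re.compile(
    r"\b(because|since|so that|in order to|we need|this will|this ensures|"
    r"first|next|now|then|instead|fall back|retry)\b", re.I)

def narration_score(payload: str) -> dict:
    """Return comment density and the number of comments that explain a decision."""
    comments, code = [], 0
    for line in payload.splitlines():
        if not line.strip():
            continue
        m = COMMENT.match(line)
        if m:
            comments.append(m.group(1))
        else:
            code += 1
    total = len(comments) + code
    # A rationale comment is a sentence-length comment containing an explanatory marker.
    explained = [c for c in comments if len(c.split()) >= 5 and RATIONALE.search(c)]
    return {
        "comment_ratio": len(comments) / total if total else 0.0,
        "rationale_comments": len(explained),
    }

def is_narrated(payload: str, min_ratio: float = 0.4, min_rationale: int = 2) -> bool:
    """Flag scripts that are both comment-heavy and reasoning-heavy (assumed thresholds)."""
    s = narration_score(payload)
    return s["comment_ratio"] >= min_ratio and s["rationale_comments"] >= min_rationale

# Constructed sample: a terse, human-style maintenance script.
TERSE = """#!/bin/sh
set -e
# rotate logs
find /var/log/app -name '*.log' -mtime +7 -delete
systemctl reload app
"""

# Constructed sample: the same kind of script written in a self-narrating style.
NARRATED = """# First, check that the service is running so that we do not restart it twice
systemctl is-active app
# The last attempt failed because the config path was wrong
# Now retry with the corrected path and then confirm the exit status
cp /etc/app/app.conf /tmp/app.conf.bak
echo $?
"""
```

Well-documented legitimate scripts also score high, so this works as one feature to correlate with where and how the script was executed, not as a verdict on its own.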


This is where the honest lesson diverges hard from the panic. The panic says: AI is now an unstoppable super-attacker, buy the AI defense product. The truth says: an autonomous agent walked through default passwords and a 2021 bug, and the reason it succeeded is the same reason breaches have always succeeded — soft surfaces that were never hardened. The AI did not change what is exploitable. It changed how cheap it is to exploit all of it, all at once, tirelessly. Which means the defensive conclusion is not exotic. Patch the internet-facing app. Kill the default credentials. Scope the privileges. Rotate the exposed keys. The unglamorous hygiene that would have stopped a human attacker stops the agent too, because the agent is not doing anything a hardened environment would permit.


But there is a second conclusion, and it is the one that actually keeps us up at night, because it is structural rather than fixable by a checklist. If attacker labor is now free and tireless, then every soft target gets attacked, not just the unlucky ones an operator happened to notice. The economics that spared the long tail are gone. And the only thing that scales against a free, sleepless, self-repairing attacker is a defense that runs at the same machine speed — automated detection that does not need a human to notice, correlate, and respond in the thirty-one seconds the agent takes to fix its own mistakes. You cannot out-hire this. You can only out-automate it. That is not a product pitch; it is arithmetic. When the cost of attacking approaches zero, the only stable defense is one whose cost of detecting also approaches zero.


JADEPUFFER is a milestone, but not the one the headlines picked. It is not the day AI became a genius burglar. It is the day the burglar stopped needing to be paid, and pointed itself at every unlocked door at once. The doors were already unlocked. That was always the problem. The agent just made it impossible to keep ignoring.


Sources: Sysdig Threat Research Team, "JADEPUFFER: Agentic Ransomware for Automated Database Extortion" (July 1, 2026); The Register and The Hacker News coverage (July 2, 2026). Technical chain — CVE-2025-3248 (Langflow RCE), Nacos 2021 auth bypass, MinIO default credentials, 1,342 encrypted config items — per Sysdig's report. Our read of the labor-cost and detection implications is ours.



