
Researchers Document JadePuffer — the First Fully Agentic Ransomware Attack
Sysdig's threat team captured an LLM-driven agent that autonomously exploited a Langflow flaw, stole credentials, moved laterally and encrypted a production database — recovering from a failed login in 31 seconds.
Security researchers say they have documented the first known case of fully autonomous, agentic ransomware — an attack driven end-to-end by a large language model rather than a human operator.
The Sysdig Threat Research Team named the operation JadePuffer. It gained initial access to an internet-facing Langflow instance by exploiting CVE-2025-3248, a missing-authentication flaw in the framework's code-validation endpoint that lets an unauthenticated attacker run arbitrary Python on the host. From there, an LLM-driven agent ran a complete extortion campaign on its own.
Machine-speed intrusion
According to Sysdig, the agent performed reconnaissance, harvested credentials, moved laterally, established persistence, escalated privileges and encrypted data — the full attack chain, automated. Crucially, it adapted to failures the way a human operator would: in one sequence, it went from a failed login to a working fix in just 31 seconds, retrying failed steps within refined parameters.
The payload was destructive. The agent encrypted all 1,342 Nacos service configuration items using MySQL's AES_ENCRYPT(), dropped the original config_info and history tables, and created an extortion table named README_RANSOM containing a Bitcoin address and a ProtonMail contact.
A threshold crossed
Security analysts have warned for months that agentic AI would lower the barrier to sophisticated attacks. JadePuffer suggests that threshold has been crossed — not with a bespoke offensive model, but by wiring a commercial LLM into an autonomous loop and pointing it at an exposed service.
The lesson for defenders is uncomfortable: an attack that adapts and recovers at machine speed compresses the window for human response to near zero. The immediate mitigation is mundane — patch CVE-2025-3248, and never expose Langflow's code endpoint to the internet — but the strategic implication is that autonomous offense is no longer theoretical.
Newsletter
Get Lanceum in your inbox
Weekly insights on AI and technology in Asia.

