Apple in Talks to Buy Memory Chips From China's CXMT and YMTC as AI Squeezes SupplyCambricon Hits $147 Billion, Targets 500,000 AI Chips as China Races to Replace NvidiaByteDance's Doubao and Alibaba's Qwen to Shut Down AI Agent Features on July 15140 Trillion Tokens a Day: Inside China's Bid to Redefine AI LeadershipChina's Memory Makers Come for Samsung and SK Hynix — With Capital, Talent and State BackingGLM-5.2 and the 'Mini DeepSeek Moment': How Close Is China, Really?Baseten Raises $1.5 Billion Series F at $13 Billion Valuation as Inference Demand ExplodesDeepSeek Raises $7.4 Billion at $50 Billion Valuation in First-Ever External RoundApple in Talks to Buy Memory Chips From China's CXMT and YMTC as AI Squeezes SupplyCambricon Hits $147 Billion, Targets 500,000 AI Chips as China Races to Replace NvidiaByteDance's Doubao and Alibaba's Qwen to Shut Down AI Agent Features on July 15140 Trillion Tokens a Day: Inside China's Bid to Redefine AI LeadershipChina's Memory Makers Come for Samsung and SK Hynix — With Capital, Talent and State BackingGLM-5.2 and the 'Mini DeepSeek Moment': How Close Is China, Really?Baseten Raises $1.5 Billion Series F at $13 Billion Valuation as Inference Demand ExplodesDeepSeek Raises $7.4 Billion at $50 Billion Valuation in First-Ever External RoundApple in Talks to Buy Memory Chips From China's CXMT and YMTC as AI Squeezes SupplyCambricon Hits $147 Billion, Targets 500,000 AI Chips as China Races to Replace NvidiaByteDance's Doubao and Alibaba's Qwen to Shut Down AI Agent Features on July 15140 Trillion Tokens a Day: Inside China's Bid to Redefine AI LeadershipChina's Memory Makers Come for Samsung and SK Hynix — With Capital, Talent and State BackingGLM-5.2 and the 'Mini DeepSeek Moment': How Close Is China, Really?Baseten Raises $1.5 Billion Series F at $13 Billion Valuation as Inference Demand ExplodesDeepSeek Raises $7.4 Billion at $50 Billion Valuation in First-Ever External Round
A pufferfish, the namesake of the JadePuffer ransomware operation
Sysdig / BleepingComputer
News

Researchers Document JadePuffer — the First Fully Agentic Ransomware Attack

Sysdig's threat team captured an LLM-driven agent that autonomously exploited a Langflow flaw, stole credentials, moved laterally and encrypted a production database — recovering from a failed login in 31 seconds.

R
Rina ChandraTech Reporter
4 min read

Security researchers say they have documented the first known case of fully autonomous, agentic ransomware — an attack driven end-to-end by a large language model rather than a human operator.

The Sysdig Threat Research Team named the operation JadePuffer. It gained initial access to an internet-facing Langflow instance by exploiting CVE-2025-3248, a missing-authentication flaw in the framework's code-validation endpoint that lets an unauthenticated attacker run arbitrary Python on the host. From there, an LLM-driven agent ran a complete extortion campaign on its own.

Machine-speed intrusion

According to Sysdig, the agent performed reconnaissance, harvested credentials, moved laterally, established persistence, escalated privileges and encrypted data — the full attack chain, automated. Crucially, it adapted to failures the way a human operator would: in one sequence, it went from a failed login to a working fix in just 31 seconds, retrying failed steps within refined parameters.

The payload was destructive. The agent encrypted all 1,342 Nacos service configuration items using MySQL's AES_ENCRYPT(), dropped the original config_info and history tables, and created an extortion table named README_RANSOM containing a Bitcoin address and a ProtonMail contact.

A threshold crossed

Security analysts have warned for months that agentic AI would lower the barrier to sophisticated attacks. JadePuffer suggests that threshold has been crossed — not with a bespoke offensive model, but by wiring a commercial LLM into an autonomous loop and pointing it at an exposed service.

The lesson for defenders is uncomfortable: an attack that adapts and recovers at machine speed compresses the window for human response to near zero. The immediate mitigation is mundane — patch CVE-2025-3248, and never expose Langflow's code endpoint to the internet — but the strategic implication is that autonomous offense is no longer theoretical.

Newsletter

Get Lanceum in your inbox

Weekly insights on AI and technology in Asia.

Share

More in News

Lanceum

Independent coverage of AI and technology across Asia. We go beyond headlines to explain what matters.

Colophon

Typeset in Space Grotesk & DM Serif Display. Built with Nuxt & Tailwind. Powered by curiosity.

© 2026 Lanceum. All rights reserved.

Independent • Rigorous • Asia-Focused