A ransomware attack that ran itself, start to finish, without a human touching the keyboard has now been documented and confirmed by security researchers — and it’s called JadePuffer. I’ve read through the technical writeup from Sysdig a few times now, and what strikes me isn’t just that an AI agent pulled off the intrusion. It’s how ordinary the whole thing looked while it was happening.
Here’s the short version: an autonomous AI agent broke into a target’s infrastructure, stole credentials, moved sideways through the network, dug in with persistence, and then encrypted more than a thousand configuration files before demanding a ransom. No operator was steering it in real time. It adapted when things didn’t work the first time, the same way a human red-teamer would try a different door when one is locked.
How JadePuffer got in
The entry point was CVE-2025-3248, an unauthenticated remote code execution bug in Langflow — a popular open-source framework developers use to build LLM-powered apps. The vendor patched the hole back on April 1, 2025, and CISA flagged it as actively exploited in the wild by early May 2025. That’s over a year of lead time for anyone running Langflow to patch it. A lot of instances apparently didn’t.
Once inside, the agent didn’t just grab what was in front of it. According to Sysdig’s report, it dumped a PostgreSQL database, pulled environment variables and credentials, and enumerated a MinIO object storage bucket. Then it pivoted to a production MySQL server tied to Alibaba Nacos using root-level credentials it had picked up along the way, and encrypted 1,342 Nacos service configuration items before deleting the originals. An extortion note with a Bitcoin address followed.
The part that should actually worry you
Encrypting files isn’t new — ransomware has done that for a decade. What’s new is the adaptability. Researchers noted the agent went from a failed login attempt to a working workaround in 31 seconds, and it kept a persistence mechanism alive by beaconing out every 30 minutes through a cron job. The payloads themselves were, in Sysdig’s words, “self-narrating” — full of natural-language reasoning and target-prioritization notes that read like an AI thinking out loud, not code a human attacker would bother to write.
That’s the tell. Human-written ransomware toolkits are terse because writing verbose comments takes time an attacker doesn’t want to spend. An LLM-driven agent, on the other hand, reflexively narrates its own reasoning as part of how it generates code and decisions — and it left that trail behind without meaning to.
Why researchers are calling this a turning point
Sysdig is framing JadePuffer as the arrival of the “agentic threat actor” — an attacker whose actual capability comes from an AI system rather than a human operator’s manual skill. The implication is straightforward and a little unsettling: the skill floor for running a full-scale, adaptive intrusion just dropped. You no longer need a crew of experienced operators who know how to pivot from a database dump to a production server takeover. You need an agent framework, a foothold, and time.
It also lands right after a summer full of warnings about exactly this kind of risk. Just days before this report surfaced, the UN’s Independent Scientific Panel on AI told governments in Geneva that no technical guarantee exists that advanced AI systems avoid catastrophic harm — whether through misuse or on their own. JadePuffer isn’t catastrophic in scale, but it’s a concrete, real-world data point for a warning that had mostly been theoretical until now.
Quick facts: JadePuffer at a glance
| Detail | What we know |
|---|---|
| Discovered by | Sysdig (cloud security research team) |
| Entry vulnerability | CVE-2025-3248 (Langflow, unauthenticated RCE) |
| Patch available since | April 1, 2025 |
| Flagged as exploited by CISA | Early May 2025 |
| Items encrypted | 1,342 Nacos configuration entries |
| Adaptation speed observed | 31 seconds, failed login to working fix |
| Persistence method | Cron-job beacon, every 30 minutes |
| Human operator involved | None identified during the attack chain |
What this means if you run anything internet-facing
If your team has spun up Langflow, or really any self-hosted LLM tooling, in the last couple years, patch status matters more than ever right now. The old assumption that a lesser-known open-source framework isn’t worth an attacker’s time doesn’t hold when the “attacker” is an agent that can scan for and exploit known CVEs at machine speed, for free, at scale. Unpatched internet-facing software is now a standing invitation regardless of how niche the tool seems.
The practical defenses haven’t changed much — patch on CISA’s known-exploited-vulnerabilities timeline, rotate credentials that touch multiple systems, and don’t let a database service account also hold root on your production MySQL box. What has changed is the cost of skipping those basics. I’ve covered general cyber-hygiene steps in more depth in our cybersecurity trends guide, and if you want the fuller policy backdrop on why regulators are suddenly this anxious about AI risk, I broke down the Geneva summit in my piece on the UN’s AI governance push.
FAQ
Is JadePuffer the first AI-driven ransomware attack?
It’s the first one that researchers have documented as fully agentic — meaning an AI agent handled reconnaissance, lateral movement, persistence, and encryption without a human operator directing each step in real time. AI has assisted human attackers before (writing phishing emails, generating malware variants), but JadePuffer is being treated as the first complete, autonomous attack chain.
What vulnerability did JadePuffer exploit?
CVE-2025-3248, an unauthenticated remote code execution flaw in Langflow, an open-source framework for building LLM applications. It had been patched for over a year and was already known to CISA as actively exploited before this attack.
Should I be worried if I don’t run Langflow?
The specific CVE is Langflow-specific, but the pattern isn’t. Any unpatched, internet-facing service is now a target for the same kind of autonomous scanning-and-exploitation approach. Treat this as a reason to tighten patch cadence generally, not just on this one tool.
Did anyone pay the ransom?
That detail hasn’t been publicly disclosed in the coverage I’ve reviewed. The researchers’ focus has been on the mechanics of the attack itself, not the outcome of the extortion attempt.
I’ll be watching for follow-up reporting on whether other agentic ransomware cases surface — Sysdig’s language (“the agentic threat actor era has arrived”) suggests they don’t think JadePuffer will stay a one-off.
Sofia follows emerging technology, from AI and VR to IoT and blockchain, and translates the hype into plain language. She cares about what these tools mean for everyday users, not just the headlines.
