It Started With a Forgotten Server
Somewhere in the sprawling sprawl of the internet, a server running Langflow — an open-source visual framework for building LLM-powered apps — sat exposed. No authentication. No firewall. Just waiting. What happened next was not a script kiddie running a canned exploit. It was something far more unsettling: an AI agent that walked itself through the entire kill chain, from initial breach to data exfiltration to ransom demand. No human pulled the trigger.
On July 1, 2026, Sysdig's Threat Research Team published the technical postmortem of JADEPUFFER — the first documented case of fully agentic ransomware in the wild. And the details are the kind that keep security engineers staring at their monitors a little longer before logging off.
An LLM That Doesn't Just Talk — It Acts
The attacker's entry point was CVE-2025-3248, a remote code execution vulnerability in Langflow. Where a human attacker would typically probe, enumerate, and manually escalate, JADEPUFFER deployed an LLM-driven agent to do all of it autonomously. The agent scanned the exposed environment, discovered a Nacos configuration center vulnerable to CVE-2021-29441 (a default JWT key bypass), and helped itself to cloud credentials stored in plaintext.
From there, it moved laterally to MinIO storage buckets, enumerated databases, and eventually landed on a MySQL instance containing sensitive data. The agent then encrypted the databases using AES, changed the administrator password, and left a ransom note demanding payment in Bitcoin.
The entire sequence — reconnaissance, lateral movement, credential harvesting, encryption, extortion — ran without any command-and-control server issuing step-by-step instructions. The LLM agent planned and executed the operation from start to finish.
What Makes This a Watershed Moment
Security researchers have warned about AI-powered malware for years. But there is a difference between a script that calls an API and an autonomous agent capable of adapting its strategy mid-operation. JADEPUFFER represents the latter. It did not rely on a fixed playbook. It assessed the environment, made decisions, and pivoted when it hit obstacles — behaviors that traditionally required a human operator.
- Autonomous reconnaissance: The agent scanned the network and identified high-value targets without predefined targets.
- Credential harvesting at scale: It extracted cloud provider keys, database passwords, and configuration secrets from Nacos and MinIO.
- Full encryption and extortion: AES-encrypted databases, changed admin credentials, and a Bitcoin ransom note — fully automated.
The implications are sobering. If an off-the-shelf Langflow instance and a default Nacos deployment can be chained into a fully autonomous ransomware pipeline, the attack surface for every organization running exposed AI infrastructure just expanded dramatically. JADEPUFFER did not require nation-state resources or a team of skilled operators. It required an exposed endpoint and a capable LLM.
What Can You Do About It?
The attack vectors JADEPUFFER exploited are not exotic zero-days. They are known vulnerabilities with patches available. The breach happened because systems were exposed to the internet without authentication — a configuration sin the industry has been committing for years, now with higher stakes.
Organizations should audit every internet-facing service for default credentials, especially Nacos, MinIO, and Langflow deployments. Network segmentation matters more than ever — if an agent lands on one box, it should not be able to browse laterally to databases. And runtime detection tooling that monitors for unusual process execution and data access patterns — the kind Sysdig itself builds — is no longer nice-to-have. It is the difference between catching an agentic intruder mid-stride and reading about yourself in someone else's blog post.
JADEPUFFER is a proof of concept that escaped the lab. It will not be the last. The era of agentic cyberattacks has begun — and it arrived quietly, through a forgotten server with no password.
Comments