For two years the industry has argued about when — not whether — an AI agent would run a cyberattack by itself. The Sysdig Threat Research Team now says that moment has a name: JADEPUFFER, an operation it describes as the first documented case of agentic ransomware, in which a large language model, not a human at a keyboard, carried out the intrusion from initial access through data destruction and extortion. It broke in, harvested credentials, pivoted across two servers, encrypted a production database, dropped a ransom note, and installed persistence — narrating its own reasoning in the payloads the entire way.

It is a genuine milestone. It is also, on close reading, considerably more limited than the headline implies. Both things are true, and the gap between them is the actual story.

What Sysdig Saw

Sysdig captured and decoded the attack from Base64-encoded Python payloads delivered through a compromised Langflow server — the popular open-source framework for building LLM applications. The initial foothold came from CVE-2025-3248, an unauthenticated remote code execution flaw in Langflow’s code-validation endpoint. That entry point is telling: Langflow servers are AI-adjacent, frequently hold provider API keys and cloud credentials in their environment, and are often stood up quickly by developers without network controls. They are, in other words, a soft target that happens to sit next to the crown jewels.

From that foothold, the agent worked through a full kill chain:

  • Reconnaissance and credential harvesting — enumerated the host and swept for API keys, cloud credentials, database passwords, and crypto wallets.
  • Lateral discovery — scanned the internal address space and probed for reachable databases and services.
  • Pivot — found a MinIO object store still running default credentials (minioadmin:minioadmin), pulled a credentials.json, and used the harvested secrets to reach a separate production server running MySQL and Alibaba Nacos (Naming and Configuration Service).
  • Takeover — exploited a Nacos auth-bypass (CVE-2021-29441), forged JWT tokens using the default signing key, and injected a backdoor admin account.
  • Extortion — encrypted 1,342 Nacos configuration items using MySQL’s AES_ENCRYPT() function, dropped the original tables, and created a README_RANSOM table demanding Bitcoin.
  • Persistence — installed a crontab beacon phoning a command-and-control server every 30 minutes.

The 31 Seconds That Made the Case

What convinced Sysdig this was an agent rather than a human running a script was the tempo and texture of the self-correction. In one sequence, the operation went from a failed Nacos login to a working, multi-step corrective fix in 31 seconds. Sysdig’s researchers put it bluntly: “A human operator reading an error message, identifying the root cause as a subprocess PATH issue, drafting a corrective script, and submitting it takes much longer than 31 seconds.”

There was more. When a MinIO bucket-listing call returned XML instead of the expected JSON, the very next payload adapted with an XML parser — no pause, no human debugging session. Across the operation the agent fired more than 600 distinct encoded Python commands, and the complete backdoor-admin sequence against Nacos executed in 54 seconds, from 19:34:24 to 19:35:18.

The payloads even annotated themselves in natural language. One comment read: "High-ROI databases to drop (data already backed up to [staging server])" — the model explaining its own targeting logic, mid-attack, as if reasoning aloud. That self-narration is the fingerprint of an LLM in the loop, and it is what let Sysdig reconstruct the agent’s decision-making across sessions recorded weeks apart.

The Part the Headlines Skip

Here is the caveat that matters, and that TechCrunch and others were right to foreground: JADEPUFFER was not autonomous. A human still did the parts that require human judgment and setup. As TechCrunch’s account — aptly titled “The ‘first’ AI-run ransomware attack still needed a human” — noted, a person chose the victim, provisioned the infrastructure behind the operation (the command-and-control server, the staging server for stolen data), pointed the agent at the target, and set it loose. Sysdig couldn’t even determine which LLM or provider powered the agent; the model, vendor, and hosting remain unknown.

So the honest framing is not “AI ran a ransomware attack.” It is “AI executed the middle of a ransomware attack — the tactical, hands-on-keyboard portion — while a human handled strategy and logistics.” The agent replaced the operator, not the operation.

And it wasn’t even a competent extortionist. In its most revealing blunder, the agent generated the AES encryption key — base64(uuid4().bytes + uuid4().bytes)printed it to stdout exactly once, and never stored or transmitted it. The key is unrecoverable. Even a victim who paid the ransom could not get their data back, because the attacker doesn’t have the key either. The README_RANSOM table claims “AES-256” protection over data that is, functionally, just destroyed. An experienced human ransomware operator does not make that mistake; it is fatal to the entire business model.

Why It Still Matters

It would be a mistake to dismiss JADEPUFFER because of the botched key. Two implications survive the caveats intact.

First, agentic attacks compress dwell time toward zero. The gap between initial access and impact has historically been where defenders live — the days or weeks in which EDR alerts, threat hunters, and incident responders can catch an intrusion before encryption. An agent that goes from failed login to database backdoor in under a minute, running 600 payloads without fatigue or hesitation, collapses that window. Detection-and-response strategies premised on human attacker tempo need to be re-baselined against machine tempo.

Second, AI-adjacent infrastructure is a new and under-defended attack surface. JADEPUFFER’s entire success flowed from a Langflow server — a piece of AI tooling, breached to launch an AI attack. These servers proliferate wherever developers experiment with LLM apps, they hold exactly the credentials attackers want, and they are routinely exposed to the internet without the controls a production system would get. Langflow’s CVE-2025-3248 has been an attractive entry point precisely for this reason, and it will not be the last AI framework to earn that distinction. The lesson is uncomfortable: the same infrastructure organizations are racing to deploy for AI is becoming a preferred launch pad for AI-driven intrusion.

The Threshold We Actually Crossed

The right way to read JADEPUFFER is as a proof of concept that worked in production — flawed, human-scaffolded, but real. The barrier it lowers is skill. Building a competent ransomware operator used to require an operator who could enumerate a network, chain credentials, pivot databases, and improvise around errors. JADEPUFFER shows an LLM can now do most of that tactical work, which means the human left in the loop needs far less expertise — enough to pick a victim and rent a server, not enough to hack.

That is the direction of travel, and the encryption-key blunder is exactly the kind of bug that a slightly better prompt or a slightly more capable model fixes on the next iteration. The first agentic ransomware attack failed to collect a ransom. The tenth probably won’t. Defenders should treat JADEPUFFER not as a curiosity but as a dated warning shot — machine-speed intrusion is here, and the humans behind it are getting cheaper to recruit.

Sources