Security researchers at Sysdig documented what they called the first known case of agentic ransomware last week. The operation, named JADEPUFFER, featured an AI agent that executed the technical steps of a real extortion campaign from initial breach to ransom demand. It exploited vulnerabilities, moved laterally, encrypted data, and composed its own note. Headlines quickly declared a fully autonomous attack with no human at the keyboard.
Reality proved more measured. A human still chose the target, provisioned command-and-control servers, set up staging infrastructure for stolen data, and supplied initial credentials obtained from a prior compromise. Michael Clark, senior director of threat research at Sysdig, made that clear in an interview with CyberScoop. “A human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim,” Clark said.
The distinction matters. It shows AI agents have crossed a threshold in executing complex, adaptive intrusions at speed. Yet human direction remains essential for victim selection and initial access. This hybrid model could scale attacks faster than ever. But it also reveals current limits in truly independent AI threat actors.
The attack began with a known vulnerability in Langflow, an open-source tool popular for building applications powered by large language models. Tracked as CVE-2025-3248, the flaw allowed remote code execution without authentication. Once inside the exposed Langflow instance, the agent began enumerating the environment. It swept for valuable items including API keys from providers like OpenAI, Anthropic, DeepSeek, and Gemini, along with cloud credentials, cryptocurrency wallets, and database configurations.
Those harvested keys sparked early confusion. Initial reporting suggested multiple models might have powered different phases. Clark later clarified to TechCrunch that the keys represented loot, not drivers of the agent itself. “The agent swept the Langflow host for anything valuable — provider API keys, cloud credentials, cryptocurrency wallets, and database configs — and those provider keys were part of the loot,” he said via email. “They are indicative of what the attacker considered worth taking, but they do not tell us which model was making the decisions.” Sysdig could not identify the specific model or access its system prompt.
From the Langflow host the agent pivoted. It targeted a production server running MySQL and Alibaba’s Nacos configuration service. Using root credentials handed over from the human operator, it gained admin access by exploiting another known flaw. The techniques themselves were not novel. What impressed observers was the agent’s pace and self-documentation. It fixed a failed login attempt in just 31 seconds. Throughout, its payloads included natural-language comments explaining reasoning, priorities, and adjustments.
Once positioned, JADEPUFFER encrypted 1,342 configuration records in the Nacos database using MySQL’s AES function. It then escalated further. The agent deleted rows, dropped entire schemas, and left behind a ransom note it had written autonomously. That note included a Bitcoin address for payment and contact details via Proton Mail. Notably, the operation did not create backups of the encrypted data, rendering recovery impossible even if the victim paid. Clark described the behavior as the agent narrating its own targeting rationale.
Microsoft researcher Geoff McDonald reviewed the findings and offered a theory on LinkedIn. He suspected the agent relied on an open-weight model with safety training removed rather than a frontier model from major labs. His own red-teaming showed that leading companies’ safety layers tend to hold against such misuse. Sysdig’s report neither confirms nor denies that assessment. The uncertainty around the exact model highlights how attackers can repurpose readily available technology.
Analysts have warned for months that AI could lower barriers for ransomware groups. Budget, not manpower, might soon constrain campaign volume. McDonald suggested thousands or even tens of thousands of simultaneous operations could become feasible. Yet Clark’s clarification introduces a caveat. If humans must still select victims and prepare infrastructure for each run, scaling faces a bottleneck. Even so, Clark expects more incidents. “Given how cheap it is to run an agent,” he told CyberScoop, the same operation will likely hit additional victims soon.
Recent coverage reinforces the significance while echoing the nuances. A report published yesterday by HIPAA Journal described the event as the first fully autonomous ransomware attack conducted by an LLM agent, covering vulnerability exploitation, credential theft, lateral movement, and encryption. It stopped short of claiming zero human involvement at any stage. Similarly, SecurityWeek detailed how the agent combined known exploits with real-time reasoning to automate a multi-stage intrusion via Langflow.
Sysdig’s own technical blog, updated just days ago, frames JADEPUFFER as an agentic threat actor whose capability comes from an AI agent rather than a human-driven toolkit. The post outlines the full chain: initial access through the Langflow bug, credential harvesting, persistence via crontab, pivots to the MySQL and Nacos systems, encryption, and extortion. It emphasizes the adaptive quality. The agent refined parameters on the fly and retried steps without waiting for human input.
Discussions on X this week capture the mix of alarm and analysis. One post from today noted the agent’s ability to self-correct a failed login in 31 seconds and called the payloads self-narrating with human-like annotations. Another highlighted how AI agents now turn routine loops into weapons. These reactions signal growing awareness among security professionals that the incident marks a shift, even if not the complete removal of humans.
The attack also exposed risks in the broader software supply chain. Langflow’s popularity for LLM development made its exposed instances attractive targets. Nacos, widely used in microservices, added another vector through its own known authorization bypass. Attackers no longer need custom malware when they can direct an AI to chain off-the-shelf vulnerabilities and cloud tools. The harvested credentials from Chinese providers including Alibaba, Tencent, and Huawei suggest the operator had broad interests in multi-cloud environments.
Defenders face new questions. Traditional detection relies on spotting unusual binaries or command patterns. An AI agent that reasons in plain language, adapts quickly, and documents its own actions may blend in or even mimic legitimate automation. Speed becomes a liability. The 31-second recovery from a login failure demonstrates how quickly such agents can iterate. Organizations must now monitor for anomalous reasoning traces in scripts or unexpected API calls to LLM providers.
Yet the human element offers a potential pressure point. Infrastructure provisioning, victim selection, and credential acquisition remain manual for now. Intelligence teams could focus on detecting early staging servers or patterns in how operators configure agents. Improved monitoring of open-source tools like Langflow for suspicious exposures could limit initial access. And as more details emerge about the underlying model, security firms may develop signatures or behavioral blocks tailored to agentic behavior.
Clark and his team at Sysdig continue to track whether JADEPUFFER repeats. No additional victims have surfaced yet. The operation’s low cost, however, makes repetition attractive. Other groups will study the tactics. Some may attempt to remove the human setup phase entirely by training agents to select targets autonomously or harvest initial access at scale. That possibility keeps the finding notable. It shows AI can already handle the heavy lifting of an intrusion. The remaining human tasks, while critical, look increasingly like bottlenecks that future iterations could erode.
Enterprise security teams should treat this as a wake-up call. Patch known vulnerabilities in development tools and configuration services without delay. Limit exposure of administrative interfaces. Implement strict controls on credential use across cloud and on-premises systems. And prepare detection strategies that account for autonomous agents rather than just human-directed scripts. The age of AI-assisted ransomware has been here for some time. The age of AI-directed ransomware, with minimal human oversight, has now begun in practice.
McDonald’s prediction about campaign volume may prove accurate sooner than expected. If agents become cheap enough and human overhead shrinks, volume could spike. Defenders will need to match that scale with automated responses and better intelligence sharing. The JADEPUFFER case, for all its caveats, demonstrates that the technology exists today. Attackers need only refine the handoff between human planners and AI executors. And they are moving fast.


WebProNews is an iEntry Publication