Cloud security firm Sysdig published research on July 4 documenting what it calls the first ransomware operation conducted entirely by a large language model agent. The group, tracked as JadePuffer, used an autonomous AI agent to handle reconnaissance, credential theft, lateral movement, privilege escalation, persistence, and data encryption without human operators intervening at each stage.

The Attack Sequence

JadePuffer gained initial access by exploiting CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow, a popular open-source framework for building LLM applications. The vendor patched the flaw in April 2025, and CISA flagged it as actively exploited in May 2025. Internet-exposed Langflow instances remain common targets because they often contain cloud credentials and API keys with minimal hardening.

After obtaining code execution, the AI agent dumped Langflow’s PostgreSQL database, collected host information, searched for environment variables and sensitive files, retrieved credentials, and enumerated a MinIO object store. Sysdig highlights the agent’s adaptive behavior: when one MinIO API request returned XML instead of JSON, the next payload adjusted its parsing logic automatically.

The agent installed a cron job on the Langflow server, configured to beacon to attacker infrastructure every 30 minutes, establishing persistence. From there, it pivoted to a production MySQL server running Alibaba Nacos (Naming and Configuration Service), using root credentials whose origin Sysdig could not determine. The agent also probed for container escape methods and deployed payloads exploiting CVE-2021-29441, an authentication bypass vulnerability that creates rogue administrator accounts in Nacos.

1,342 Configuration Items Encrypted

The agent encrypted 1,342 Nacos service configuration items using MySQL’s AES_ENCRYPT() function, dropped the original config_info and history tables, and created an extortion table (README_RANSOM) containing the demand, a Bitcoin payment address, and a Proton Mail contact, according to Sysdig’s analysis.

The ransom note claims AES-256 encryption, but Sysdig believes the weaker AES-128-ECB was actually used. The encryption key was randomly generated but never stored or transmitted to the attacker. The Bitcoin address in the ransom note is a well-known example address from public documentation, likely reproduced from the LLM’s training data. These details suggest the operation was functional but rough around the edges.

How Sysdig Identified the AI Agent

Several indicators pointed to LLM-driven operations rather than human operators. The generated code contained detailed natural-language comments describing operational reasoning at each step. Error handling showed rapid iteration tailored to specific failures encountered during the intrusion, not simple scripted retries. In one sequence, the agent went from a failed login to a working fix in 31 seconds, according to BleepingComputer’s reporting.

The Defense Angle

Sysdig concludes that JadePuffer demonstrates the arrival of “agentic threat actors,” lowering the skill barrier for conducting damaging cyberattacks. At the same time, the researchers note that LLM-generated payloads create new detection opportunities. The verbose commenting, predictable iteration patterns, and training-data artifacts (like the example Bitcoin address) give security teams signatures they would not see in human-authored attacks.

For organizations running Langflow or similar AI development frameworks, the immediate takeaway is concrete: patch CVE-2025-3248, restrict internet exposure of LLM tooling, and audit MinIO and Nacos configurations for credential leakage.