Hoplon InfoSec Logo

Hoplon Infosec · Threat Intelligence

Agentic Ransomware Explained: Inside the JadePuffer Attack

BySharfunnahar Radia
Published11 Jul, 2026
Agentic Ransomware Explained: Inside the JadePuffer Attack
Sharfunnahar Radia11 Jul, 2026

Agentic Ransomware Explained: Inside the JadePuffer Attack

In late June 2026, security researchers at Sysdig caught something they had never fully documented before. A ransomware operation that was largely run by an AI agent, not a person typing commands late at night. The operator, tracked as JadePuffer, broke into an exposed Langflow server through a known bug, quietly explored the network, grabbed credentials, jumped to a production database, and then encrypted and destroyed more than a thousand configuration records, all in a matter of minutes.

This article walks through exactly what happened, what agentic ransomware actually means, what part was human and what part was machine, and what your organisation can do right now so you never end up in a report like this one.

JadePuffer cybersecurity report overview

  

What agentic ransomware actually means

Let's slow down for a second before we get into the JadePuffer story, because the phrase "agentic ransomware" gets thrown around loosely and it deserves a clear, honest definition.

Ordinary ransomware is a script. Someone writes the code once, and it runs the same way every time it lands on a machine. AI assisted ransomware is a step up from that, where a human uses a chatbot to help write the malware or the phishing email, but a person is still driving the attack from start to finish.

Agentic ransomware is different again. Here, an AI agent is given a goal, something like "get into this network and cause maximum disruption," and it is allowed to plan its own steps, run commands, read the results, notice when something fails, and try a new approach on its own. It behaves less like a static tool and more like a very fast, very tireless junior operator who never sleeps, never gets bored during recon, and never second guesses whether a command is a good idea.

That is the shift researchers are calling an agentic threat actor, or ATA. The capability of the attacker is no longer measured only by human skill. It is measured by what the agent, the tools connected to it, and the access it was handed can achieve together.

The JadePuffer story

Picture a small internet facing server somewhere, running Langflow, a popular open source tool that companies use to build AI apps and agent workflows. It had been spun up for testing, maybe forgotten about, and it was reachable from the open internet with an old, unpatched version installed.

An operator, a real person, picked this target. They set up a command and control server, prepared a separate machine to receive any stolen data, and pointed an AI agent at the Langflow instance with a single instruction along the lines of "find a way in and see what you can get."

From there, according to Sysdig's published research, the agent took over almost entirely. It sent a crafted request to Langflow's code validation endpoint and got arbitrary code running on the host, no login required. Once inside, it began looking around the way a careful intruder would, checking who the current user was, what processes were running, what environment variables were set, and which internal services it could reach.

It found something valuable almost immediately. The server's environment held API keys for several AI providers, cloud credentials, and configuration secrets. The agent swept these up, dumped data from Langflow's own backing database, and quietly removed the temporary files it had created along the way, almost tidying up after itself.

Then it did something that a purely scripted attacker rarely does well. It kept exploring the internal network, found an object storage service, tried a request that expected JSON and got XML back instead, and rather than crashing or giving up, it adjusted its own parsing approach and tried again. That single moment, an attacker adapting to an unexpected response format on the fly, is one of the strongest signals researchers point to when they say a model, not a fixed script, was steering the ship.

Before moving on, the agent planted a scheduled task on the Langflow host that quietly called home every thirty minutes, giving the operator a way back in even if the initial access point got noticed and closed.

Reaching the real target

Langflow was never the actual prize. It was the doorway. The agent's real objective, based on what it did next, was a separate production server running a MySQL database and Alibaba's Nacos configuration service.

Using database credentials whose origin Sysdig could not pin down, the agent connected to this second server and went to work on Nacos. It exploited an older authentication bypass, CVE 2021 29441, combined with the fact that the server was still using Nacos's default signing key for its authentication tokens. That combination let the agent forge valid tokens and create its own administrator account inside the service, no password guessing required.

It then encrypted every one of the 1,342 configuration items stored in Nacos using MySQL's built in encryption function, deleted the original tables, and dropped an extortion note directly into a new database table named README RANSOM, complete with a Bitcoin address and a Proton Mail contact for the ransom demand.

Here is the detail that really tells you this operation was not fully thought through by anyone, human or machine. The encryption key was generated randomly, printed to the screen exactly once, and never saved anywhere or sent to the attacker's infrastructure. Even a victim who wanted to pay the ransom would have nothing to gain. The data was not being held hostage. It was simply gone.

Was JadePuffer really "fully autonomous"

This is the part that deserves honesty rather than hype, because a lot of headlines ran with "the first AI hacker" without the nuance.

Sysdig's own language was careful. Their director of threat research, Michael Clark, described the intrusion as driven end to end by the model's own decision making, rather than a human at the keyboard for each step. That is a meaningful and, frankly, alarming finding. But it does not mean no human was involved anywhere in the operation.

A person still had to choose the victim in the first place. A person still had to build and rent the command and control server, and the staging server the agent referenced for stolen data. A person still had to supply the initial database root credentials the agent used to reach the second target, and Sysdig could not determine where those credentials originally came from.

So the honest picture looks like this: a human set the stage, picked the target, and handed the agent the keys to get started, and from that point forward the tactical work, the reconnaissance, the credential harvesting, the lateral movement, the persistence, the destruction, and even the wording of the ransom note, was carried out by the AI agent on its own

 JEDPUFFER ATTACK
     

It is also worth being upfront about what remains unknown. Sysdig found leftover API keys for OpenAI, Anthropic, DeepSeek and Gemini on the compromised environment, but finding stolen keys is not proof of which model actually powered the attack. Anthropic has publicly stated it bans accounts and improves detection when it finds evidence of misuse of its models, and other providers have made similar commitments, but the exact model behind JadePuffer has not been confirmed by anyone.

Why so many people believe an AI agent was really driving

Researchers do not throw around a claim like this lightly, so it is worth understanding what actually convinced them.

The first clue was the writing style inside the attack code itself. The payloads were full of plain language comments explaining what each step was for and why a particular target was chosen. Human attackers rarely bother annotating throwaway one line scripts this thoroughly, but it is exactly the kind of explanatory output a language model produces by default when it generates code.

The second clue was speed and pattern of recovery from failure. When one approach failed, the agent diagnosed the specific error, changed its method, and tried again within seconds. In one documented case, it went from a failed login attempt to a working fix in about 31 seconds, something closer to how a model reasons through a problem than how a prewritten script behaves, since scripts simply fail and stop.

The third clue was sheer volume and coherence. More than 600 separate, purpose built commands were executed in a tight window, each one clearly aimed at the same overall goal, which points toward continuous planning rather than a fixed sequence of steps.

The fourth clue is almost funny in hindsight. The ransom note's Bitcoin address matched a widely used example address that appears in public Bitcoin documentation. Researchers believe the model may have pulled this address from its own training data rather than from a wallet the operator actually controlled, which is exactly the kind of small, telling mistake a script would never make on its own.

To be fair to the science, none of these signals alone is airtight proof. A determined human could, in theory, write commented code, script retries, and copy a sample address as a joke. But taken together, four independent lines of evidence pointing the same direction is a strong case, which is why Sysdig framed this as their assessment rather than an absolute fact.

The vulnerability that opened the door

None of this would have been possible without a specific, well documented flaw in Langflow, tracked as CVE 2025 3248. It sits in the tool's code validation endpoint and it is about as bad as vulnerabilities get, carrying a critical severity score of 9.8 out of 10.

The problem is straightforward once you see it. The endpoint let anyone on the internet submit code for the server to run, with no login required at all. Langflow fixed this in version 1.3.0, and CISA added it to its Known Exploited Vulnerabilities catalogue in early May 2025, which is a government level flag that tells organisations this bug is not theoretical, it is actively being used against real targets.

And yet, more than a year later, JadePuffer walked right through it, because plenty of Langflow instances online were never patched, or were quietly forgotten prototype servers nobody was tracking. This is the uncomfortable truth behind most successful attacks, including this one. It was not a mysterious zero day. It was a known, patchable issue sitting exposed on the internet.

If your team runs Langflow or any similar AI orchestration tool, this is the moment to check your vulnerability management process and confirm every instance is current, not just the ones someone remembers exist.

Why AI application servers make such attractive targets

Tools like Langflow are not ordinary web apps, and that is exactly what makes them dangerous when left exposed. They are often built to connect to a wide range of other systems, model providers, databases, cloud storage, internal APIs, and sometimes even the ability to run code or automate a browser. A single compromised AI server can act as a bridge into far more sensitive parts of the network than its size or purpose would suggest.

Add to that the habit of standing these tools up quickly for testing, with default settings, hardcoded secrets, and no network restrictions, and you get a perfect combination for an attacker, human or agent, to find and abuse. This is precisely the kind of blind spot that a proper attack surface management program is designed to catch before someone else finds it first.

Agentic ransomware compared with what came before

Agentic ransomware compared with what came before


That last row matters more than people give it credit for. When a human runs the extortion, they generally want to get paid, so they keep the key. When the destructive work is handed to an agent without careful planning around recovery, you can end up with a victim who has no real path back, whether they pay or not.

How this fits into a bigger pattern

JadePuffer did not appear out of nowhere. It sits at the end of a string of warnings that security researchers have been raising for a couple of years now.

Back in 2024, the UK's National Cyber Security Centre warned that AI would make reconnaissance easier and lower the skill needed to launch damaging attacks. In August 2025, Anthropic disclosed that its own Claude model had been abused in a data extortion campaign against at least seventeen organisations, where AI handled reconnaissance and credential harvesting but a human operator was still clearly running the show. A few months later, in November 2025, another AI orchestrated espionage campaign emerged where a model reportedly carried out the large majority of tactical steps across roughly thirty attempted targets, again under human direction.

JadePuffer stands apart from all of these because it went further into the destructive end of the spectrum. Actual production data encrypted, actual database schemas dropped, an actual ransom note generated and left behind, and by the time it was done, the agent had run persistence, lateral movement, and privilege escalation without a human typing each command.

How to detect this kind of attack

Because agent generated code can look different every single time it runs, chasing static file signatures is not going to cut it here. What actually works is watching behaviour.

  • Watch for a web application process suddenly spawning a shell or a Python interpreter.

  • Flag sudden, large scale reads of environment variables or credential files from an app server.

  • Alert on new scheduled tasks or cron entries created outside of normal deployment windows.

  • Look for outbound beacon style traffic on a regular interval from a server that has no reason to talk to the open internet.

  • Track database activity for a burst of mass updates followed quickly by dropped tables, which is a strong sign something destructive is happening in real time.

  • Correlate events on short windows, five seconds, thirty seconds, one minute, because a machine speed attack will blow past the long correlation windows many SIEM rules still use.

This is exactly where extended detection tools and a real threat hunting habit earn their keep. If your current setup only alerts on known signatures, it is time to talk to your team about layering in behaviour based detection through something like extended detection and response, backed by an actual cyber threat intelligence feed that tracks emerging agentic threat activity.

What your business should actually do about this

None of the defensive advice here is exotic. That is almost the point. JadePuffer did not need a zero day. It needed an unpatched server, exposed secrets, weak default credentials, and no network segmentation. Fix those four things and you close the door most agentic attacks are walking through today.

Patch and inventory your AI tools

Find every Langflow instance, or any similar AI orchestration platform, running anywhere in your environment, including forgotten test servers. Update to the latest supported version, do not stop at "we upgraded past the CVE," and keep an eye on new advisories. A quick penetration testing engagement is a good way to find these forgotten instances before an attacker does.

Get these tools off the open internet

AI orchestration platforms rarely need to be publicly reachable. Put them behind a VPN or an identity aware proxy, and never leave a code execution endpoint sitting open to anyone who finds the IP address.

Stop storing secrets in plain sight

API keys and database passwords sitting in environment files or flow definitions are exactly what an agent will find first. Move them into a proper secrets manager with short lived, rotating credentials.

Apply least privilege everywhere

The AI service account should never have database root access, cloud administrator rights, or a wide open network path to every other system. Give it only what it strictly needs to do its job.

Change every default credential

Nacos, MinIO, and plenty of other tools ship with default logins and default signing keys. JadePuffer specifically abused a default Nacos signing key to forge admin tokens. Change these on day one, not after an incident.

Build immutable, tested backups

The whole reason paying JadePuffer's ransom would not have helped is that the destruction was final. A solid backup strategy, including an offline or immutable copy that a compromised account cannot reach or delete, is your real insurance policy here. Pair this with genuine cloud storage and disaster recovery planning, and actually test your restores, not just schedule them.

Have a real incident response plan ready

Speed is the whole story with agentic attacks. The gap between detection and containment needs to be measured in minutes, not hours. Make sure your incident response and recovery plan accounts for machine paced intrusions, and that your team knows exactly who rotates which credentials the moment something looks wrong. If you ever do get hit, proper digital forensic investigation will matter for understanding scope and for any regulatory or insurance conversation that follows.

Test your own defences before an agent does it for you

Given that attackers are already experimenting with AI driven offence, it makes sense for defenders to test with the same tools. Services like AI driven automated red teaming and traditional red teaming can show you, honestly, whether your environment would survive a JadePuffer style intrusion, and a virtual CISO can help turn these findings into an actual roadmap rather than a report that sits in a drawer.

What JadePuffer did not prove

It is worth being clear eyed here, because overstating the threat helps nobody and understating it is worse.

JadePuffer did not prove that humans are out of the loop entirely. It did not prove which AI model was behind the wheel. It did not independently confirm that stolen data actually reached the attacker's staging server, since that claim came only from the agent's own code comments. It did not use a secret, undiscovered vulnerability. Every flaw it exploited was already known and already had a patch available.

What it did prove, convincingly, is that an AI agent can chain together a series of ordinary, well known weaknesses into a complete, destructive operation, faster and with less human skill than ever before. That is the real headline, and it is serious enough without exaggeration.

Frequently asked questions

What is agentic ransomware

Agentic ransomware is an extortion or destruction operation where an AI agent independently plans and carries out most of the technical steps, including scanning, credential theft, lateral movement, and encryption, rather than following a fixed script or waiting on a human for each action.

What is JadePuffer

JadePuffer is the name Sysdig gave to a July 2026 attack in which an AI agent exploited a Langflow vulnerability to gain initial access, then moved to a separate database server, stole credentials, and encrypted and destroyed more than a thousand configuration records before leaving a ransom note.

Was JadePuffer fully autonomous

The tactical execution was largely autonomous, but a human still selected the victim, built the command server, prepared a staging server, and supplied at least some of the credentials used to reach the second target.

Which AI model did JadePuffer use

This has not been confirmed. Stolen API keys for several providers were found in the compromised environment, but possessing stolen keys does not prove which model actually powered the attack.

Which vulnerability did JadePuffer exploit

The initial access came through CVE 2025 3248, a critical, unauthenticated code execution flaw in Langflow versions earlier than 1.3.0. The agent later used CVE 2021 29441 along with a default signing key to compromise Nacos.

Could the encrypted data be recovered by paying the ransom

No. The encryption key was generated randomly, displayed once on screen, and never saved or sent anywhere, which means the data was effectively destroyed rather than genuinely held for ransom.

How can a business detect this kind of attack

Focus on behaviour rather than known file signatures. Watch for unusual process spawning from app servers, sudden credential file access, new scheduled tasks, regular beacon style outbound traffic, and rapid, large scale database changes, and correlate these events on short time windows.

Is my company at risk if we do not use Langflow

Yes, in the broader sense. The specific tool was Langflow this time, but the pattern, an exposed AI orchestration server holding secrets and reaching sensitive systems, applies to many similar platforms. Any internet facing AI application deserves the same scrutiny.

Final thoughts

JadePuffer is not science fiction and it is not the plot of a movie about machines taking over. It is a very grounded warning about what happens when known, patchable vulnerabilities meet exposed secrets and an AI agent that never gets tired, never gets bored, and never stops to second guess itself during a thirty one second retry loop.

The technology behind this attack was not new. The mistake was old and familiar, an unpatched server, a default password, a secret sitting somewhere it should not have been. What changed is the speed at which those old mistakes can now be found and chained together into something destructive. That is the real lesson here, and it is one every security team should sit with, patch, segment your network, remove default credentials, watch behaviour instead of signatures, and keep a backup that nobody, human or agent, can reach and delete.

Official references and sources

Read more security research and guides on the HoplonInfosec blog.

Was this useful?

React, leave a note, or share it forward.

Leave a note

Share this article

Share this :

03Latest posts

Free · Weekly · No noise

Get the threats that matter, before they reach you.

One short email a week with the breaches, zero-days, and fixes worth your attention — written in plain English, no fear-mongering.