Hoplon InfoSec Logo

AI Agent Ransomware Attack: Inside The JADEPUFFER Breach

AI Agent Ransomware Attack: Inside The JADEPUFFER Breach

Hoplon InfoSec

02 Jul, 2026

AI Agent Ransomware Attack: The JADEPUFFER Story

I remember reading the first line of the Sysdig report and having to read it twice. a security team was telling the world that a piece of ransomware had broken in, stolen credentials, moved across a network, encrypted a production database, and dropped a ransom note, all without a human typing a single command mid attack. that is the story behind JADEPUFFER, and it is worth slowing down and walking through properly, because this is not just another breach headline. it is a preview of where enterprise security is heading.

Content Summary Table

DetailInformation
Campaign NameJADEPUFFER
Discovered BySysdig Threat Research Team (TRT)
Entry VulnerabilityCVE-2025-3248 (Langflow)
Entry CVSS Score9.8 Critical
Escalation VulnerabilityCVE-2021-29441 (Nacos)
Escalation CVSS Score9.8 Critical
Systems HitLangflow, MinIO, Nacos, MySQL
Records Encrypted1,342 Nacos configuration entries
Ransom DemandBitcoin, contact via Proton Mail
Data RecoverableNo, encryption key was never saved anywhere
Payloads ObservedOver 600 distinct AI generated commands

What Actually is JADEPUFFER

JADEPUFFER is the name Sysdig's threat research team gave to an operation where a large language model, not a human operator, appears to have carried out an entire ransomware attack from the first exploit to the final ransom note. Ransomware has always needed a person somewhere in the chain, either sitting at a keyboard or writing the script the malware runs on autopilot. What made JADEPUFFER different is that an AI agent seems to have made its own decisions at every stage, adapted when something failed, and fixed its own mistakes without waiting on a human to guide it.

That single shift changes the economics of cybercrime. you no longer need a skilled hacker to run a serious attack. you need access to an AI agent and the willingness to point it at a target.

The Attack Chain, Step By Step

This is the part most news coverage skips over, and it is the part that actually matters if you run infrastructure. Here is exactly how the agent moved through the network.

Stage 1: Getting In Through Langflow, CVE-2025-3248

The entry point was Langflow, an open source visual builder that developers use to construct AI agent and RAG pipelines. Langflow versions before 1.3.0 had a flaw in the /api/v1/validate/code endpoint. This endpoint was meant to validate Python code, but it actually ran that code through Python's exec() function with no authentication check and no sandboxing at all. an attacker only had to send one crafted HTTP request containing malicious code hidden inside a Python decorator or a default function argument, and the server would run it immediately during parsing, before it ever returned a response.

CVE-2025-3248 carries a CVSS score of 9.8, which is about as severe as scoring gets. Network attack vector, low complexity, no privileges required, no user interaction needed. It was added to CISA's Known Exploited Vulnerabilities catalog in May 2025 after Trend Micro found it being used to deliver the Flodrix botnet, and the fix landed in Langflow 1.3.0.

CVE-2025-3248 DetailValue
Affected ProductLangflow, versions before 1.3.0
Vulnerable Endpoint/api/v1/validate/code
CVSS v3 Score9.8 Critical
Root CauseMissing authentication, unsandboxed exec()
Patched Version1.3.0, released March 2025
KEV ListingAdded May 2025
Exposed Instances Found466 (Censys data)

Langflow servers are a genuinely tempting target because they sit exposed to the internet more often than they should, and they routinely hold API keys for OpenAI, Anthropic, DeepSeek, and Gemini, plus cloud provider credentials for whatever backend they connect to. one exposed box can hand an attacker the keys to a much bigger kingdom.

It is also worth knowing this was not a one time flaw. Langflow has had repeat critical bugs since, including CVE-2026-33017 (CVSS 9.3, exploited within 20 hours of disclosure with no public proof of concept available) and CVE-2026-55255, a cross tenant IDOR. That pattern tells you Langflow, and frameworks like it, are becoming a recurring target class, not a single unlucky incident.

Stage 2: Harvesting Credentials And Setting Up Persistence

Once inside, the agent moved fast and methodically. it mapped the machine, then swept it for every kind of secret it could find, AI service API keys, cloud credentials across AWS, Google Cloud, Azure, Alibaba, and Tencent, crypto wallet keys, and database logins. it then quietly added a scheduled task that pinged the attacker's infrastructure every 30 minutes, giving it a way back in even if the original entry point was closed.

Indicator TypeValue
Command and Control IP45.131.66.106
Beacon URLhxxp://45.131.66.106:4444/beacon
Beacon IntervalEvery 30 minutes
Staging Server64.20.53.230
Ransom Bitcoin Address3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
Contact Emaile78393397@proton.me
Ransom Table NameREADME_RANSOM

Stage 3: Lateral Movement Through A Default MinIO Login

From there, the agent found a MinIO object storage server and simply logged in with the factory default credentials, minioadmin as both username and password. nobody had ever changed them. this is one of the oldest, most preventable mistakes in cloud security, and it is still the reason attackers get in years after a service was first deployed. if you run attack surface management properly, exposed services with default credentials are exactly the kind of thing that should be flagged before an attacker ever finds them.

Stage 4: Escalating Into Nacos, CVE-2021-29441

The real target turned out to be a separate, internet facing server running MySQL alongside Nacos, Alibaba's configuration and service discovery tool for microservices. the agent logged into the MySQL database directly as root. Sysdig never determined where those root credentials came from, and that gap is worth stating plainly rather than guessing at, since honest reporting matters more than a tidy story.

From MySQL, the agent pivoted into Nacos using CVE-2021-29441, an authentication bypass that has existed since 2021. the bug lives in Nacos's AuthFilter servlet, which is supposed to block unauthenticated requests but contains a backdoor that trusts any request carrying a User-Agent header set to "Nacos-Server". send that header, and the filter waves you straight through, no credentials needed.

CVE-2021-29441 DetailValue
Affected ProductNacos, versions before 1.4.1
Vulnerability ClassCWE-290, Authentication Bypass by Spoofing
CVSS v3 Score9.8 Critical
Root CauseAuthFilter trusts a spoofable User-Agent header
Patched Version1.4.1, released 2021
Why Still Exploitable in 2026Default signing key and header trust never rotated by many deployments

What makes this worse is that Nacos, once compromised, had been allowed to connect to its own database using a root MySQL account. that single misconfiguration, an application service account with full administrative rights, is what turned a config server bug into full database control.

Stage 5: Encryption, Data Destruction, And A Ransom Note With No Key

The agent encrypted all 1,342 Nacos configuration entries, dropped the original tables, and left a ransom note demanding payment in Bitcoin with a Proton Mail contact address. the note claimed AES-256 encryption, but Sysdig found the actual tool defaulted to the weaker AES-128. it did not matter much in practice, because the agent generated a random encryption key, printed it to the console exactly once, and never saved or transmitted it anywhere. there was no key sitting on a server for investigators to recover and no channel it was sent through. paying the ransom would not have brought that data back, because there was nothing on the attacker's side to hand over.

The agent then went further than the ransom demanded, deleting entire databases outright and leaving a code comment claiming the data had already been copied elsewhere. Sysdig was clear that this claim could not be verified and found no evidence any data actually left the network.

AI agent ransomware attack timelineAI agent ransomware attack timeline


How Researchers Knew A Human Was Not Driving This

This is the detail that turned heads inside the industry. Sysdig did not guess that an AI ran this attack, they built the case from the evidence.

Plain English commentary inside the code. the payloads were full of explanatory notes describing why each step was being taken, the kind of running commentary a human attacker never bothers writing because it only helps whoever finds the logs later. models produce that kind of narration by default.

Machine speed self correction. in one documented case, the agent went from a failed login attempt to a correct, multi-step fix in 31 seconds, and it diagnosed the actual cause instead of blindly retrying the same thing. that kind of adaptive troubleshooting at that speed is not typical human or scripted behavior.

Sheer volume. Sysdig counted more than 600 separate, purposeful payloads across the operation, each one built for a specific step rather than copy pasted from a toolkit.

AttributeHuman OperatedScripted WormAgentic AI (JADEPUFFER)
Adapts to failuresSlowly, manuallyNot at allIn seconds, automatically
Forensic footprintMinimized deliberatelyRepetitive, fixed patternVerbose, self documenting
Cost to runRequires skilled operatorLow, but inflexibleLow, and adaptive
Speed of chain executionHours to daysFast but rigidFast and reasoning driven

The Bitcoin Address Nobody Can Fully Explain

There is one loose thread Sysdig flagged and could not close. the Bitcoin address in the ransom note is the exact sample address that appears throughout Bitcoin's own developer documentation, the kind of text these models are trained on constantly. it is also a real, active wallet with a genuine payment history. Sysdig cannot say for certain whether the model simply pulled a familiar looking address from memory, essentially hallucinating a wallet, or whether the operator deliberately reused a real one that happens to match the famous example.

Either explanation matters for defenders, because it shows AI generated attack tooling can inherit strange artifacts straight from its training data, and those artifacts can become detection opportunities if you know to look for them.

Where JADEPUFFER Fits In A Bigger Pattern

JADEPUFFER did not appear out of nowhere. it is the latest step in a fast moving year of AI involved attacks.

CampaignAI InvolvementVerified Or PrototypeOutcome
PromptLock, August 2025Billed as AI powered ransomwareLater confirmed as NYU's academic Ransomware 3.0 prototype, not a live attackNo real world victims
Claude Code extortion campaignHuman steered, AI assistedVerified real extortion operationHit at least 17 organizations, demands over 500,000 dollars
November 2025 state linked espionageLargely autonomous, AI wrote exploits and stole dataVerified by AnthropicAI also hallucinated credentials that did not exist
JADEPUFFERClaimed fully autonomous, start to finishVerified by Sysdig TRTDatabase encrypted, no recoverable key

That third row is worth sitting with. the same hallucination pattern behind JADEPUFFER's odd Bitcoin address also showed up months earlier in a Chinese state linked operation where the AI invented credentials that simply did not exist. that is not a coincidence, it is a signature of how these models behave under pressure to keep an attack moving.

TacticTechniqueJADEPUFFER Behavior
Initial AccessT1190, Exploit Public Facing ApplicationLangflow RCE via CVE-2025-3248
DiscoveryT1589, Gather Victim Identity InformationSystematic secret and credential sweep
Valid AccountsT1078MinIO default login, root MySQL access
PersistenceT1053, Scheduled Task30 minute beacon task
Command and ControlT1071 / T1105Beacon to attacker infrastructure, staged payload delivery
ImpactT1486, Data Encrypted for Impact1,342 Nacos entries encrypted
ImpactT1490, Inhibit System RecoveryDatabase tables dropped beyond ransom scope

Why This Changes The Threat Model For Every Enterprise

The skill floor for running a serious ransomware attack has effectively dropped to whatever it costs to rent an AI agent. old, already patched vulnerabilities remain profitable because agents can scan the entire internet for unpatched instances almost for free, so a neglected server gets more exposed over time, not less.

Patch cycles measured in weeks cannot keep pace with exploitation windows now measured in hours. that is exactly why extended detection and response and behavior based cyber threat intelligence matter more than ever, watching for suspicious behavior at runtime catches what patching alone cannot.

Defender Checklist

  1. Patch Langflow to the latest version and never expose its code execution endpoints to the public internet.
  2. Rotate every API key and cloud credential on any internet facing AI pipeline host immediately.
  3. Store secrets in a dedicated secrets manager, never inside the same environment where agents execute code.
  4. Change every default credential on object storage and configuration tools the moment they are deployed, MinIO and Nacos included.
  5. Never let an application service account, like Nacos, connect to a database with root or admin privileges.
  6. Lock down outbound traffic from AI pipeline hosts so a compromised server cannot phone home.
  7. Run continuous vulnerability management instead of relying on periodic patch cycles alone.
  8. Treat any previously exposed Langflow, Nacos, or database admin instance as compromised, not just vulnerable, and bring in incident response and recovery support to verify.
  9. Subscribe to KEV catalog updates and vendor advisories, and assume hours, not weeks, before exploitation begins.
  10. Run regular red teaming exercises against AI pipeline infrastructure specifically, since traditional pentests often skip these tools entirely.


Frequently Asked Questions

Can AI really run a ransomware attack without a human involved?
Based on Sysdig's findings, yes, at least in this documented case. the JADEPUFFER operation showed an AI agent handling initial access, credential theft, lateral movement, privilege escalation, and encryption with no observed manual intervention.

What is JADEPUFFER and who discovered it?
JADEPUFFER is the name given by Sysdig's Threat Research Team to a ransomware operation believed to be the first fully AI executed attack against a production database.

What vulnerability did JADEPUFFER exploit to get in?
The entry point was CVE-2025-3248, a critical missing authentication bug in Langflow's code validation endpoint, carrying a CVSS score of 9.8.

Is the JADEPUFFER attack connected to Anthropic or Claude?
No. Sysdig's report does not attribute the JADEPUFFER agent to any specific AI provider or model. it is a separate incident from Anthropic's own disclosures about a Claude Code linked extortion campaign and a state linked espionage operation.

Can encrypted data be recovered after a JADEPUFFER attack?
No. the encryption key was generated randomly, displayed once on screen, and never saved or transmitted anywhere, so there is no key available even if a ransom is paid.

How is this different from PromptLock or Ransomware 3.0?
PromptLock was initially reported as AI powered ransomware but was later confirmed to be an academic prototype built by NYU researchers, never used against a real victim. JADEPUFFER is a documented, real world attack against live infrastructure.

What should companies using Langflow or Nacos do right now?
Patch both platforms immediately, rotate every credential either system had access to, remove default logins, and restrict database service accounts from ever holding root privileges.


Official References

Sysdig Threat Research Team, JADEPUFFER agentic ransomware research
CISA Known Exploited Vulnerabilities catalog, CVE-2025-3248 entry

If your team runs Langflow, Nacos, or any exposed AI pipeline infrastructure, this is worth an honest internal audit rather than waiting for the next headline. happy to help you think through where your cloud storage and disaster recovery setup stands if a similar encryption event ever hit your environment.

Was this article helpful?

React to this post and see the live totals.

Share this :

Latest News