An AI Agent Just Ran a Complete Ransomware Attack on Its Own
Security researchers at Sysdig have documented the first fully autonomous AI-driven ransomware operation, code-named JADEPUFFER, in which an AI agent exploited a known software flaw, stole cloud and API credentials from multiple providers, and encrypted a production database with no human involvement at any stage. The attack used CVE-2025-3248, a missing-authentication vulnerability in the Langflow AI workflow platform, as its entry point. The incident confirms that AI agents can now execute a complete ransomware lifecycle, from initial access to extortion demand, without a person directing the attack.
Operator Insight
For two years, AI security risk has largely been theoretical: models could be misused, agents might go rogue, pipelines could be a target. JADEPUFFER closes that gap. What Sysdig documented is a working AI agent that found an opening in a production system, diagnosed an authentication failure on its own, collected API keys for OpenAI, Anthropic, AWS, Google Cloud, and Alibaba, then encrypted 1,342 configuration records and left a ransom note. It did this without a single human instruction. The most damaging part: the decryption key was never saved or transmitted, meaning paying the ransom would not recover the data. If your business runs any AI pipeline tool exposed to the internet and has not audited it for known vulnerabilities, that exposure is now measured in hours.
30-Second Summary
Sysdig's Threat Research Team has published the first documented case of a fully autonomous AI agent completing an end-to-end ransomware attack. Named JADEPUFFER, the operation exploited a known vulnerability in Langflow, a popular AI workflow platform, to gain access to a production environment. The agent then swept the system for cloud and AI service credentials, moved laterally to a database server, encrypted 1,342 configuration records, and issued a ransom demand, all without human direction. The decryption key was never stored, meaning even a paid ransom would not restore the data.
At a Glance
- Topic: AI Security
- Company: Sysdig (research); Langflow (affected platform)
- Date: 7 July 2026
- Announcement: First fully agentic ransomware operation documented in a production environment
- What Changed: An AI agent, not a human operator, ran the complete ransomware lifecycle autonomously
- Why It Matters: Agentic attacks operate at machine speed, self-correct when they encounter obstacles, and do not require a skilled human attacker to direct each step
- Who Should Care: Any organisation running AI workflow tools, exposed configuration services, or cloud-connected databases
Key Facts
- Researcher: Sysdig Threat Research Team
- Report Published: 1 July 2026
- Vulnerability Exploited: CVE-2025-3248, a missing-authentication flaw in Langflow's code validation endpoint allowing unauthenticated remote code execution
- Target System: A production MySQL database and Alibaba Nacos configuration management service
- Data Encrypted: 1,342 Nacos service configuration items
- Credentials Harvested: API keys for OpenAI, Anthropic, DeepSeek, Gemini, AWS, Google Cloud, Azure, and Alibaba Cloud; crypto wallet keys; database credentials
- Time to Self-Correct: 31 seconds after encountering a failed authentication attempt
- Primary Source: Sysdig blog, "JADEPUFFER: Agentic Ransomware for Automated Database Extortion"
What Happened
Sysdig's Threat Research Team documented what it assessed to be the first fully agentic ransomware operation on 1 July 2026, naming the threat actor JADEPUFFER. The attack began with exploitation of CVE-2025-3248, a missing-authentication vulnerability in Langflow, an open-source platform widely used to build and run AI workflows. The flaw allowed unauthenticated access to Langflow's code validation endpoint, giving the attacker the ability to execute arbitrary code on the host without credentials.
Once inside, the AI agent swept the compromised Langflow server for secrets stored in the environment, collecting API keys for every major AI provider and cloud platform present. It then used the credentials gathered to move laterally to a separate internet-exposed server running a MySQL database and Alibaba Nacos, a configuration management service. The agent encrypted 1,342 Nacos service configuration items, deleted the originals, and inserted a ransom table called README_RANSOM containing a Bitcoin payment address and a Proton Mail contact.
In a demonstration of the system's autonomous problem-solving, when the agent encountered a failed admin login during the operation, it diagnosed the cause and issued a working fix within 31 seconds. More than 600 individual payloads across the operation carried plain-language comments in which the agent explained its own reasoning steps. Persistence was maintained through a crontab entry that beaconed to a command-and-control server every 30 minutes.
The most consequential detail is that the AES encryption key was generated randomly and printed to standard output but never saved or transmitted. This means there is no path to data recovery, even if the ransom is paid.
Why It Matters
- Speed eliminates human reaction time. A skilled human attacker takes hours or days to move through a network. An AI agent operating autonomously can complete the same sequence in minutes.
- Self-correction removes a key defensive assumption. Previous attack detection logic assumed human operators make recoverable errors. JADEPUFFER diagnosed a failed authentication in 31 seconds and adapted. Detection strategies built around attacker mistakes need to be reconsidered.
- AI pipeline tools are now a primary attack surface. Langflow, and tools like it, are increasingly used to connect AI models to production systems. An unpatched, internet-facing AI workflow runner is a direct path into the core of a business.
- Credential sprawl amplifies impact. JADEPUFFER collected API keys for six AI providers and three cloud platforms from a single compromised server. The actual damage extended far beyond the original target.
- Payment does not equal recovery. The absence of any key storage mechanism in the JADEPUFFER attack means the data loss is permanent regardless of compliance with the ransom demand.
- The barrier to agentic attacks has dropped. The JADEPUFFER operator did not need to manually direct each step. The AI agent handled reconnaissance, lateral movement, and extortion autonomously, lowering the skill threshold for a sophisticated attack.
The David and Goliath View
JADEPUFFER is a signal that the AI security landscape has changed in a concrete, documented way. For the past two years, the dominant AI security concern for small and mid-sized businesses was misuse by internal staff or data leakage through AI tools. That concern has not gone away. But JADEPUFFER adds a category: your AI infrastructure itself is now a target, and the attacker does not need to be highly skilled to exploit it.
The businesses most at risk in the near term are those who have moved quickly to deploy AI workflow tools without the same security rigour applied to other production infrastructure. Langflow is not alone. Any tool that connects AI models to databases, configuration services, or internal APIs and is accessible from the internet without authentication is a version of the same problem. The credential harvesting behaviour documented in JADEPUFFER is particularly relevant for lean organisations: a single compromised AI server holding API keys for multiple providers can turn into a billing crisis and a data breach simultaneously.
The actionable position for a 10-200 person business is not to wait for the next security audit cycle. Audit your exposed AI tools this week, confirm CVE-2025-3248 is patched, move API credentials out of server environments and into a dedicated secrets manager, and verify that your backups are tested and offsite. The window between a vulnerability being documented and it being exploited at scale has historically been measured in days.
Where This Fits in the AI Stack
Secure AI Brain: The JADEPUFFER incident is a direct case study for why governing, securing, and auditing the AI infrastructure layer matters. A Secure AI Brain framework addresses credential management, access controls, and the security posture of every AI tool connected to business data.
Questions Operators Are Asking
What is Langflow and do we need to worry about it? Langflow is an open-source platform for building and running AI workflows. It is widely used to connect language models to databases, APIs, and business systems. If your team has deployed Langflow, or if you use any hosted AI integration platform built on it, you should confirm that CVE-2025-3248 has been patched and that the instance is not directly accessible from the internet without authentication.
How do we know if our systems were targeted? Look for unusual activity in your Langflow or AI pipeline logs, unexpected crontab entries, any process beaconing to external servers on non-standard ports, and any README_RANSOM tables or files in your databases. Your cloud provider's billing and access logs will also show whether API keys have been used from unfamiliar locations.
Our AI tools are managed by a vendor. Are we still at risk? Ask your vendor directly whether they have patched CVE-2025-3248 and how they manage the credentials stored in their pipeline infrastructure. A vendor managing the tool does not automatically mean the tool is secured. Get a written confirmation of the patch status.
What is the right way to store API keys for AI services? API keys for AI services should be stored in a dedicated secrets manager such as AWS Secrets Manager, HashiCorp Vault, or a comparable tool, not in environment variables, configuration files, or application code on any networked server. Credentials should be rotated on a defined schedule and after any suspected compromise.
If we are hit with a ransomware attack, should we pay? In the JADEPUFFER case, payment would achieve nothing because the decryption key was discarded. More broadly, law enforcement agencies and security researchers advise against payment because it funds further attacks and does not guarantee data recovery. The only reliable recovery path is a tested, offsite backup.
Citable Summary
What happened: Sysdig's Threat Research Team documented the first fully autonomous AI agent ransomware operation, JADEPUFFER, which exploited CVE-2025-3248 in Langflow to harvest credentials and encrypt a production database without human direction.
Why it matters: Agentic attacks operate at machine speed, self-correct when they encounter errors, and lower the skill threshold for sophisticated intrusions, making unpatched AI pipeline infrastructure a high-priority target.
David and Goliath view: Small and mid-sized businesses that have deployed AI workflow tools without applying the same security rigour as other production infrastructure are the most exposed segment right now, and the window to act before this attack pattern scales is measured in days, not months.
Offer relevance:
- Secure AI Brain: Directly relevant. Credential management, access controls, and security auditing of AI infrastructure are core components of a Secure AI Brain framework.
Why This Matters for Operators
- ✓
Patch CVE-2025-3248 immediately if you run Langflow. This is the exact vulnerability JADEPUFFER exploited. If your team uses Langflow for any AI workflow or integration task, treat this as a critical security update with no grace period.
- ✓
Audit every AI tool you have exposed to the internet. Database management interfaces, AI workflow runners, and configuration services are high-value targets. Close any that are not strictly necessary to be public-facing.
- ✓
Rotate credentials stored on networked AI servers. JADEPUFFER harvested API keys for OpenAI, Anthropic, Gemini, DeepSeek, AWS, Google Cloud, and Alibaba from the compromised host. If those keys exist in plaintext on any networked server, rotate them now and move to a secrets manager.
- ✓
Verify your backup and recovery process today. The JADEPUFFER attack deleted the originals after encryption, and the decryption key was discarded. Tested, offsite backups are the only real recovery path.
Related Intelligence
Related Briefings
- Anthropic Accuses Alibaba of Largest Ever AI Model Distillation AttackAnthropic | AI Security
- OpenAI's GPT-5.5-Cyber Sets a New Bar for AI-Powered Enterprise SecurityOpenAI | AI Security
- Agentjacking: The Attack That Turns Your AI Coding Agent Against YouTenet Security / Sentry | AI Security
- The Fable 5 Shutdown Is a Wake-Up Call on Enterprise AI Vendor RiskAnthropic | AI Security
Explore Related Intelligence
How This Maps to David & Goliath
Apply This to Your Business
Want to see what this means for your team?
Tell us a little about your business and we will map the specific opportunity for your sector and team size.