JADEPUFFER: The First Confirmed AI Agent Ransomware Attack — 600 Payloads, 1,342 Records Gone, Recovery Impossible, Attacker Cost Near Zero
An autonomous LLM exploited a 2025 Langflow CVE, harvested cloud and AI provider credentials, moved laterally to a production MySQL/Nacos server, encrypted 1,342 configuration records, deleted the originals, and left a Bitcoin ransom demand — all across 600+ payloads with no human at the keyboard. The encryption key was displayed once and never stored. Recovery is impossible even with payment. The agent ran on stolen API keys. Attacker cost: near zero.
Read Full Brief →Threats & Attacks
Autonomous LLM: initial access, credential harvest, lateral movement, persistence, encryption, ransom demand. No human at keyboard. Key displayed once, never stored. Ran on victim’s own stolen API keys. Old CVEs, unpatched servers.
Six-instruction race window. Four epoll objects. Root 99% of the time. Reaches Android from Chrome’s renderer sandbox. AI found the sibling bug and missed this one. Third LPE in two weeks.
Normal prompt. MCP response. Sandbox binary overwritten. No click. Full machine. 50%+ Fortune 500. Cato: similar flaws in all coding agents.
BlueHammer CISA KEV. UnDefend silently degrades protection. RoguePlanet: SYSTEM on fully patched Win10/11 — now patched out-of-band. Apply immediately.
Payload in DNS TXT record. Static analysis, human review, AI agent: all blind. “Claude Code never decided to open a shell. It decided to fix an error.”
Bypasses TOTP, push, SMS. Token survives password resets. Conditional Access doesn’t block by default. FBI advisory. Criminal commodity.
Intelligence & Deep Dive
The DataWater Intelligence Brief
Weekly CISO-level threat analysis — breaking vulnerabilities, technical depth, zero noise.
