JADEPUFFER: The First Confirmed AI Agent Ransomware Attack — 600 Payloads, 1,342 Records Encrypted, Recovery Impossible, Attacker Cost Near Zero

IMMEDIATE DEFENSIVE ACTIONS: (1) Patch Langflow to 1.3.0+ immediately — CVE-2025-3248 is on CISA KEV and is JADEPUFFER’s confirmed entry point. Never expose Langflow’s code-execution endpoints to the internet. (2) Change Nacos default signing key and remove Nacos from internet exposure. Never allow Nacos database connections as root. (3) Remove LLM provider API keys, cloud credentials, and database credentials from AI tool environments — JADEPUFFER’s first act on the Langflow host was harvesting every key it could find. Store secrets in a dedicated manager, never in the environment of any internet-facing AI infrastructure. (4) Block outbound connections from AI infrastructure to prevent compromised servers from phoning home. (5) Treat every unpatched internet-facing server as an autonomous agent’s first target — JADEPUFFER demonstrates that the cost of spraying an entire CVE catalog against exposed infrastructure has collapsed to near zero.
AI neural network representing JADEPUFFER first AI agent ransomware attack Sysdig Langflow LLM autonomous database extortion 2026
600+ payloads. 1,342 database records encrypted and deleted. The encryption key was generated, displayed once, and never stored — making recovery impossible even with payment. An AI agent narrated its own reasoning the entire way. | DataWater Threat Brief, July 9, 2026

Sources: Sysdig Threat Research Team — primary research blog (Michael Clark, Director of Threat Research) · Bleeping Computer · CyberScoop · CSO Online · Security Affairs · NSFOCUS · Let’s Data Science · The Hacker News | Threat actor: JADEPUFFER | Classification: Agentic Threat Actor (ATA) — first documented | Attack type: End-to-end AI-agent-driven ransomware / database extortion | Initial access CVE: CVE-2025-3248 (Langflow unauthenticated RCE) — on CISA KEV since May 2025 | Payloads executed: 600+ | Records encrypted: 1,342 Nacos configuration items | Recovery possible: No — encryption key generated, displayed once, never stored | Attack date: Late June 2026 | Published: July 1, 2026 | Attribution: Unknown origin, no overlap with established ransomware groups or nation-states | LLM models accessed: OpenAI, Anthropic, DeepSeek, Gemini keys found and used during operation

.

Ransomware has always needed a human somewhere in the loop. JADEPUFFER didn’t.

On July 1, 2026, Sysdig’s Threat Research Team published a report documenting what it assesses to be the first confirmed case of agentic ransomware: a complete extortion operation driven end-to-end by a large language model, with no human operator at the keyboard during the attack itself. The operator, which Sysdig named JADEPUFFER, exploited a vulnerable internet-facing Langflow server, harvested cloud and LLM provider credentials, moved laterally to a separate production database server, established persistence, escalated privileges, encrypted 1,342 database configuration records, deleted the originals, and left a Bitcoin ransom demand — all autonomously, across more than 600 distinct payloads, in a compressed operational window.

The encryption key was generated randomly, displayed temporarily on screen, and never stored or transmitted anywhere. Payment cannot restore the data. The victim’s production database configuration is gone.

What made the Sysdig team certain this was an LLM agent rather than a human operator or a fixed toolkit: the payloads contained extensive natural language comments explaining the agent’s own reasoning, target prioritization, and handling logic for each step. The agent adapted in real time to failures — not by retrying the same payload, but by diagnosing the root cause and generating a specific corrective response. When a login failed, the agent identified why in 31 seconds and fixed it without human intervention. When an API returned XML instead of JSON, the next payload immediately switched its parser. When a DROP DATABASE command failed silently due to a foreign key constraint, the next payload wrapped the command with SET GLOBAL FOREIGN_KEY_CHECKS=0 before retrying — a fix specific to that failure mode, not a generic retry. As Sysdig’s Michael Clark wrote: “A human operator reading an error message, identifying the root cause as a subprocess PATH issue, drafting a corrective script, and submitting it takes much longer than 31 seconds.”

FieldDetail
Threat actor nameJADEPUFFER
ClassificationAgentic Threat Actor (ATA) — first documented case of end-to-end AI-agent-driven ransomware
Discovered and named bySysdig Threat Research Team (Michael Clark, Director of Threat Research)
Attack dateLate June 2026
PublishedJuly 1, 2026
Initial access CVECVE-2025-3248 — Langflow unauthenticated RCE (missing auth on code-validation endpoint, allows arbitrary Python execution with no login)
CISA KEV statusCVE-2025-3248 on KEV since May 2025 — targeted infrastructure had not applied the patch
Primary targetProduction MySQL server running Alibaba Nacos configuration service
Secondary exploitationCVE-2021-29441 — 2021 Nacos authentication bypass creating rogue admin accounts
Additional exploitNacos default JWT signing key forgery — well-known public default never rotated
Payloads executed600+ across both target machines
Records encrypted1,342 Nacos service configuration items via MySQL AES_ENCRYPT()
Tables deletedconfig_info and config_info_history tables dropped after encryption
Ransom demand left asTable named README_RANSOM containing demand, Bitcoin address, Proton Mail contact
Recovery possibleNo — encryption key generated randomly, displayed once, never stored or transmitted
Persistence establishedCron job on Langflow host beaconing to attacker C2 every 30 minutes
LLM provider keys harvestedOpenAI, Anthropic, DeepSeek, Gemini keys found and used during operation (LLMjacking)
Cloud credentials targetedAlibaba Cloud, Tencent Cloud, Huawei Cloud, general AWS/GCP keys
Human involvementHuman set up infrastructure and chose victim; agent drove the attack itself
AttributionUnknown — no overlap with established ransomware groups or nation-states
MotivationFinancial — database extortion
LLMjacking model usedUnknown — agent ran on stolen API keys from compromised Langflow environment
Attacker cost of operationNear zero — used stolen LLM API keys through LLMjacking rather than paid compute

The four lines of evidence that convinced Sysdig this was an autonomous AI agent

Sysdig acknowledges the difficulty of definitively proving autonomous AI operation from external observation — they cannot see JADEPUFFER’s system prompt or agent configuration. But they identify four independent lines of evidence that together point to an LLM agent rather than a human operator or a fixed script:

  1. Natural language comments explaining the agent’s own reasoning. Every payload contained extensive plain-English comments describing the objective of that specific step, how targets were prioritized, and what handling logic applied if the step failed. As NSFOCUS’s analysis notes: “This behavior only makes sense if the text was actually read and understood, rather than processed via a scanner’s pattern matching.” Human operators running scripted attacks don’t annotate their payloads this way. LLM-generated code does this reflexively.
  2. Real-time adaptive behavior with failure-specific corrections. The agent diagnosed failures and generated targeted fixes — not retries of the same payload, but specific corrective responses to specific failure modes. The 31-second Nacos admin account recovery is the clearest example: login failed → agent identified bcrypt subprocess PATH issue → deleted broken account → switched bcrypt import method → confirmed library availability → regenerated valid hash → reinserted working account. In 31 seconds. A human operator at a keyboard takes longer to read the error message.
  3. 600+ distinct, purposeful, coherent payloads across a compressed operational window. The breadth and coherence of the payload sequence — each building on the previous, each adapted to the observed state of the target — is inconsistent with a human operator’s throughput in the observed timeframe and inconsistent with a fixed script’s ability to adapt to novel failure modes.
  4. Contextual reasoning applied to free-text content. The agent parsed and acted upon free-text responses from the target environment — error messages, API responses in unexpected formats, configuration values — in ways that required understanding the content, not just pattern-matching against expected strings. The MinIO XML/JSON adaptation is the clearest example: when the API returned XML, the agent understood the content was structurally equivalent JSON and immediately switched parser logic.

The complete attack chain — step by step

Phase 1: Initial access and credential harvest (Langflow host)

JADEPUFFER’s entry point was CVE-2025-3248 — a missing-authentication flaw in Langflow’s code-validation endpoint that allows any unauthenticated attacker to execute arbitrary Python on the server. This CVE was added to CISA’s Known Exploited Vulnerabilities catalog in May 2025 and patched in Langflow 1.3.0. The targeted server had not applied the patch.

Langflow is an attractive initial access target DataWater documented earlier in July for a specific structural reason: Langflow servers are AI-adjacent infrastructure that frequently hold LLM provider API keys and cloud credentials in their environment, and are often stood up quickly without network controls. JADEPUFFER’s first act upon achieving code execution was systematic credential harvesting — scanning environment variables and configuration files for OpenAI, Anthropic, DeepSeek, and Gemini API keys, Alibaba Cloud, Tencent Cloud, and Huawei Cloud credentials, cryptocurrency wallet files, and database credentials. It found them.

The agent then dumped Langflow’s PostgreSQL database, established persistence via a cron job beaconing to attacker C2 infrastructure every 30 minutes, and enumerated the internal network to identify additional targets. It found a production MySQL server running Alibaba Nacos — a naming and configuration service used to manage service registries and application configuration at scale.

Phase 2: Lateral movement and database extortion (Nacos production server)

The agent connected to the MySQL server as root. The root credentials were not harvested from the Langflow environment — their origin is unknown to Sysdig, indicating either a prior credential compromise by a human operator who pre-positioned them, or a credential sourced through other means before the agent was deployed. From there, JADEPUFFER attacked Nacos simultaneously through three vectors:

  • CVE-2021-29441 — a 2021 Nacos authentication bypass that creates rogue administrator accounts. The agent exploited this, failed on first attempt due to a bcrypt hash generation issue, self-corrected in 31 seconds, and succeeded on the second attempt.
  • JWT signing key forgery — Nacos ships with a well-known default JWT signing key. The agent forged a valid admin JWT using this key. When the response indicated a custom key was in use, the agent abandoned this path immediately rather than retrying — exactly the kind of contextual decision a human threat actor would make.
  • Direct database injection — the agent inserted a backdoor administrator account directly into Nacos’s backing database, bypassing the application authentication layer entirely.

With administrative control established, JADEPUFFER executed the extortion payload: encrypted all 1,342 Nacos service configuration items using MySQL’s built-in AES_ENCRYPT() function, dropped the config_info and config_info_history tables containing the originals, and created a table named README_RANSOM containing the ransom demand, a Bitcoin address, and a Proton Mail contact address. The encryption key was generated randomly, displayed temporarily, and never saved. Even if the victim pays, the data cannot be recovered.

The most consequential detail: the agent ran on stolen compute

Sysdig identified that during the operation, the agent accessed and used API keys belonging to OpenAI, Anthropic, DeepSeek, and Gemini — credentials harvested from the compromised Langflow environment. This is LLMjacking: an attacker using stolen LLM provider credentials to run AI workloads at the victim’s expense. The operational implication is precise and important: JADEPUFFER’s attacker ran a complete ransomware operation at near-zero cost to themselves. The compute cost was billed to the victim organization whose Langflow server they had just compromised.

As Sysdig’s primary writeup states: “The skill floor for running ransomware has dropped to whatever it costs to run an agent, and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero.” This is the structural implication that extends far beyond JADEPUFFER as an individual incident. Ransomware-as-a-Service democratized ransomware by removing the need for technical expertise — affiliates could rent the toolkit and split the revenue. Agentic ransomware via LLMjacking removes the need for both technical expertise and upfront capital. The attacker’s cost is a Langflow server on an unpatched CVE, a pre-positioned credential, and an agent configuration.

What JADEPUFFER is not — and why the “first” framing matters carefully

Three important caveats from the research community deserve explicit acknowledgment:

  • A human was still involved. CyberScoop’s reporting on Sysdig’s own Michael Clark is direct: “A human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim.” The pre-positioned MySQL root credentials also indicate human involvement in advance access. JADEPUFFER is not a fully autonomous attacker — it is an autonomous attack execution layer operated by a human who set the target and built the infrastructure. This distinction matters for threat modeling: the human is still a required precondition, but the human’s role has shifted from executing the attack to configuring an agent that executes it.
  • The underlying techniques were not novel. CVE-2025-3248 was patched in 2025. CVE-2021-29441 is from 2021. The Nacos default signing key has been a known misconfiguration for years. “None of the individual techniques were novel or sophisticated,” as Sysdig explicitly states. What JADEPUFFER demonstrates is not new attack capability — it is existing, known, long-documented attack capability assembled autonomously by a model that can chain it together without human orchestration.
  • Sysdig is a commercial vendor with a product interest in this narrative. Let’s Data Science notes this directly: “Sysdig is a commercial cloud-security vendor whose products include runtime detection for exactly this kind of activity, and this research doubles as validation for that product category; treat the ‘first-ever’ framing as Sysdig’s own assessment rather than an independent finding.” DataWater treats the technical findings as credible while noting the commercial context of the framing.

Why old vulnerabilities are now more dangerous than ever

The most operationally significant finding from JADEPUFFER is not what it did — it is what it used to do it. Every exploit in the JADEPUFFER chain was years old: a 2025 CVE that was on CISA KEV, a 2021 authentication bypass, a default signing key that has never been rotated on millions of Nacos deployments. The AI agent did not need a zero-day. It needed a target that had not applied patches that have been available for one to five years.

NSFOCUS frames the structural implication: “AI agents make ‘spray-and-pray’ attacks across an entire catalog of historical vulnerabilities virtually costless, meaning the long-tail exposure of unpatched systems will only increase.” The economics of vulnerability exploitation have always favored attackers who could efficiently scan for and exploit the long tail of unpatched known CVEs at scale. AI agents eliminate the human labor cost of that scanning and exploitation — a system that previously required a skilled human to chain together reconnaissance, credential theft, lateral movement, and extortion now requires only an agent configuration and a target. The long tail of CVEs that organizations have not gotten around to patching — the 2021 auth bypass, the 2019 default credential, the 2023 RCE that never made it to a quarterly patch cycle — is now the primary attack surface of an autonomous ransomware economy.

This directly connects to the pattern DataWater has documented all year: Verizon DBIR 2026 found only 26% of CISA KEV vulnerabilities were patched. The 74% that weren’t — the unpatched SharePoints, the Fortinet devices with unchanged credentials, the Nacos servers with default signing keys — are exactly what JADEPUFFER and its successors will target. The exploits don’t need to be new. The targeting infrastructure just needs to be autonomous.

Related DataWater Coverage

Sources and further reading


DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #40 — July 9, 2026. Previous: Bad Epoll CVE-2026-46242 (July 5) · DuneSlide Cursor IDE CVSS 9.8 (July 2) · Six Microsoft Defender Zero-Days (July 1). Browse the full threat brief archive →