A ransomware operation almost always has a human somewhere in the loop, writing the script if not typing the commands. JADEPUFFER did not. Security firm Sysdig's Threat Research Team published its analysis on July 1, describing an intrusion an AI agent drove by itself, from the break-in to the ransom note. What makes it alarming is not that the machine was brilliant. It is that the machine was careless: it encrypted a live database with a key it printed to the screen once and then threw away. There is nothing to sell back, and paying buys the victim nothing at all.
That one detail changes what a ransomware alert means when a model, not a person, is holding the keyboard. Here is what happened, and why the reflex response to it does not fit.
What Sysdig watched an AI agent do
The way in was old and familiar. CVE-2025-3248 lets an attacker run Python on a Langflow server, the open-source builder for language-model apps, with no login at all. Langflow shipped a fix in version 1.3.0, and CISA flagged the bug as actively exploited back in May 2025. The agent found a Langflow instance sitting on the public internet and walked straight in.
From there it worked like a tireless junior operator. It swept the host for secrets: keys for OpenAI, Anthropic, DeepSeek and Gemini; cloud credentials for Alibaba, Tencent, Huawei, AWS, Google and Azure; cryptocurrency wallet seed phrases; and database logins. It planted a scheduled task to call out to its command server every 30 minutes. Then it pivoted to a separate MySQL and Alibaba Nacos configuration server, abused a 2021 authentication bypass (CVE-2021-29441) alongside a default signing key that Nacos has shipped unchanged since 2020, and forged itself an administrator session.
It then scrambled all 1,342 of the Nacos server's configuration entries, dropped database tables, and left behind a note it called README_RANSOM. The clearest fingerprint of the operator was the code itself. Sysdig counted more than 600 separate payloads, each carrying plain-English comments about why the agent was making each move. Throwaway human attack scripts do not narrate their own reasoning like that.
The ransom was theater
Here is the part the novelty headlines skated past. The agent locked those 1,342 entries with a key built from two random values, showed it on screen once, and then let it vanish. Sysdig is blunt about the result: with no stored copy of the key, the victim cannot get those settings back even by paying. The extortion had no working decryption step at any point.
The rest of the shakedown was just as hollow. The agent's own comments claimed it had already copied the databases to a staging server, yet Sysdig saw no sign any data actually left the network. That line was a note the model wrote to itself, not proof of exfiltration. The wallet in the ransom note is the example pay-to-script-hash address that appears all over Bitcoin's own developer docs, which strongly suggests the model lifted it from training data rather than a wallet the attacker controls. Strip off the branding and this was not ransomware. It was a wiper with a payment page bolted onto the front.
That is the practitioner lesson hiding under the "first AI ransomware" banner. When a model runs the attack, competence is not a given, and an incompetent encryptor destroys data instead of holding it hostage. You cannot assume a key exists to buy, you cannot assume the "we have your files" threat is real, and you cannot treat backups as optional because the actor "only wants money." An agent-driven encryption event should be handled as possible permanent loss from the first minute. We made a related point when Prinz Eugen shipped with no ransom note at all: the drift is toward destruction dressed in ransomware's clothes.
Why an indicator list will not catch the next one
Classic detection leans on indicators: this file hash, that IP address, this filename. JADEPUFFER breaks that model without even trying to. Because a language model wrote the payloads live, they were fresh and self-correcting. When one attempt to plant a backdoor admin account tripped over a path problem, the agent worked out two causes at once and pushed a working 15-line fix in 31 seconds. The command server, the staging host, even the ransom wallet, may all be different or invented on the next run.
So the durable signal is not the artifact. It is the behavior. A process spawned by your Langflow service that starts reading credential files, a configuration server that suddenly re-encrypts every entry it holds, an internal host calling home on a fixed 30-minute timer: those patterns hold no matter what strings the model dreams up. Runtime behavioral detection is the layer that survives an attacker who rewrites its own tooling in the middle of the incident. Signature matching is not. It is the same gap we flagged when ransomware moved inside the browser tab, where on-host file scanners could not see it run.
The Langflow you forgot is still the front door
The quietly important fact is the CVE number. JADEPUFFER needed no fresh zero-day. It reused CVE-2025-3248, a flaw more than a year old with a patch and a KEV listing long in place. We have written up Langflow's exposure more than once, from a rigged document that turned its file reader into server access to an account that could run every other user's workflows. The specific bug keeps changing. What stays constant is that Langflow, and tools like it, sit exposed on the internet holding exactly the credentials an attacker wants, often with no network controls in front of them.
That is why exposed AI-orchestration infrastructure is turning into prime initial-access real estate. It is a code-execution surface that doubles as a credential vault, and the year-old bug is enough to open it. An AI agent that trusts its own host is a recurring theme in our coverage. JADEPUFFER is the version where the agent works for the attacker and the host it trusts is yours.
Pull the credentials off your AI servers
The fixes here are ordered by payoff, and only the first one is about the CVE.
- Take Langflow off the public internet and move to 1.3.0 or later. The RCE is old and patched, so an exposed, unpatched instance is an open door. If it does not need to face the internet, it should not.
- Remove provider and cloud API keys from the Langflow host. The whole first stage of this attack was a credential sweep. An AI-orchestration box should not double as a wallet for your OpenAI, Anthropic, AWS and Alibaba keys. Keep them in a secrets manager and scope them tightly.
- Change the Nacos token.secret.key default, and keep Nacos and database admin accounts off the internet. The 2020-era default signing key made the token forgery trivial. Rotate it, and put the config store and databases behind the network boundary.
- Watch runtime behavior and control egress. Alert on a Langflow process reading credential files, on mass re-encryption of a config store, and on fixed-interval outbound callbacks. Egress filtering that stops a compromised host from reaching an external staging server would have blocked the claimed exfiltration outright.
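As an added illustration of the three behaviors called out in the detection section and in the last item above (this is example code written for this article, not Sysdig's tooling or any product's detection logic), the Python below runs three small detectors over constructed event records: credential-file reads by processes descended from the Langflow service, a burst of distinct configuration-entry rewrites on one host, and outbound connections whose gaps are nearly constant. The event shapes, thresholds, hostnames and addresses are all assumptions chosen for the demonstration; in practice the records would come from a runtime sensor or audit log.

```python
"""Behavioral detectors for the JADEPUFFER patterns: credential sweeps from an
AI-orchestration service, mass config-store rewrites, and timer-driven callbacks.
Every event below is constructed for illustration; nothing is real telemetry."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Path fragments that mark secret material; extend for your environment (assumed list).
CREDENTIAL_PATHS = ("/.aws/credentials", "/.config/gcloud/", "/.azure/", "/.ssh/", "/.env")


@dataclass(frozen=True)
class FileRead:
    ts: int           # epoch seconds
    host: str
    proc: str         # process name performing the read
    ancestors: tuple  # process ancestry, e.g. ("langflow", "python3")
    path: str


@dataclass(frozen=True)
class ConfigWrite:
    ts: int
    host: str
    key: str          # identifier of the configuration entry rewritten


@dataclass(frozen=True)
class NetConn:
    ts: int
    host: str
    dst: str


def credential_reads_from_ai_service(events, service="langflow"):
    """Return reads of credential files by any process descended from `service`."""
    return [e for e in events
            if service in e.ancestors and any(m in e.path for m in CREDENTIAL_PATHS)]


def mass_config_rewrite(events, window=300, threshold=100):
    """Return {host: peak distinct keys} for hosts rewriting more than `threshold`
    distinct config entries inside any `window`-second sliding window."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        lo = 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts > window:   # slide the window start forward
                lo += 1
            distinct = len({e.key for e in evs[lo:hi + 1]})
            if distinct > threshold:
                alerts[host] = max(alerts.get(host, 0), distinct)
    return alerts


def fixed_interval_beacons(events, min_conns=4, max_jitter=0.05):
    """Return {(host, dst): interval_seconds} for pairs whose connection gaps vary
    by at most `max_jitter` of the mean gap, i.e. a scheduled callback."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.host, e.dst)].append(e.ts)
    alerts = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts[pair] = round(avg)
    return alerts


# Constructed sample telemetry (hostnames and addresses are placeholders).
SAMPLE_FILE_READS = [
    FileRead(100, "langflow-1", "python3", ("langflow", "python3"), "/home/app/.aws/credentials"),
    FileRead(101, "langflow-1", "python3", ("langflow", "python3"), "/app/flows.json"),
    FileRead(102, "langflow-1", "sh", ("langflow", "python3", "sh"), "/home/app/.env"),
    FileRead(103, "bastion-1", "sshd", ("sshd",), "/etc/hosts"),
]
SAMPLE_CONFIG_WRITES = (
    [ConfigWrite(1000 + i, "nacos-1", f"app/service-{i}.yaml") for i in range(150)]
    + [ConfigWrite(2000 + i, "nacos-2", f"app/service-{i}.yaml") for i in range(5)]
)
SAMPLE_CONNS = (
    [NetConn(1800 * i, "langflow-1", "203.0.113.10") for i in range(5)]   # 30-minute timer
    + [NetConn(t, "web-1", "198.51.100.5") for t in (0, 300, 1900, 2100)]  # irregular
    + [NetConn(t, "web-1", "198.51.100.6") for t in (0, 60)]               # too few to judge
)

if __name__ == "__main__":
    for hit in credential_reads_from_ai_service(SAMPLE_FILE_READS):
        print("credential read:", hit.host, hit.proc, hit.path)
    print("mass rewrite:", mass_config_rewrite(SAMPLE_CONFIG_WRITES))
    print("beacons:", fixed_interval_beacons(SAMPLE_CONNS))
```

The thresholds are deliberately coarse. A config store that legitimately rewrites a hundred entries in five minutes, or a health checker that polls on a fixed timer, will trip these detectors, so the tuning work is in building an allow-list of expected writers and callers rather than in the matching logic itself.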
The headline writes itself as a milestone: machines can now run ransomware end to end. The more useful reading is quieter. This agent was fast, adaptive and destructive, and also unreliable enough that its own extortion did not function. Plan for both halves. Assume the next automated intruder is quick and improvising, and assume it may wreck what it cannot ransom.