Vulnerability  ·  2026-07-13

JADEPUFFER — First Documented Fully Autonomous Agentic Ransomware Attack

VulnerabilityHigh impactGlobalCVE-2025-3248
Sysdig's Threat Research Team documented what they assess to be the first end-to-end ransomware operation driven entirely by an LLM agent, dubbed JADEPUFFER. The agent used natural-language commentary embedded in its payloads to adapt in real time, going from a failed login to a working exploit in as little as 31 seconds in one observed sequence, and completed the full intrusion-to-extortion chain autonomously.
This is a novel agent-execution attack class: it demonstrates that exposing AI orchestration/agent platforms to the internet allows an LLM-driven attacker to conduct reconnaissance, exploitation, lateral movement, and destructive extortion end-to-end at machine speed, without a human operator — fundamentally lowering the barrier to entry for ransomware campaigns and signaling that agentic AI is now an active participant in the attack chain, not just a tool.
An 'agentic threat actor' (LLM-driven agent) autonomously exploited an unauthenticated RCE in an internet-facing Langflow instance (CVE-2025-3248), harvested credentials, pivoted to a production MySQL/Nacos server, and ran an adaptive, fully automated database-extortion/ransomware campaign — executing over 600 distinct payloads and encrypting 1,342 Nacos configuration records — without human operator intervention at any stage of the intrusion chain.
Langflow (internet-facing instances vulnerable to CVE-2025-3248, unauthenticated RCE)
Patch Langflow to a version that resolves CVE-2025-3248; do not expose Langflow (or similar AI orchestration platforms) directly to the internet; enforce network segmentation and credential rotation for any previously-exposed instances; deploy runtime behavioral monitoring for AI orchestration environments.
Sysdig via securityonline.infoCSO OnlineDark Reading
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →