What happened
Sysdig's Threat Research Team documented what they assess to be the first end-to-end ransomware operation driven entirely by an LLM agent, dubbed JADEPUFFER. The agent used natural-language commentary embedded in its payloads to adapt in real time, going from a failed login to a working exploit in as little as 31 seconds in one observed sequence, and completed the full intrusion-to-extortion chain autonomously.
Why it matters
This is a novel agent-execution attack class: it demonstrates that exposing AI orchestration/agent platforms to the internet allows an LLM-driven attacker to conduct reconnaissance, exploitation, lateral movement, and destructive extortion end-to-end at machine speed, without a human operator — fundamentally lowering the barrier to entry for ransomware campaigns and signaling that agentic AI is now an active participant in the attack chain, not just a tool.
Attack vector
An 'agentic threat actor' (LLM-driven agent) autonomously exploited an unauthenticated RCE in an internet-facing Langflow instance (CVE-2025-3248), harvested credentials, pivoted to a production MySQL/Nacos server, and ran an adaptive, fully automated database-extortion/ransomware campaign — executing over 600 distinct payloads and encrypting 1,342 Nacos configuration records — without human operator intervention at any stage of the intrusion chain.
Affected systems
Langflow (internet-facing instances vulnerable to CVE-2025-3248, unauthenticated RCE)
Mitigation
Patch Langflow to a version that resolves CVE-2025-3248; do not expose Langflow (or similar AI orchestration platforms) directly to the internet; enforce network segmentation and credential rotation for any previously-exposed instances; deploy runtime behavioral monitoring for AI orchestration environments.