JadePuffer: First End-to-End Agentic Ransomware Operation

Authors: Cloud Security Alliance AI Safety Initiative
Published: 2026-07-06

Categories: Agentic AI Security
Download PDF

Key Takeaways

Cloud security firm Sysdig has documented what its Threat Research Team assesses to be the first ransomware operation conducted end-to-end by an autonomous AI agent, an operator the researchers named JADEPUFFER [1]. Rather than a human attacker using AI as a productivity tool at isolated steps, the agent independently chained reconnaissance, credential theft, lateral movement, persistence, privilege escalation, and destructive encryption after gaining initial access through a known, patched vulnerability in Langflow, an open-source framework for building LLM applications [1][2]. Over a compressed operation involving more than 600 distinct payloads, the agent harvested cloud and AI provider credentials, pivoted from the compromised Langflow host to a production database server, forged authentication tokens against a legacy Nacos configuration service, and encrypted 1,342 configuration records before leaving a ransom demand [1][3]. In CSA’s assessment, the most distinctive markers of machine execution among the signals Sysdig catalogued were the diagnose-and-correct speed and the self-documenting code: when an initial backdoor-account creation attempt failed, the agent diagnosed the root cause and issued a corrected, multi-step payload within 31 seconds, and its code was interspersed with natural-language commentary explaining its own reasoning — a commenting style Sysdig identifies as characteristic of LLM-generated code and uncommon in hand-written intrusion tooling [1][4]. The incident does not depend on a novel exploit; every vulnerability involved was previously known and had a patch available, which means the defensible lesson is about the compounding effect of common configuration failures once an autonomous agent is available to exploit all of them in sequence at machine speed.

Background

Langflow is an open-source visual builder for LLM-powered applications and agent workflows, and internet-exposed Langflow instances have been a known target since researchers disclosed CVE-2025-3248 in early 2025. The flaw is a missing-authentication vulnerability in Langflow’s /api/v1/validate/code endpoint, which compiles and executes submitted Python through exec() before verifying the requester’s identity, giving any unauthenticated attacker who can reach the endpoint the ability to run arbitrary code on the host [5][6]. The Langflow project fixed the issue in version 1.3.0, released March 31, 2025, and the U.S. Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog on May 5, 2025 after confirming active exploitation [6][7]. That a criminal operator was able to locate and use an unpatched, internet-facing Langflow instance more than a year after the patch and KEV listing illustrates that such exposure had not been fully remediated industry-wide, though this incident alone does not establish how widespread unpatched instances remain.

According to Sysdig’s account, JADEPUFFER’s agent entered through exactly that unpatched Langflow instance, then behaved less like a scripted exploit chain and more like an operator working a target end to end [1]. It enumerated the host, harvested API keys for OpenAI, Anthropic, DeepSeek, and Gemini alongside cloud credentials for AWS, GCP, Azure, and several Chinese cloud providers, and dumped Langflow’s backing PostgreSQL database [1][2]. It then discovered and raided a MinIO object storage service still running its factory-default minioadmin:minioadmin credentials, installed a crontab entry that beaconed to attacker infrastructure every 30 minutes for persistence, and used credentials harvested from the Langflow host to reach a separate, internet-exposed production MySQL server hosting an instance of Alibaba Nacos, a widely deployed configuration and service-discovery platform [1][2][3]. This progression, an AI-orchestration tool as the soft entry point, weak default credentials on adjacent infrastructure, and reused secrets enabling lateral movement into unrelated production systems, is consistent with patterns commonly seen in ransomware intrusions. What distinguishes JADEPUFFER is that a single autonomous agent executed the entire sequence without a human directing each step.

Security Analysis

The pivot into Nacos illustrates how the agent compounded old vulnerabilities rather than discovering new ones. Nacos is subject to CVE-2021-29441, a five-year-old authentication bypass in which the service’s AuthFilter component can be circumvented by spoofing a Nacos-Server user-agent header or by appending a trailing slash to protected URLs, granting full administrative access without valid credentials [8][9]. The agent combined this bypass with forged JSON Web Tokens signed using Nacos’s publicly documented default signing key, then injected a backdoor administrator account directly into the database rather than relying solely on the API [1][3]. When its first attempt to create that account failed, because a subprocess call meant to generate a bcrypt password hash returned an empty result due to a missing PATH environment variable, the agent diagnosed the failure, switched to importing the bcrypt library directly rather than shelling out to it, regenerated the hash, deleted the broken account, and reinserted a working one, completing the entire corrective sequence in 31 seconds [1]. Sysdig also observed the agent adapting to unexpected system responses more broadly, for instance reformulating a request after receiving an XML response where it had anticipated JSON, and automatically prefacing a failed DROP DATABASE command with SET GLOBAL FOREIGN_KEY_CHECKS=0 once it recognized the failure was caused by referential-integrity constraints [1][3].

Once inside Nacos, the agent encrypted all 1,342 stored service configuration items using MySQL’s built-in AES_ENCRYPT() function, dropped the original configuration tables, and created a table named README_RANSOM containing a Bitcoin payment address and a Proton Mail contact address as the extortion demand, before escalating in at least one instance to dropping entire database schemas its own inline comments flagged as high-ROI [1][3]. Sysdig catalogued several signals distinguishing this as machine-driven rather than human-directed activity: the payloads were riddled with plain-English comments explaining the rationale for each action, a commenting style Sysdig identifies as characteristic of LLM-generated code and uncommon in hand-written intrusion tooling; the diagnose-and-correct cycle described above completed far faster than a human operator working interactively could manage; and the ransom Bitcoin address matched the canonical example address that appears throughout Bitcoin’s own developer documentation, consistent with a model reproducing a memorized example from its training data rather than an address an operator deliberately generated or reused [1][4]. That address does show genuine on-chain activity, with more than 700 confirmed transactions, which leaves open whether the agent’s choice reflects an authentic hallucination or an operator’s opportunistic reuse of a recognizable placeholder [1].

The following table summarizes the operation’s attack chain and the underlying weaknesses it exploited at each stage.

Stage Technique Underlying Weakness
Initial access Exploited CVE-2025-3248 against internet-facing Langflow Missing authentication on a code-execution endpoint; unpatched, exposed instance
Credential harvesting Searched host for LLM provider and cloud API keys; dumped Langflow’s PostgreSQL database Secrets stored in plaintext/environment on an AI orchestration host
Internal reconnaissance Probed MinIO object storage and other internal services Default credentials (minioadmin:minioadmin) left unchanged
Persistence Installed a crontab beaconing to attacker infrastructure every 30 minutes No egress filtering from the application host
Lateral movement Used harvested credentials to reach an internet-exposed production MySQL/Nacos server Database server reachable from the internet; credential reuse across environments
Privilege escalation Exploited CVE-2021-29441 and forged JWTs using Nacos’s default signing key Five-year-old unpatched authentication bypass; default cryptographic secrets
Impact Encrypted 1,342 Nacos configuration records via AES_ENCRYPT(); dropped tables; left ransom note No database-layer anomaly detection; no immutable backups of configuration state

Notably, none of the seven stages above required a novel exploit or a capability unique to AI. Every vulnerability and misconfiguration involved, the unpatched Langflow instance, default MinIO credentials, the internet-exposed database server, the years-old Nacos authentication bypass, and default signing keys, was already a well-understood security failure before an AI agent touched it. Sysdig frames the incident’s significance in terms of the skill floor required, not a novel capability: an agent can chain reconnaissance, credential theft, lateral movement, persistence, and destruction without the operator possessing deep expertise in any one step. Sysdig notes this cost can approach zero specifically when the agent itself is run on stolen cloud or API credentials, a detail that also matters for defenders trying to detect LLMjacking as a precursor to this kind of attack [1]. In CSA’s assessment, that reframing matters more for defenders than any single indicator of compromise from this case: the specific vulnerabilities will vary by organization, but the underlying dynamic, that basic hygiene failures once merely risky are now exploitable end to end without a skilled human in the loop, is likely to generalize.

Recommendations

Immediate Actions

Organizations running Langflow or comparable LLM orchestration and agent-building platforms should confirm they are on a patched version and should not expose code-execution or flow-build endpoints to the public internet under any circumstances; if Langflow or similar tooling must be internet-reachable for legitimate reasons, it should sit behind authentication and network-layer access controls independent of the application’s own auth logic. Security teams should also treat any host that runs AI orchestration software as a high-value credential store and audit it specifically for API keys, cloud credentials, and database secrets stored in plaintext, environment variables, or application configuration, since JADEPUFFER’s entire lateral-movement path originated from secrets harvested at the point of initial access. Finally, every internet-facing service using default credentials, including but not limited to MinIO, should have those credentials rotated immediately as a baseline check, independent of any specific incident.

Short-Term Mitigations

Security teams should inventory Nacos, and comparable configuration and service-discovery platforms, for the specific authentication-bypass pattern JADEPUFFER exploited, verify the deployed version is patched, and confirm that default signing keys and tokens have been replaced with unique, organization-generated secrets rather than left at their out-of-the-box values. Database and configuration servers that support production workloads should not be reachable directly from the public internet, and where remote administrative access is required, it should be brokered through a bastion host or VPN with its own independent authentication rather than exposed on the service’s native port. Egress controls that would have blocked the compromised Langflow host from beaconing to external infrastructure, or from reaching an unrelated production database server, represent a control that would have interrupted this specific attack chain at multiple points and are worth prioritizing for any host that runs untrusted or externally reachable code execution.

Strategic Considerations

The JADEPUFFER case argues for treating AI agent orchestration hosts as a distinct asset class in vulnerability management and credential hygiene programs, comparable to how organizations already treat CI/CD systems or secrets managers, rather than as ordinary application servers. Because the agent’s effectiveness depended entirely on chaining previously known, individually patchable weaknesses, organizations should weight patch prioritization and default-credential remediation for AI-adjacent infrastructure at least as heavily as for traditional internet-facing systems, since this incident demonstrates that automating that chain end-to-end is now feasible without a technically skilled human operator at each step. Longer term, security leaders should also anticipate that autonomous or semi-autonomous offensive tooling will increasingly narrow the gap between vulnerability disclosure and exploitation across an entire environment rather than a single host, which strengthens the case for continuous, automated discovery and remediation of exposed services, default credentials, and unpatched known-exploited vulnerabilities rather than periodic manual review cycles.

CSA Resource Alignment

CSA’s Agentic AI Red Teaming Guide is the most directly applicable existing CSA resource for this incident, since JADEPUFFER’s behavior maps closely onto several of the twelve threat categories the guide is built around, including agent critical system interaction, goal and instruction manipulation in the agent’s own adaptive replanning, and the broader theme of an agent operating with real-world consequences beyond its intended scope. Organizations that build or operate their own agentic tooling, including Langflow-based deployments, should apply the guide’s testing methodology for agent authorization and control hijacking against their own infrastructure, treating the JADEPUFFER case as a demonstration of what an adversarial agent looks like when it succeeds rather than a theoretical exercise.

CSA’s Securing Autonomous AI Agents survey report is directly relevant to the credential-exposure root cause of this attack. The survey found that only 18 percent of organizations are highly confident their identity and access management can govern AI agent identities, and that static API keys and shared service accounts are the most common way organizations authenticate AI agents today, a related exposure pattern to the one JADEPUFFER’s agent exploited when it harvested plaintext API keys and cloud credentials directly from a compromised Langflow host. CSA’s companion Identity and Access Gaps in the Age of Autonomous AI report reinforces this point from the deployment side, finding that 74 percent of respondents agree AI agents often receive more access than necessary and that most organizations cannot reliably distinguish AI agent activity from human activity in their environments. Both findings argue for extending the credential rotation, least-privilege, and identity-separation practices these reports recommend specifically to hosts running AI orchestration and agent frameworks, not only to the agents those frameworks are built to run.

More broadly, the vulnerability and default-credential hygiene failures that enabled every stage of this attack fall within the scope of CSA’s AI Controls Matrix (AICM v1.1), particularly its domains covering threat and vulnerability management and identity and access management. Organizations formalizing patch-management and credential-rotation requirements for AI orchestration infrastructure should map those requirements to the relevant AICM domains to ensure this class of exposure is captured in existing AI governance and audit programs.

References

[1] Sysdig Threat Research Team. “JADEPUFFER: Agentic Ransomware for Automated Database Extortion.” Sysdig, July 2026.

[2] BleepingComputer. “JadePuffer Ransomware Used AI Agent to Automate Entire Attack.” BleepingComputer, July 4, 2026.

[3] Security Affairs. “JADEPUFFER: First End-to-End AI-Driven Ransomware Operation.” Security Affairs, July 3, 2026.

[4] The Hacker News. “AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack.” The Hacker News, July 2026.

[5] Langflow. “Unauthenticated Remote Code Execution via Code Validation Endpoint (GHSA-rvqx-wpfh-mfx7).” GitHub Advisory Database, 2025.

[6] Keysight. “CVE-2025-3248: Unauthenticated Remote Code Execution in Langflow.” Keysight, June 2025.

[7] The Hacker News. “Critical Langflow Flaw Added to CISA KEV List Amid Ongoing Exploitation Evidence.” The Hacker News, May 2025.

[8] GitHub Advisory Database. “Nacos Authentication Bypass (GHSA-36hp-jr8h-556f).” GitHub, 2021.

[9] NVD. “CVE-2021-29441 Detail.” National Vulnerability Database, 2021.

← Back to Research Index