The Agentic Review

Incidents — JULY 7, 2026

JADEPUFFER: AI agent ran a full ransomware operation end-to-end, Sysdig says

The Sysdig Threat Research Team says an LLM chained reconnaissance, lateral movement, and destruction against a production database — a July 6 TechCrunch follow-up clarified a human still chose the victim and stood up the infrastructure.

Sysdig’s Threat Research Team says it’s documented what it believes is the first ransomware operation driven end-to-end by a large language model, an intrusion it’s calling JADEPUFFER. The agent handled reconnaissance, credential theft, lateral movement, persistence, and encryption of a production database, adapting to failures in real time and leaving behind a ransom note with a Bitcoin address and a Proton Mail handle.

Initial access came through CVE-2025-3248, the missing-authentication flaw in Langflow, the open-source framework for building LLM applications. The agent used it to run arbitrary Python on an internet-facing host, dump a PostgreSQL database, scrape environment variables and provider API keys, enumerate a MinIO object store, and install a cron job that beaconed to attacker infrastructure every 30 minutes. Root credentials of unclear origin then let it pivot to a production MySQL server running Alibaba’s Nacos configuration service, where it exploited CVE-2021-29441 to create a rogue admin. It encrypted 1,342 Nacos configuration items with MySQL’s AES_ENCRYPT(), dropped the originals, and inserted a README_RANSOM table. The key was never stored or transmitted, so recovery isn’t possible.

Sysdig points to four lines of evidence for LLM authorship across more than 600 captured payloads, including self-narrating scripts and a 31-second window between a failed Nacos login and a correct multi-step fix.

The tell that the operator wasn’t quite as autonomous as the framing suggested came from the ransom note itself: the Bitcoin address is the sample wallet from Bitcoin’s own developer documentation, a string that saturates model training data.

In a July 6 TechCrunch follow-up, Michael Clark, senior director of threat research at Sysdig, tempered the “no human at the keyboard” reading. He said “a human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim.” The database credentials, Clark added, came from a prior compromise and were handed to the agent. Harvested API keys for OpenAI, Anthropic, DeepSeek, and Gemini were loot, not evidence of what powered the intrusion. Sysdig can’t identify the model and has no visibility into its system prompt.

What JADEPUFFER actually demonstrates, then, isn’t a machine that decided to extort anyone. It’s the ransomware-as-a-service business model with the mid-tier operator replaced by an API call.

Sources

— END —