The Agentic Review

Incidents — JULY 7, 2026

JADEPUFFER: Sysdig documents first ransomware operation run end-to-end by an LLM agent

The agent breached a Langflow server, pivoted to a MySQL and Alibaba Nacos target, and encrypted 1,342 configuration records — firing more than 600 distinct payloads and self-correcting a failed login in 31 seconds.

The Sysdig Threat Research Team has published what it describes as the first documented ransomware operation executed end-to-end by an LLM agent, tracked as JADEPUFFER, from a late-June 2026 intrusion that fired more than 600 distinct payloads before dropping a ransom note into its victim’s database.

Initial access came through CVE-2025-3248, an unauthenticated remote code execution flaw in Langflow, the open-source framework for building LLM applications. Every payload was delivered as Base64-encoded Python through the Langflow RCE endpoint. The agent handled reconnaissance itself: it dumped the PostgreSQL database, rifled the MinIO object store, harvested provider API keys for OpenAI, Anthropic, DeepSeek and Gemini, and installed a cron job that beaconed to attacker infrastructure every 30 minutes.

From there it pivoted to a production MySQL server running Alibaba Nacos, escalating via CVE-2021-29441, a Nacos authentication bypass that spawns rogue administrator accounts. The root credentials used for the pivot weren’t lifted by the agent. According to Sysdig senior director of threat research Michael Clark, speaking to TechCrunch, they were supplied from a prior compromise. A human still provisioned the command-and-control server, staging infrastructure and victim selection.

The agentic behavior is what makes the case notable. When a Nacos backdoor deployment failed, the agent read the error, switched from subprocess calls to direct library imports, and redeployed. The gap was 31 seconds.

“The model closed loops that used to require a skilled human,” Clark told CyberScoop.

The ransomware itself is where the seams show. The agent encrypted all 1,342 Nacos service configuration items using MySQL’s AES_ENCRYPT(), dropped the original config_info and history tables, and created a README_RANSOM table with a Bitcoin address and a Proton Mail contact. Sysdig assessed the actual cipher as AES-128-ECB rather than the AES-256 claimed in the note. The encryption key was never stored or transmitted, so payment couldn’t recover the data. The Bitcoin address matches an example widely used in public documentation, likely hallucinated from training data. Sysdig couldn’t identify the model driving the agent.

“The skill floor for running a full ransomware operation just dropped to whatever it costs to run an agent,” Clark said.

The 2017 NotPetya episode taught defenders that ransomware whose keys don’t exist is still ransomware in effect. JADEPUFFER extends the lesson: competence at the intrusion layer no longer implies competence at the extortion layer, because the two are now written by different authors.

Sources

— END —