The Agentic Review

Incidents — JULY 8, 2026

JADEPUFFER: Sysdig documents first end-to-end AI-run ransomware operation

Sysdig's Threat Research Team says an autonomous LLM agent broke into a Langflow server via CVE-2025-3248, pivoted to a production MySQL and Nacos target, and encrypted 1,342 configuration items — writing its own ransom note along the way. TechCrunch adds that a human still stood up the infrastructure.

Sysdig’s Threat Research Team has published what it assesses as the first documented end-to-end LLM-driven ransomware operation, encrypting 1,342 Nacos configuration items on a production database while an autonomous agent handled the entire technical kill chain. The firm has designated the actor JADEPUFFER.

Initial access came through CVE-2025-3248, an unauthenticated remote code execution flaw in Langflow, the open-source framework for building LLM apps. According to Security Affairs, the bug was patched and added to CISA’s Known Exploited Vulnerabilities list in May 2025, but plenty of servers were never updated. The agent installed a cron job beaconing to attacker infrastructure every 30 minutes and swept the environment for API keys tied to OpenAI, Anthropic, DeepSeek, and Google’s Gemini, plus cloud credentials for AWS, GCP, Alibaba, Aliyun, Tencent, and Huawei.

The Langflow box was a way station. The real target was a separate production server running MySQL and Alibaba’s Nacos, which the agent connected to as root. Sysdig couldn’t determine where those credentials came from. Nacos was hit through three simultaneous vectors, including CVE-2021-29441, JWT forgery with a default key, and direct database account insertion.

The clearest evidence of autonomy sits in the timeline. Sysdig, cited by BleepingComputer, says the agent “went from a failed login to a working fix in 31 seconds”, diagnosing a subprocess PATH issue and switching approach with no human at the keyboard.

Encryption was handled through MySQL’s own AES_ENCRYPT() function across all 1,342 Nacos service configs, originals dropped, a README_RANSOM table created with a Bitcoin address and a Proton Mail contact. Infosecurity Magazine notes the AES key was ephemeral. The data isn’t recoverable even if the victim pays.

TechCrunch narrows the “no human at the keyboard” framing. Michael Clark, Sysdig’s senior director of threat research, told CyberScoop that a human still set up the infrastructure and chose the target, and that Sysdig “was not able to identify the specific model driving the agent” or its system prompt. Microsoft researcher Geoff McDonald, writing on LinkedIn, argues the behavior looks more consistent with an open-weight model stripped of safety training than with a frontier system.

The structural point is the one Sysdig lands on and leaves alone. The skill floor for running a ransomware operation has collapsed to the cost of renting an agent.

Sources

— END —