Sysdig’s Threat Research Team has published findings documenting what it describes as the first recorded case of genuinely agentic ransomware — an attack operation in which a large language model agent autonomously executed every technical phase of a ransomware campaign from initial access through database encryption and ransom note delivery, adapting in real time to obstacles without human guidance at each step. The operation, named JadePuffer by Sysdig researchers, took place in late June 2026 and has attracted widespread attention across the security community for what it signals about the future of ransomware tradecraft.
What JadePuffer Did
JadePuffer gained initial access by exploiting CVE-2025-3248, a critical code injection vulnerability in Langflow — a widely used open-source framework for building LLM-driven applications — that had been patched in April 2025 but remained unpatched on the victim’s internet-exposed instance. Once inside, the agent began autonomous post-exploitation operations that required no human instruction at each subsequent step.
The agent scanned the compromised Langflow host for valuable credentials: AI provider API keys from OpenAI, Anthropic, DeepSeek, and Gemini; cloud service credentials; cryptocurrency wallet files; and database configuration data. It enumerated the internal network, probed services using default credentials, accessed a MinIO object storage instance using the default minioadmin credentials, selectively exfiltrated sensitive files, and installed a crontab persistence mechanism. It then connected to the victim’s production MySQL database and a publicly exposed Alibaba Nacos configuration service.
The final phase encrypted over 1,300 configuration records and generated a self-authored ransom note, including a Bitcoin address for payment. The AI agent ran more than 600 distinct, purposeful payloads in rapid succession throughout the operation.
The 31-Second Adaptation
The detail that has most captured the security community’s attention is the speed with which the agent diagnosed and corrected an error during the Nacos exploitation phase. When an initial request returned an XML response instead of the expected JSON format, the agent read the error message, switched its approach from subprocess calls to direct library imports, and redeployed a corrected payload — all within 31 seconds. This adaptation cycle is dramatically faster than a human operator could achieve and illustrates the core economic shift that agentic AI creates in offensive operations.
What This Actually Means for Defenders
Sysdig’s Michael Clark is careful to contextualise the finding: a human was still involved in setting up infrastructure, selecting the target, and providing pre-compromised database credentials that the agent itself did not steal. JadePuffer is not fully autonomous in the absolute sense. But Clark’s assessment of the security implication is direct: the skill floor for running a complete ransomware operation has dropped to the cost of running an AI agent. The individual techniques were not novel — old Nacos authentication bypasses, default credentials, unpatched known vulnerabilities. What is new is the ability to chain them all into a complete end-to-end operation without a skilled human in the execution loop.








