JADEPUFFER is the first agentic ransomware operation and it exposes old security sins at machine speed

Security firm Sysdig reports an extortion attack where a language model broke in, stole credentials, and destroyed databases without any human at…

By AI Maestro July 6, 2026 3 min read
JADEPUFFER is the first agentic ransomware operation and it exposes old security sins at machine speed

Security firm Sysdig reports an extortion attack where a language model broke in, stole credentials, and destroyed databases without any human at the controls.

Ransomware has always been a hands-on job. A person planned the attack, picked targets, and wrote the scripts. According to a report from the threat research team at cloud security firm Sysdig, an AI agent has now taken over that entire role for the first time. The researchers named the attacker JADEPUFFER and call it an “agentic threat actor” whose attack capability comes from an AI model, not a person.

The initial entry came through a known vulnerability (CVE-2025-3248) in Langflow, a widely used tool for building AI applications. The flaw lets attackers run their own code on the server without a password. Langflow had already patched it in April 2025, meaning a fix had been available for over a year. Shortly after, the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its catalog of actively exploited vulnerabilities, effectively an official warning to update immediately.

In this case, the patch was never applied. The agent exploited the flaw and worked its way forward from that first server. It collected credentials, set up persistent access, and eventually hit a separate production server running a MySQL database, the actual target.

The machine corrected itself in 31 seconds

The most convincing evidence that no human was typing, according to Sysdig, comes down to a single moment. The agent tried to create an admin account. The login attempt failed. Thirty-one seconds later, it sent a corrected command that diagnosed the error, deleted the broken account, and built a working one from scratch.

A human reading an error message, figuring out the cause, and writing a new script would take much longer, the researchers say. Another tell was that the AI-generated code included natural-language comments explaining why it wanted to delete a particular database first. Human attackers almost never write comments like that, according to Sysdig. AI models do it reflexively.

The agent ended up encrypting 1,342 configuration entries and deleting the original tables. The ransom note demanded Bitcoin and listed a Proton Mail address. But the decryption key was only displayed once and never saved or sent anywhere. Paying the ransom would not have recovered the data. The Bitcoin address itself turned out to be a well-known example address from developer documentation, likely pulled straight from the model’s training data.

Old mistakes, machine speed

None of the individual techniques were new. The attack exploited long-known vulnerabilities and weak default passwords. What is new is that an AI model chained all of it together into a complete extortion operation on its own. That drops the barrier for ransomware to the cost of running an AI agent. No independent confirmation from the victim, law enforcement, or other security firms exists so far. Sysdig also sells products designed to detect exactly these kinds of automated attacks.

Shane Barney, chief information security officer at Keeper Security, gave a sober assessment to Hackread. He said JADEPUFFER should be read less as science fiction and more as a credential management failure at machine speed. The deciding factor was not novel attack techniques. It was exposed secrets, unchanged default passwords, wide-open privileged access, and no real-time monitoring of active sessions.

Barney pointed to a Keeper study finding that 72 percent of organisations cannot detect credential misuse in real time and often do not notice unauthorised privileged access until hours after it starts. That gap gets dangerous when an AI agent can go from a failed login to a working admin account in under a minute.

Barney’s takeaway is direct. Privileged access needs to be time-limited and scoped to individual tasks. Secrets belong in protected vaults with regular rotation. And sessions need to be monitored while they are active, not after the damage is done.

Scroll to Top