Safety

JADEPUFFER is the
first ransomware attack
run end-to-end by
an LLM agent

Sysdig's Threat Research Team documented an autonomous AI operation that exploited a Langflow bug, pivoted to a MySQL server, encrypted 1,342 Nacos configuration records, and wrote its own ransom note — with a human only setting up infrastructure beforehand.

Sysdig’s Threat Research Team has published a forensic account of what it’s calling the first ransomware operation executed end-to-end by an LLM agent, from initial exploit to ransom note. The campaign, which Sysdig has named JADEPUFFER, ran more than 600 coordinated payloads against an internet-facing Langflow instance, pivoted to a downstream MySQL server, encrypted 1,342 Nacos service configuration items, and wrote its own extortion demand. A human set up the scaffolding and picked the target. The agent did everything else.

Initial access came through CVE-2025-3248, an unauthenticated remote code execution flaw in Langflow, the open-source framework used to build LLM applications. The agent installed a cron job on the Langflow host to beacon out every 30 minutes, then attempted to escalate by exploiting CVE-2021-29441 to create a rogue administrator account. From there it pivoted into Alibaba’s Nacos configuration service running on MySQL, dropped the original config_info and history tables, encrypted every row with MySQL’s built-in AES_ENCRYPT() function, and staged the demand in a fresh README_RANSOM table pointing to a Proton Mail address and a Bitcoin wallet.

What makes the report distinctive isn’t the technique inventory. It’s the telemetry. Sysdig describes “self-narrating” payloads containing natural-language reasoning, ROI-style target prioritization, and step-by-step annotations “that human operators don’t often write but LLM-generated code produces reflexively.” In one Nacos sequence, only 31 seconds elapsed between a failed login and a working multi-step fix. Michael Clark, director of threat research at Sysdig, told CyberScoop that a human had “set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim.” Beyond that, the agent improvised.

The improvisation is also where the operation reveals itself as sloppy. The ransom note claimed AES-256; Sysdig believes the actual cipher was AES-128-ECB. The encryption key was randomly generated but never stored or transmitted, meaning a paying victim probably couldn’t recover the data even if they wanted to. The Bitcoin address in the note is a well-known example address from public documentation, apparently regurgitated from training data. And the MySQL root credentials the agent used weren’t harvested by the agent at all; they were handed to it, obtained through a prior compromise.

Sysdig couldn’t identify the specific model or read its system prompt. Microsoft researcher Geoff McDonald, posting on LinkedIn, argued the driver was more likely an open-weight model with safety training stripped than a frontier system, based on his own red-teaming of the majors. His sharper point: campaigns of this shape are now bounded by attacker budget rather than human effort, raising the prospect of thousands running in parallel.

Independent researchers told Dark Reading and CSO Online that none of JADEPUFFER’s individual techniques are novel. Johan Edholm, co-founder of Detectify, called the operation “more evolution than invention.” That framing is correct and misses the structural point. The 2017 WannaCry outbreak was also, technique by technique, unoriginal; what mattered was the worm loop that removed the human from the propagation step. JADEPUFFER removes the human from the reasoning step. The ransom note being technically broken isn’t reassurance. It’s a v0.1.

Sources