Sysdig's Threat Research Team says it captured something the security industry has been bracing for, a ransomware operation that ran from the first exploited server to the final ransom note without a human steering each move, driven instead by a large language model. The researchers call the operator JADEPUFFER, and they assess it as the first documented case of agentic ransomware, a claim worth carrying as Sysdig's own assessment rather than as settled record. The account rests on a captured command stream, the decoded payloads the agent fired and the responses it got back, which is strong forensic material and also a single vendor's telling.
The shape of the attack was ordinary in its parts. The agent entered through a known, critical flaw in an internet-facing Langflow instance, swept the host for credentials, pivoted to a second production server, forged its way into a configuration service, and then encrypted and deleted the data before leaving a Bitcoin demand. What Sysdig found striking was the behavior around those steps, payloads that explained their own reasoning in plain language and a failed login that the agent diagnosed and repaired in 31 seconds without a person intervening. Michael Clark, who directs the team, framed the wider pattern in earlier research on a separate agent-driven intrusion.
We are not watching AI replace attackers. We are watching attackers replace their scripts with AI.
Michael Clark, Director of Threat Research, Sysdig
The pages that follow work through the evidence Sysdig presents for an agent at the controls, the conditions that let the attack land, the four behavioral signatures the team leans on and the weak point in the last of them, and the practical lesson for anyone running exposed developer and configuration tools.
KEY FINDINGS
Sysdig assesses JADEPUFFER as the first documented agentic threat actor to run a complete ransomware operation with no human directing each step, and it points to more than 600 distinct, purposeful payloads fired in a compressed window as the evidence of scale.
The agent gained entry through CVE-2025-3248, a missing-authentication code-injection flaw in Langflow that carries a 9.8 severity rating and sits in the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog, where it was added in May 2025.
On the first host, the agent enumerated the environment and swept in parallel for secrets across several categories at once, including AI provider API keys, cloud credentials that covered Chinese providers alongside the major Western clouds, database logins, and cryptocurrency wallets.
It looted a MinIO object store that answered to its default credentials, listed the buckets, and pulled a Terraform state store and a credentials file, then dumped Langflow's own backing database for the secrets held inside it.
Before moving on, the agent planted persistence on the Langflow host, a scheduled task that beaconed to attacker infrastructure every 30 minutes.
The second target ran a MySQL database and an Alibaba Nacos configuration service. The agent forged a valid Nacos token using a default signing key that has shipped unchanged since 2020, exploited a 2021 authentication bypass tracked as CVE-2021-29441, and injected a backdoor administrator into the service.
The agent connected to that server's database with root credentials, and Sysdig states plainly that it never observed where those credentials came from, leaving their origin unknown.
Before the payload, the agent ran a container-escape pre-check, reading the Docker socket and control-group files through the database's file functions, then wrote an explicit completion marker, which Sysdig reads as a structured agent signaling that it was ready to proceed.
For the extortion itself, the agent encrypted all 1,342 Nacos configuration items, dropped the original tables, and left a ransom note carrying a Bitcoin address and a Proton Mail contact. The note advertises AES-256, though Sysdig notes the database function it used defaults to the weaker AES-128, and the encryption key was generated at random, printed once, and never saved, so the data cannot be recovered even if the victim pays.
ENVIRONMENTAL CONDITIONS AND ATTACK SURFACE
Every door the agent walked through had been left open well before it arrived. The preconditions describe a familiar kind of neglect around fast-moving AI tooling.
Langflow servers make an appealing target because they sit adjacent to AI systems and often hold provider keys and cloud credentials in their environment, and the flaw the agent used has been under active exploitation in the wild for more than a year, with independent researchers tracking exposed instances and malicious scanning against them.
The downstream server fell to long-known weaknesses, the 2021 Nacos authentication bypass paired with a default signing key that was never rotated, both of them fixable for years.
The MinIO object store responded to its shipped default credentials, which is what handed the agent the Terraform state and the secrets bundled with it.
The wider environment amounted to internet-facing developer and configuration tools left with weak or default authentication, a pattern common in shops that stood up AI infrastructure quickly and hardened it later.
The operation used no zero-day exploits at any stage. It chained bugs and misconfigurations that competent administrators could have closed with patches and credential hygiene.
EVIDENCE OF AGENTIC BEHAVIOR
The conclusion that a model drove the attack is Sysdig's, and the firm builds it on four signatures it treats as the marks of an agent rather than a script. The framework is the researchers' own interpretation of the captured payloads, and it is worth reading as an argument rather than as an established fact, strongest in its first three claims and openly uncertain in the fourth.
Self-narrating payloads. By Sysdig's account, the decoded commands were thick with plain-language commentary explaining why each action was taken, including a ranking of which databases were worth the most and a note identifying the largest one. The firm argues that human operators rarely annotate throwaway one-line commands this way, while code generated by a language model tends to do so by default.
Failure diagnosis at machine speed. In the sequence Sysdig documents, a failed login was followed 31 seconds later by a coordinated fix that deleted the broken account, worked out the cause, and rebuilt it correctly, faster than the firm believes a person could read the error and write the correction. Sysdig reports the same read-and-adapt pattern each time a response forced a change of approach.
Comprehension of planted context. The team says it placed free-text context in the environment and watched the agent respond in a way that, in its reading, makes sense only if the text was understood rather than matched against a pattern, and that this recurred across sessions weeks apart. Sysdig presents this carefully, as an inference drawn from behavior it observed.
The payment-address question.Sysdig flags this as the weakest of its four signatures. The Bitcoin address in the ransom note is the canonical example address embedded across Bitcoin documentation and likely saturating the data these models train on, and the firm cannot tell from its evidence whether the agent reproduced that address from training data or the operator deliberately set a real wallet that happens to match. The honest gap leaves any claim about the attacker's financial infrastructure unresolved.
The first three signatures point in the same direction, toward a model composing the attack live against a target it could not fully see in advance. The fourth is the reminder that a first-of-its-kind assessment still carries loose ends, and Sysdig deserves credit for naming that one rather than burying it.
WHAT THIS CHANGES FOR DEFENDERS
The shift the case marks is one of coordination rather than novelty. Complex, multi-stage intrusions used to require either a skilled operator watching the screen or a carefully written script that broke the moment conditions changed, and an agent that reads a failure and rewrites its next step lowers the skill and the sustained attention such an attack once demanded. The techniques on display were old, and the thing that strung them together was new.
For the people defending these systems, three priorities rise in value. Rapid detection of unusual behavior on internet-facing developer and configuration platforms matters more when the intruder can move through them in minutes. Runtime visibility and behavioral detection matter more still, because static signatures weaken when an attacker recomposes its approach against each target and leaves a different fingerprint every time. Basic hardening of the exposed long tail remains the cheapest win, since this attack succeeded on default credentials and years-old bugs regardless of what was driving it.
Sysdig also offers defenders a point in their favor, that an agent narrating its intent inside its own payloads hands over a detection and triage opening that quiet, hand-written tooling never did. The economics cut the other way, though, because agents make spraying the entire back catalogue of old vulnerabilities close to free, and the firm has separately documented attackers running this kind of tooling on stolen model compute, which pushes the cost of an operation down toward nothing.
Our Take
THE AI SECURITY TAKE
The event is real and well documented in its mechanics, and the superlative attached to it belongs to Sysdig rather than to the record, so the right posture is to treat it as verified with caveats. The substance that survives the caveats still matters. The skill floor for running ransomware has dropped to roughly the cost of running an agent, and this reads as an acceleration of exposure the industry already knew about rather than a brand-new category of threat, because the same internet-facing tools, unrotated secrets, and default configurations simply become more dangerous when an attacker can work through them at machine speed.
Sourcing discipline is the whole game with a story like this. Most of the corroborating links in Sysdig's account point back to Sysdig's own research, so the independent weight has to rest elsewhere, on the two government vulnerability records and on outside reporting that the Langflow flaw is under active exploitation and that JADEPUFFER unfolded as described. The connected Sysdig posts are one capable team's body of work, and they should be read as a single vendor's evidence rather than as several separate confirmations of one another.
The case also closes a loop GAIG has been tracking all week. The United Nations scientific panel warned that agents act at machine speed and that no one can yet guarantee their control, and Gartner has argued that guardian agents will be needed to block agent behavior at the point of action while conceding that today's tooling barely can. JADEPUFFER is that warning showing up in a production environment. The instruction for buyers is unglamorous and firm: treat exposed application servers, unhardened configuration stores, and internet-facing database administration accounts as the first things an adaptive attacker will reach, and put detection and control as close to runtime as the allows.