- The first agent ransomware attack has been named JADEPUFFER by Sysdig researchers
- The threat exploited a known vulnerability, adapted to obstacles and targeted Alibaba Nacos
- Unfortunately for victims, paying means nothing as JADEPUFFER cannot backup data.
Has ransomware become self-aware? Sysdig researchers analyzed an attack on an internet-connected Langflow instance and discovered what they believe is the first ransomware infection driven not by a human, but by AI.
As the attack progressed through a vulnerability, it accessed a server, deleted data, overcame challenges, and called home regularly, all controlled not by a remote operator, but by a large language model (LLM).
Dubbed “JADEPUFFER,” the attack appears to signal the direction that extortion-based cybercrime will take, if not for the entire sector, then at least for the cybercrime as a service (CaaS) market. As Sysdig’s conclusion highlights: “It is an indicator of where the art of extortion is headed.”
Fully autonomous hack
Using a code injection attack on a Langflow implementation, Sysdig reported that the attack was fully automated, and after exploiting the vulnerability (CVE-2025-3248), JADEPUFFER searched for credentials for LLM providers, cloud database platforms, and cryptocurrency wallets.
It also collected data from the Postgres database of the Langflow instance and committed several acts of destruction before the Alibaba Nacos (Naming and Configuration Service) and the connected MySQL database were reached.
At this point, the ransomware lawsuit was issued, with 1,342 Nacos configuration items encrypted and crucial database tables deleted. The interesting thing about this is that random encryption was applied, but no backup was made and no key or report was created, so even if the ransom was paid, the data would not be recovered.
(Langflow fixed the vulnerability in April 2025, so this attack could have been prevented if the instance had been patched. Ironically, Langflow is also an AI platform that provides low-code solutions for creating and deploying chatbots, agents, and advanced workflows using AI.)
A new phase in cybersecurity
Security researchers have been searching for agent threat actors (ATAs) for a while now, so the arrival of JADEPUFFER is not entirely unexpected. Basically, its arrival means that anyone can create and operate a ransomware (or other cyber threat) operation, based on intelligent indications and fully automated, low-effort tests in the wild, from which the LLM can learn and improve.
If this truly represents the dawn of a new era of cybersecurity, it’s not all bad news. This incident has demonstrated how LLM-based attacks can be detected.
It used historical vulnerabilities, for example, but the most interesting thing is that this attempt was quite detailed. The Sysdig team noticed that when JADEPUFFER was presented with obstacles to its main goal, it adapted and shared its reasoning.
While this narrative is common among LLMs, other threats are not, offering an advantage in detecting LLM-based threats like JADEPUFFER and the variants that will inevitably appear.
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




