- The first agent ransomware attack has been dubbed JADEPUFFER by researchers at Sysdig
- The threat exploited a known vulnerability, adapted to obstacles, and targeted an Alibaba Nacos
- Unfortunately for victims, paying means nothing as JADEPUFFER fails to back up the data
Has ransomware become self-aware? Sysdig researchers have analyzed an attack on an internet-facing Langflow instance and discovered what they believe is the first ransomware infection powered not by a human, but by AI.
As the attack progressed via a vulnerability, it gained access to a server, removed data, overcame challenges, and called home regularly—all controlled not by a remote operator, but by a large language model (LLM).
Dubbed “JADEPUFFER,” the attack appears to point to the direction of extortion-based cybercrime – if not for the entire sector, then certainly for the cybercrime-as-a-service (CaaS) market. As emphasized in Sysdig’s conclusion: “It is a marker of where extortion is heading.”
Fully autonomous hack
Using a code injection attack on a Langflow deployment, Sysdig reported that the attack was fully automated, and after exploiting the vulnerability (CVE-2025-3248), JADEPUFFER sought credentials for LLM providers, databases, cloud platforms, and cryptocurrency wallets.
It also harvested data from the Langflow instance’s Postgres database and performed various destruction operations before reaching the intended Alibaba Nacos (Naming and Configuration Service) and connected MySQL database.
At this point, the ransomware claim was issued, with 1,342 Nacos configuration items encrypted and important database tables dropped. The interesting thing about this is that random encryption was used, but no backup was made and no key or report was created – so even if the ransom was paid, the data would remain unbacked.
(Langflow patched the vulnerability in April 2025, so this attack could have been avoided if the instance had been patched. Ironically, Langflow is also an AI platform that provides low-code solutions for building and deploying chatbots, agents, and advanced workflows using artificial intelligence.)
A new phase in cyber security
Security researchers have been on the lookout for Agentic Threat Actors (ATAs) for a while now, so the arrival of JADEPUFFER is not entirely unexpected. Its arrival essentially means anyone can set up and run a ransomware (or other cyber threat) operation, relying on intelligent prompts and low-stakes, fully automated testing in the wild that LLM can learn and improve.
If this does indeed represent the dawn of a new age of cyber security, it’s not all bad news. This incident has shown how LLM-based attacks can be detected.
For example, it used historical vulnerabilities, but the most interesting thing about it is that this attempt was quite extensive. The Sysdig team noted that when JADEPUFFER was presented with obstacles to its primary goal, it adapted and shared its rationale.
While this narrative is common among LLMs, other threats do not do this, giving an advantage in detecting LLM-based threats like JADEPUFFER and the variants that will inevitably emerge.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



