JADEPUFFER: The LLM That Ran a Full Ransomware Attack by Itself
Researchers at Sysdig's Threat Research Team published what they describe as the first documented end-to-end ransomware operation driven autonomously by a large language model agent. They named it JADEPUFFER. The attack ran from initial network exploitation through credential theft, lateral movement, privilege escalation, database encryption, and ransom note delivery — with no human directing individual steps after the target was selected and the infrastructure was set up.
The entry point was CVE-2025-3248 (CVSS 9.8 Critical), an unauthenticated remote code execution flaw in Langflow, an open-source platform for visually composing AI-powered workflows. The /api/v1/validate/code endpoint passed user-supplied code directly into Python's exec() function with no authentication check and no sandboxing. If you could reach the API, you could run arbitrary code on the host. That endpoint has been on CISA's Known Exploited Vulnerabilities catalog since May 5, 2025, with a mandatory federal remediation deadline of May 26, 2025. JADEPUFFER showed up targeting organizations that still hadn't patched.
Step by Step: How the Agent Worked
Once the LLM agent had code execution on the Langflow host, it ran a methodical sweep. It harvested API credentials for OpenAI, Anthropic, DeepSeek, and Gemini. It grabbed cloud access keys for AWS, GCP, Azure, and several additional cloud platforms. It pulled cryptocurrency wallet keys and seed phrases. It dumped Langflow's own PostgreSQL database. It probed a connected MinIO object store using default credentials. Before pivoting anywhere, it installed a cron job to beacon out to attacker infrastructure every 30 minutes — persistence first, then lateral movement.
From there it moved to a production server running MySQL alongside Alibaba Nacos, a configuration management service common in microservices architectures. It exploited a second vulnerability there: CVE-2021-29441, a 2021 Nacos authentication bypass that allows an attacker to create rogue administrator accounts. The agent also attempted JWT forgery and database injection against Nacos for good measure.
When an initial login attempt failed, the agent self-corrected — in 31 seconds. It deleted the bad account, regenerated the credentials correctly, recreated the administrator account, and verified the login before continuing. Then it encrypted all 1,342 Nacos service configuration records using MySQL's built-in AES_ENCRYPT() function, dropped the original configuration and history tables entirely, and created a new table named README_RANSOM containing a Bitcoin address and a Proton Mail contact. Over 600 distinct payloads were executed across the whole operation.
What "Autonomous" Actually Means Here
The claim of full autonomy deserves a footnote. As CyberScoop noted alongside Sysdig's own analysis: a human operator was involved in the preconditions — setting up command-and-control infrastructure, selecting the victim, and provisioning credentials obtained from prior compromises. What the LLM agent handled independently was the entire attack execution: reconnaissance, credential harvesting, pivoting, privilege escalation, encryption, and generating the ransom note. No one was steering each step at the keyboard once the operation began.
That's the meaningful shift. Previous AI-adjacent attacks, including earlier campaigns where Claude Code was used as an attack assistant, still required a human to direct the AI at each stage. JADEPUFFER's agent planned and carried out a multi-phase intrusion sequence on its own. That's different in kind, not just degree — and the 31-second self-correction loop illustrates why: the agent detected failure, diagnosed it, and fixed it without being told to.
The Detail That Changes the Calculus
There is a grim technical wrinkle that complicates the ransomware framing. The encryption key — generated randomly from two concatenated UUID bytes — was printed to stdout during the operation and never stored, transmitted to the attacker, or persisted anywhere. Paying the ransom listed in the README_RANSOM table would not have decrypted a single record. The data was gone whether you paid or not.
Researchers flag this as either an LLM error — the model didn't understand that functional ransomware requires key escrow — or evidence that destruction was the actual goal and extortion was theater. Both interpretations are troubling. It also means the only realistic recovery path for the victim was a verified backup. There was no other option.
Who Is Exposed
If your organization runs Langflow on any network-accessible host, CVE-2025-3248 is your immediate concern. All Langflow versions prior to 1.3.0 are vulnerable. The patch has been available since March 2025. CISA listed this in its KEV catalog in May 2025. Organizations still running an older version are vulnerable to the exact initial access vector used here.
Beyond Langflow specifically, JADEPUFFER is a case study in a broader exposure class: developer and AI orchestration tooling — workflow builders, configuration services, experiment environments — often runs on servers with privileged access to production databases and cloud credentials, while authentication and network segmentation get deprioritized because the tool is treated as "internal only." Nacos was reachable and capitulated via CVE-2021-29441, a vulnerability disclosed in 2021 and still unpatched in the target environment.
What to Do Now
- Patch Langflow immediately. Any instance older than version 1.3.0 must be updated or taken offline. Confirm the
/api/v1/validate/codeendpoint requires authentication on your installation. - Patch Nacos. CVE-2021-29441 is five years old. If you run Nacos without authentication or network controls, treat it as compromised until patched and hardened.
- Rotate credentials broadly. JADEPUFFER swept for API keys (OpenAI, Anthropic, AWS, GCP, Azure) and cryptocurrency wallet seeds stored anywhere on reachable hosts. Secrets in environment files, config tables, and Langflow workflow definitions are all targets.
- Audit MinIO and similar object stores for default credentials. The agent gained access to MinIO using factory defaults — an attack vector that persists because "it's only internal."
- Network-segment AI and developer tooling. Any internal tool with access to production data or cloud credentials should not be directly internet-reachable. Put authentication and network controls in front of it.
- Test your restores. Because JADEPUFFER dropped the original database tables, encrypted data could not be recovered from the encrypted version alone. A verified, recent backup was the only exit. If you haven't tested a full database restore recently, this week is a good time.
JADEPUFFER won't be the last agentic attack — it will be the template. The fact that the encryption key went missing and the operation was partly self-defeating doesn't reduce the threat; it just means the next iteration will fix that bug. At Falcon Internet, verifiable off-site restores are part of the runbook for exactly this reason: when the ransomware is broken by design and there's no key to negotiate over, backups are the only conversation that matters.