AI Agent JADEPUFFER Runs First End-to-End Ransomware Attack via Langflow RCE
Security firm Sysdig has uncovered what it calls the first ransomware campaign executed end-to-end by an AI agent, tracked as JADEPUFFER. A large language model handled every stage of the operation: exploiting an unpatched vulnerability for initial access, harvesting credentials and cloud keys, moving laterally through the network, and ultimately encrypting and destroying a production database. The incident marks a significant escalation in AI-enabled cybercrime, where the operator skill required drops to nothing more than renting an agent capable of chaining together offensive steps.
The attack began with CVE-2025-3248, a missing-authentication flaw in Langflow, an open-source framework for building AI applications and agent workflows. The vulnerability allowed unauthenticated remote code execution on any reachable Langflow server. It was patched in version 1.3.0 and added to CISA's Known Exploited Vulnerabilities catalog in May 2025. Many instances were never updated and remained exposed on the public internet, often storing API keys for OpenAI, Anthropic, DeepSeek, and Gemini, along with cloud credentials for Alibaba, Tencent, AWS, Google, and Azure. Once inside, the agent enumerated the host, exfiltrated secrets, and raided a MinIO storage server using the factory-default credentials (minioadmin:minioadmin) that had never been rotated. It also established persistence by scheduling a callback task to the attacker's infrastructure every 30 minutes.
Pivoting to an internet-facing MySQL server running Alibaba's Nacos service discovery platform, the agent authenticated as root and then compromised Nacos itself using CVE-2021-29441, a 2021 authentication bypass, combined with a default signing key Nacos has shipped unchanged since 2020. The agent created a new admin account, encrypted all 1,342 Nacos configuration entries, dropped the original database tables, and left a ransom note demanding Bitcoin with a Proton Mail contact address. Crucially, the encryption key was generated randomly, printed once to the terminal, and never persisted or transmitted, meaning there is no key to recover even if the victim pays. The note claims AES-256 encryption, though Sysdig noted the underlying tool defaults to weaker AES-128. The agent then deleted additional databases and left a comment claiming the data had already been exfiltrated elsewhere, suggesting the ransom demand was pure destruction dressed up as extortion.
The JADEPUFFER incident illustrates how quickly AI-driven attacks can compress entire kill chains into autonomous workflows. Defenders should immediately audit any internet-exposed Langflow instances, confirm they are running 1.3.0 or later, and rotate any credentials that may have been stored on them. Organizations should also scan their public attack surface using a port scanner to identify exposed services like Langflow, Nacos, and MinIO, and run a credential exposure check against any secrets harvested from compromised hosts. Default credentials on ancillary services like MinIO, unchanged for years, remain a recurring weak point that automated agents can exploit in seconds.
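The version and default-credential checks recommended above can be run over an asset inventory, as in this added example (not code from Sysdig's report or from the Langflow or MinIO projects). The inventory layout and hostnames are constructed for illustration; MINIO_ROOT_USER and MINIO_ROOT_PASSWORD are MinIO's root credential environment variables.

```python
import re

PATCHED_LANGFLOW = (1, 3, 0)                  # fix version for CVE-2025-3248, per the article
MINIO_DEFAULT = ("minioadmin", "minioadmin")  # factory default named in the article

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is unparsable."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    # Compare as integers: a plain string comparison would rank "1.10.1" below "1.3.0".
    return tuple(int(p or 0) for p in m.groups())

def minio_has_default_creds(env):
    # MinIO falls back to minioadmin:minioadmin when the root variables are unset,
    # so a missing variable is treated the same as the default value.
    user = env.get("MINIO_ROOT_USER", MINIO_DEFAULT[0])
    password = env.get("MINIO_ROOT_PASSWORD", MINIO_DEFAULT[1])
    return (user, password) == MINIO_DEFAULT

def audit(inventory):
    """Return (host, finding) pairs for unpatched Langflow and default-credential MinIO."""
    findings = []
    for item in inventory:
        svc, host = item["service"], item["host"]
        if svc == "langflow":
            ver = parse_version(item.get("version", ""))
            if ver is None:
                findings.append((host, "langflow version unknown, verify manually"))
            elif ver < PATCHED_LANGFLOW:
                findings.append((host, "langflow below 1.3.0: patch and rotate stored keys"))
        elif svc == "minio" and minio_has_default_creds(item.get("env", {})):
            findings.append((host, "minio running with default root credentials"))
    return findings

# Constructed sample inventory (hostnames and values are illustrative only).
SAMPLE = [
    {"host": "lf-old.example", "service": "langflow", "version": "1.2.0"},
    {"host": "lf-new.example", "service": "langflow", "version": "v1.10.1"},
    {"host": "lf-odd.example", "service": "langflow", "version": "nightly"},
    {"host": "s3-a.example", "service": "minio", "env": {}},
    {"host": "s3-b.example", "service": "minio",
     "env": {"MINIO_ROOT_USER": "ops", "MINIO_ROOT_PASSWORD": "constructed-not-default"}},
]

if __name__ == "__main__":
    for host, msg in audit(SAMPLE):
        print(f"{host}: {msg}")
```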