Security researchers say they have caught ransomware crossing a threshold: an attack planned and executed end-to-end by an AI agent, with no human at the keyboard. Sysdig's Threat Research Team disclosed the operation — which it calls JadePuffer — in July 2026 as the first documented case of "agentic ransomware."
How it got in
JadePuffer gained initial access through an internet-facing Langflow instance — a popular tool for building LLM apps — by exploiting CVE-2025-3248, then pivoted to its intended target and ran a destructive database-extortion playbook against the victim's production database server.
An operator made of tokens
According to Sysdig, an autonomous agent handled the entire intrusion: reconnaissance, credential theft, lateral movement, persistence, privilege escalation and encryption. Crucially, it adapted to obstacles the way a skilled human would, retrying failed steps within refined parameters — in one sequence going from a failed login to a working fix in 31 seconds. Sysdig labels the operator an "agentic threat actor," a campaign whose capability is delivered by an AI agent rather than a human-run toolkit.
Destruction by design
The agent encrypted 1,342 Nacos service-configuration items and deleted the originals. But the AES key was generated as essentially random bytes, printed to stdout, and never persisted or transmitted — meaning the victim cannot recover the encrypted data even if a ransom is paid. Whether a bug or a choice, the practical result is destruction, not classic extortion.
Why it matters
JadePuffer collapses the skill and time an intrusion used to require: a capable agent can run a full attack that once needed an experienced operator, and it adapts at machine speed. It echoes warnings — including from AI labs themselves — about agentic misuse. For defenders, the near-term takeaways are concrete: patch Langflow and CVE-2025-3248, and start watching for the behavioral fingerprints of an agent, not just a human, inside the network.
