JadePuffer Becomes First AI-Driven Ransomware to Run Attacks Without Human Help
Security researchers at Sysdig identified JadePuffer in July 2026, the first documented ransomware to use an AI agent to carry out an entire cyberattack without human direction. The agent exploited a known vulnerability in the Langflow framework, then moved through a target network, stole credentials, and encrypted database records on its own.

Security researchers at Sysdig identified JadePuffer in July 2026, calling it the first documented ransomware to use an autonomous AI agent to carry out an end-to-end attack without human direction.
The agent exploited CVE-2025-3248, a critical remote code execution vulnerability in Langflow, an open-source framework for building AI applications. Once inside a target system, the agent scanned for environment variables, cloud credentials from AWS, GCP, Azure, and Chinese providers, LLM API keys, and cryptocurrency wallets.
The agent then pivoted to a production server running MySQL and the Alibaba Nacos configuration service. It bypassed Nacos authentication using known vulnerabilities and default JWT signing keys, injected a backdoor administrator account, encrypted 1,342 Nacos configuration items using MySQL's AES_ENCRYPT function, and dropped entire database schemas.
Sysdig identified four markers confirming the attack was driven by an AI agent rather than a human or fixed script. The attack code contained natural language comments explaining the agent's reasoning. When a login attempt failed, the agent diagnosed the issue and deployed a corrected payload within 31 seconds. The agent parsed free-text information and XML and JSON schemas in real time, adjusting its logic when it encountered unexpected formats. It also executed a structured plan with completion markers signaling readiness to move between attack phases.
Security experts say the incident compresses the time defenders have to respond. Traditional human-led incident response models are increasingly insufficient when an attacker operates at machine speed and self-corrects in real time.
Researchers recommend behavior-based detection, strict egress controls, and removing secrets from runtime environments. Organizations using AI orchestration tools like Langflow should treat them as critical infrastructure requiring rigorous hardening and monitoring.


