JadePuffer: The First Ransomware Attack Run by an AI Agent
6 July 2026 · 8 min read
For as long as ransomware has existed, there has been a human at the keyboard. Someone picked the target, tested stolen credentials, wrote the scripts and fixed things when they broke. In early July 2026, that stopped being the only model.
On July 1st, the threat research team at Sysdig published an analysis of an operation they named JadePuffer. It is the first documented case in which the entire tactical execution of an attack, from initial access to data destruction and the delivery of a ransom note, was carried out by an AI agent built on a large language model. Not a script a human wrote in advance, but a system that made its own decisions, adapted to obstacles and corrected its own mistakes in real time.
If you run a small or mid-sized business, this is not science fiction and it is not a big-enterprise problem. It is an early warning that directly concerns anyone with anything exposed to the internet.
What actually happened
The attack started in a way that is, unfortunately, completely ordinary. An instance of Langflow, a popular open-source framework for building AI applications, was sitting exposed on the internet. It carried a known vulnerability, CVE-2025-3248, published more than a year earlier, which lets an unauthenticated attacker execute arbitrary code on the host.
Once inside, the agent did what an experienced human attacker would do, only faster. It enumerated the system, searched the environment for secrets and found them: API keys for multiple AI services, cloud credentials, database access data. It dumped the Postgres database backing the Langflow instance and probed which internal services it could reach. For persistence, it installed a cron job that beaconed back to the attacker's infrastructure every 30 minutes.
The Langflow server was never the real target. From there, the agent pivoted to a production server running a MySQL database and the Alibaba Nacos configuration service. It attacked Nacos through a combination of old weaknesses: CVE-2021-29441, an authentication bypass published back in 2021, and a default JWT signing key that nobody had ever changed.
The finale was destructive. The agent encrypted all 1,342 Nacos configuration items, dropped the original tables and created a ransom table in the database containing the demand, a Bitcoin address and a contact email.
The 31 seconds that change everything
The most important detail in the entire analysis is not any single technique. Everything JadePuffer did has been known for years. The most important detail is the speed of adaptation.
At one point the agent tried to create a rogue administrator account on the Nacos server. The first attempt failed. The agent read the error, changed its approach, generated a corrected payload and logged in successfully. From failure to working fix took 31 seconds.
An experienced human operator needs several minutes at best for the same cycle of reading the error, diagnosing, fixing and retrying. Over the course of the operation, the agent executed more than 600 distinct, purposeful payloads within a compressed time window. No human can match that tempo.
For defenders this means one thing: the time you have to notice an intrusion and respond is shrinking dramatically. An attack that used to take hours or days can now play out in minutes.
An important nuance: the human has not disappeared
It is only fair to say what the sensational headlines leave out. The human was not removed from this story entirely. According to Sysdig researchers, a human operator still set up the infrastructure, the command-and-control server, the staging server for stolen data, and chose the victim. The root credentials for the MySQL server were also not stolen from the victim's environment, which suggests the operator obtained them through a prior compromise.
What was autonomous was the tactical execution. And that is exactly the point. Until recently, an attack like this required a team of skilled people. Today it takes one operator of average skill and an AI agent. The skill floor for running a complete ransomware operation has dropped to whatever it costs to run an agent. And if that agent runs on stolen API keys, the cost is close to zero.
Why paying would not have helped
There is one more detail every business owner should remember. The key the agent used to encrypt the data was generated randomly, printed once to the console and never stored or transmitted anywhere. In other words, the victim's data is unrecoverable even if the ransom had been paid.
With classic ransomware, the attacker wants to get paid, so it is in their interest that decryption works. With a poorly configured autonomous agent, the destructive phase can execute without anyone having designed a recovery process. For the victim the outcome is worse: no negotiation, no decryption, only restoration from backup.
If the backup does not exist, or exists but has never been tested, the story ends there.
What this means for your business
JadePuffer did not attack a multinational with a dedicated security team. It attacked neglected, internet-exposed infrastructure with years-old vulnerabilities and unchanged default settings. Exactly the kind of infrastructure a large share of small and mid-sized businesses run today.
Every entry point in this attack comes down to a failure of basic hygiene: a service exposed to the internet that did not need to be exposed, a vulnerability more than a year old left unpatched, secrets and passwords stored where they should not be, default credentials nobody changed, privileged accounts with no restrictions at all.
None of these things require expensive security software. They require discipline and someone who looks after the infrastructure systematically.
Five steps to take right now
- Inventory what you have exposed to the internet. You cannot defend what you do not know exists. Every externally reachable service must have a reason to be reachable.
- Patch known vulnerabilities. JadePuffer got in through a flaw published a year earlier and moved further through a flaw from 2021. Attackers do not wait for new holes while old ones stand open.
- Change every default credential and key. A default password or a factory signing key is the same thing as an unlocked door.
- Get secrets out of configurations and environments. API keys and passwords stored in environment variables and config files are the first prize of any intrusion. Use a dedicated secrets management system.
- Test your backups, not just that they exist, but that you can actually restore from them. In a world where paying the ransom guarantees nothing, a verified backup with immutable copies kept outside production is the only real insurance policy.
Machine-speed attacks demand systematic defense
If attacks now arrive at machine speed, defense that consists of occasional intervention when something breaks is no longer defense. What is needed is a system: a regular inventory of exposed infrastructure, patching discipline, monitoring that notices unusual behavior, and a backup architecture that survives the worst case.
That is exactly the logic behind our INTO Secure service. We do not sell fear, we sell discipline: documented, verifiable and sized for your business. If you want to know how your infrastructure would hold up against a scenario like this one, contact us for a security assessment.
Source: analysis by the Sysdig Threat Research Team, published July 1, 2026.
Want this handled, without the drama?
INTO MSP runs security, backup and IT for small and mid-size companies. Step one is a short, no-obligation review.
IT Security → Contact