News

Researchers Document First Fully Autonomous AI-Driven Ransomware Attack

Cloud security firm Sysdig has disclosed what its Threat Research Team describes as the first documented ransomware operation carried out end-to-end by an autonomous AI agent, with no human typing commands or directing individual steps once the attack was underway. The firm named the threat actor JADEPUFFER and published its technical analysis between July 4 and July 6.

According to Sysdig, JADEPUFFER gained initial access through an internet-facing instance of Langflow, an open-source framework that developers use to build AI applications and agent workflows. The entry point was CVE-2025-3248, a missing-authentication flaw that allows an unauthenticated attacker to run arbitrary Python code on the host. The vendor patched the flaw in Langflow 1.3.0, and the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities list in May 2025, meaning the vulnerability itself was neither new nor secret at the time of the attack.

Once inside, the agent enumerated the host and swept the environment for secrets across multiple categories at once, including application programming interface keys for OpenAI, Anthropic, DeepSeek and Google, cloud credentials spanning Amazon Web Services, Google Cloud, Microsoft Azure and several Chinese providers, cryptocurrency wallet seed phrases, and database credentials. It dumped Langflow's backing Postgres database, found a MinIO object storage service still running with its factory-default credentials, and installed a crontab entry that beaconed to the attacker's infrastructure every 30 minutes to maintain persistence. From there, it used harvested credentials to reach a separate, internet-exposed production server running MySQL and Alibaba's Nacos configuration platform, exploiting a 2021 authentication bypass and forging a token with a default signing key publicly known since 2020.

How the attack worked

JADEPUFFER behaved like an autonomous hacker. It broke into one vulnerable server, stole credentials, used them to break into two more systems, and when it hit a roadblock, it figured out what went wrong and changed tactics on its own, without any human directing it.

The important part isn't that it found new vulnerabilities. It used known weaknesses that organizations should already have fixed. What makes it notable is that the AI agent could plan, adapt, troubleshoot, and continue the attack by itself, much like an experienced penetration tester, but with malicious intent.

The most notable evidence of autonomous operation, according to Sysdig, came when an early attempt to insert a backdoor administrator account into Nacos failed a login check. Thirty-one seconds later, without any human intervention, the agent diagnosed the cause as a subprocess path issue that prevented the password hash from being generated correctly, switched its method, and completed the task. The agent went on to encrypt 1,342 Nacos configuration records and leave a ransom note. Sysdig said it could not determine which underlying AI model powered the agent, and that the payloads contained natural language reasoning and self-narration typical of large language model output rather than a fixed, pre-scripted toolkit.

Michael Clark, senior director of threat research at Sysdig, said in the company's published analysis that none of the individual techniques used in the attack were novel or sophisticated. The significance, Sysdig said, lies in the fact that an AI agent strung a complete extortion operation together on its own against neglected, internet-facing infrastructure. Reporting from TechCrunch noted that a human was involved in the attack's initial setup, a distinction the outlet said was important for separating JADEPUFFER from a fully hands-off attack, even as the bulk of the technical execution proceeded independently once launched.

JADEPUFFER follows a documented escalation in AI-linked cyber incidents over the past year. Anthropic disclosed in November 2025 what it called a largely autonomous cyberattack, a state-linked espionage campaign in which its Claude Code tool handled an estimated 80 to 90 percent of tactical operations with minimal human direction. Cybersecurity firm HiddenLayer's newly published 2026 AI Threat Landscape Report found that autonomous AI agents now account for roughly 1 in 8 reported AI-related security breaches, and that 76 percent of organizations surveyed cited unmanaged or unauthorized internal AI use as a growing risk.

For enterprise technology teams, JADEPUFFER's relevance has less to do with the sophistication of the attack and more to do with what it reveals about exposure. The agent succeeded entirely by chaining previously known, individually patchable weaknesses: an unpatched framework, default credentials on an object storage service, and a years-old authentication bypass on a configuration platform. Organizations running AI orchestration tools such as Langflow, or similar developer-facing frameworks that hold API keys and cloud credentials by design, are now facing the same exposure calculus long applied to continuous integration systems and secrets managers, according to researchers at the Cloud Security Alliance who reviewed the incident. The case also illustrates that the technical skill required to run a complete ransomware operation has dropped substantially, since an agent can now perform each stage without an operator possessing deep expertise in any single one.

In response to the broader trend, several AI developers have moved to tighten oversight of their own systems. Anthropic has expanded cyber-focused safety classifiers in its models, OpenAI has made a cybersecurity-oriented version of its models available through a partner platform, and Google has continued developing an automated vulnerability-scanning tool. Security researchers expect continued disclosures on JADEPUFFER's technical methods as the investigation proceeds, along with growing pressure on AI developers to build mandatory human-confirmation steps into agent actions involving credential access, lateral movement or data destruction.

About the Author

John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS.  He can be reached at [email protected].

Featured