Cloud security firm Sysdig has documented what it describes as the first confirmed agentic AI-assisted ransomware attack in the wild, carried out by a threat actor tracked as JadePuffer against an internet-exposed instance of Langflow, a popular open source framework for building LLM-driven agent workflows.
Initial Access via Critical Authentication Bypass
JadePuffer gained entry by exploiting CVE-2025-3248, a critical missing-authentication vulnerability in Langflow's code validation API endpoint with a CVSS score of 9.8. The flaw, publicly disclosed in April 2025 and added to CISA's Known Exploited Vulnerabilities catalog in early May, lets an unauthenticated attacker execute arbitrary Python code on the host running Langflow. Once inside, the attacker did not simply use Langflow as a foothold; they turned the platform's embedded LLM into an autonomous operator.
LLM-Driven Reconnaissance and Credential Harvesting
During the first phase, the LLM agent systematically swept the compromised host for sensitive material, including API keys, cloud credentials, cryptocurrency wallet data, configuration files, and database credentials. It then dumped Langflow’s Postgres database, scanned reachable internal address space and named services, probed for MinIO endpoints to extract additional credentials, and installed a cron job for persistent access. Sysdig observed the LLM adapting its behavior in real time, correcting errors, parsing free-text output from target systems, and adjusting techniques when individual steps failed.
Lateral Movement and Ransomware Deployment
In the second phase, JadePuffer pivoted to a production server running a MySQL database and an Alibaba Nacos configuration platform. Nacos, Alibaba's open source service discovery and configuration server, widely deployed in Spring Cloud Alibaba microservice stacks, has long shipped with a well-known default JWT signing key that makes token forgery straightforward. The agent went after it through several vectors at once:
- Exploiting the Nacos authentication bypass family, including CVE-2021-29441 (the User-Agent based bypass)
- Forging valid JWT tokens using the default signing key
- Injecting a backdoor administrator account directly into the Nacos backing database via root-level MySQL access
The agent also checked whether MySQL User Defined Functions (UDFs) were available, a common route from a privileged database account to OS command execution, before proceeding to encryption. It ultimately encrypted 1,342 Nacos service configuration items and created an extortion table containing a ransom demand, payment address, and contact email. The encryption key was randomly generated and never stored or transmitted, so recovery without the attacker's cooperation is effectively impossible.
LLM Behavior Confirms Genuine Reasoning, Not Pattern Matching
Sysdig's analysis of captured payloads found natural-language commentary embedded in each action, a hallmark of LLM-generated code. Critically, the agent parsed free-text context from target systems and took contextually appropriate actions across multiple sessions weeks apart, behavior consistent with genuine language understanding rather than scripted pattern matching.
Implications for Defenders
Sysdig concludes that LLM agents materially lower the barrier to complex, multi-stage attacks. The JadePuffer campaign chained well-known exploitation techniques against neglected infrastructure at near-zero cost to the attacker. As agentic tooling matures, security teams should treat exposed application servers, unhardened configuration stores, and internet-facing database administration accounts as primary targets rather than low-priority hygiene items.
