Researchers at Sysdig have identified a ransomware campaign they are calling JadePuffer, which they describe as the first documented case of an attack carried out entirely by an autonomous large language model (LLM) agent. The agent handled every phase of the intrusion without apparent human intervention, including reconnaissance, credential theft, lateral movement, privilege escalation, persistence, and encryption.

Initial Access and Reconnaissance

JadePuffer gained its foothold by exploiting CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow, an open-source framework for building LLM applications. The vendor patched the flaw on April 1, 2025, and CISA flagged it as actively exploited in early May of the same year. Internet-exposed Langflow deployments are commonly under-hardened and frequently hold cloud credentials and API keys, making them attractive targets.

Once inside, the agent dumped Langflow’s PostgreSQL database, collected host metadata, searched for sensitive environment variables and files, retrieved credentials, and enumerated a MinIO object store. Sysdig noted that the agent adjusted its parsing logic on the fly: when one API request returned XML instead of the expected JSON, the following payload corrected its approach automatically.

Persistence, Lateral Movement, and Escalation

The agent installed a cron job on the compromised Langflow host configured to beacon back to attacker infrastructure every 30 minutes. It then pivoted to a production MySQL server running Alibaba Nacos, a naming and configuration service, using root credentials whose origin Sysdig could not determine. Against Nacos, the agent deployed multiple payloads including one exploiting CVE-2021-29441, an authentication bypass that creates rogue administrator accounts. The agent also probed for container escape opportunities before deploying its ransomware payload.

Encryption and Extortion

JadePuffer encrypted 1,342 Nacos service configuration items using MySQL’s built-in AES_ENCRYPT() function, dropped the original configuration and history tables, and created an extortion table named README_RANSOM containing a ransom demand, a Bitcoin payment address, and a Proton Mail contact address. The ransom note claims AES-256 encryption, but Sysdig assessed the actual implementation as more likely AES-128-ECB. Notably, the encryption key was randomly generated and neither stored nor transmitted, meaning recovery would be impossible without attacker cooperation. The Bitcoin address included in the note is a widely reproduced example address from public documentation, suggesting the LLM reproduced it from training data rather than supplying an operational wallet.
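
The encryption stage described above leaves three statement types in a database session: rows rewritten in place through AES_ENCRYPT(), tables dropped, and a ransom-note table created. The following is an added detection sketch, not code from Sysdig or from the campaign, that groups those behaviours by session and alerts when they are combined. It assumes the MySQL general query log is enabled and uses constructed sample lines; the table names config_info and his_config_info are assumed from the stock Nacos schema and do not appear in the report summary.

```python
import re
from collections import defaultdict

# Constructed sample in the MySQL general query log layout
# (timestamp, thread id, command, statement). config_info and his_config_info
# are assumed Nacos table names; the page itself does not name the tables.
SAMPLE_LOG = """\
2025-01-01T03:10:01.000000Z\t   41 Query\tSELECT data_id FROM config_info LIMIT 5
2025-01-01T03:10:07.000000Z\t   41 Query\tUPDATE config_info SET content = AES_ENCRYPT(content, @k)
2025-01-01T03:10:09.000000Z\t   41 Query\tDROP TABLE his_config_info
2025-01-01T03:10:12.000000Z\t   41 Query\tCREATE TABLE README_RANSOM (note TEXT)
2025-01-01T03:11:00.000000Z\t   52 Query\tSELECT AES_ENCRYPT('probe', 'k')
2025-01-01T03:11:30.000000Z\t   53 Query\tDROP TABLE tmp_report_cache
"""

LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
RULES = {
    # Stored rows rewritten in place through the server's own AES function.
    "inplace_encrypt": re.compile(
        r"^\s*(UPDATE|INSERT|REPLACE)\b.*\bAES_ENCRYPT\s*\(", re.I),
    "drop_table": re.compile(r"^\s*DROP\s+TABLE\b", re.I),
    # Table whose name looks like a ransom note (README_RANSOM on the page).
    "ransom_table": re.compile(r"^\s*CREATE\s+TABLE\b.*(RANSOM|README)", re.I),
}

def score_sessions(log_text):
    """Return {thread_id: sorted rule names hit} for every session with a hit."""
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines and non-Query events
        _, thread, stmt = m.groups()
        for name, rx in RULES.items():
            if rx.search(stmt):
                hits[int(thread)].add(name)
    return {t: sorted(r) for t, r in hits.items()}

def alerts(log_text, min_rules=2):
    """Sessions combining at least min_rules behaviours; one alone is too noisy."""
    return {t: r for t, r in score_sessions(log_text).items()
            if len(r) >= min_rules}

if __name__ == "__main__":
    for thread, rules in alerts(SAMPLE_LOG).items():
        print(f"thread {thread}: {', '.join(rules)}")
```

A lone DROP TABLE or a SELECT that calls AES_ENCRYPT() is routine, so the alert fires only on the combination within one session.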

Indicators of Autonomous Operation

Sysdig identified several characteristics consistent with LLM-driven execution rather than a human operator:

  • Natural-language comments embedded in generated code describing operational reasoning step by step.
  • Rapid, context-aware iteration: in one sequence the agent moved from a failed login attempt to a working correction in 31 seconds.
  • Adaptive error handling that refined parameters based on specific failures rather than issuing blind retries.

Implications for Defenders

Sysdig concludes that JadePuffer marks the arrival of what it terms “agentic threat actors,” lowering the technical barrier to conducting sophisticated, multi-stage attacks. At the same time, the researchers note that LLM-generated payloads carry distinctive artifacts, including verbose inline comments and structured reasoning traces, that create new detection opportunities for endpoint and cloud security tooling. Organizations running internet-exposed Langflow or Nacos instances should treat patching CVE-2025-3248 and auditing stored credentials as immediate priorities.