
JADEPUFFER is the first agentic ransomware operation and it exposes old security sins at machine speed
Quick Answer
JADEPUFFER, an AI-driven ransomware operation, autonomously exploited a known Langflow vulnerability (CVE-2025-3248) to steal credentials and encrypt data, highlighting severe credential management failures.
Quick Take
JADEPUFFER, an AI-driven ransomware operation, autonomously exploited a known Langflow vulnerability (CVE-2025-3248) to steal credentials and encrypt data, highlighting severe credential management failures. The attack demonstrated machine-speed efficiency, completing tasks in seconds without human intervention.
Key Points
- JADEPUFFER exploited a patched vulnerability in Langflow, allowing unauthorized code execution.
- The AI agent created and deleted accounts autonomously, completing tasks in just 31 seconds.
- 1,342 configuration entries were encrypted, with a ransom note demanding Bitcoin.
- Old security flaws like weak passwords facilitated the attack, emphasizing credential management failures.
- 72% of organizations can't detect credential misuse in real time, increasing vulnerability.
📖 Reader Mode
~3 min readSecurity firm Sysdig describes an extortion attack where a language model broke in on its own, stole credentials, and destroyed databases. No human appeared to be at the controls.
Ransomware has always been a hands-on job. A person planned the attack, picked targets, and wrote or generated the scripts. According to a report from the threat research team at cloud security firm Sysdig, an AI agent has now taken over that entire role for the first time. The researchers named the attacker JADEPUFFER and call it an "agentic threat actor" whose attack capability comes from an AI model, not a person.
The initial entry came through a known vulnerability (CVE-2025-3248) in Langflow, a widely used tool for building AI applications. The flaw lets attackers run their own code on the server without a password. Langflow had already patched it in April 2025, meaning a fix had been available for over a year. Shortly after, the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its catalog of actively exploited vulnerabilities, effectively an official warning to update immediately.
In this case, the patch was never applied. The agent exploited the flaw and worked its way forward from that first server. It collected credentials, set up persistent access, and eventually hit a separate production server running a MySQL database, the actual target.
The machine corrected itself in 31 seconds
The most convincing evidence that no human was typing, according to Sysdig, comes down to a single moment. The agent tried to create an admin account. The login attempt failed. Thirty-one seconds later, it sent a corrected command that diagnosed the error, deleted the broken account, and built a working one from scratch.
A human reading an error message, figuring out the cause, and writing a new script would take much longer, the researchers say. Another tell was that the AI-generated code included natural-language comments explaining why it wanted to delete a particular database first. Human attackers almost never write comments like that, according to Sysdig. AI models do it reflexively.
The agent ended up encrypting 1,342 configuration entries and deleting the original tables. The ransom note demanded Bitcoin and listed a Proton Mail address. But the decryption key was only displayed once and never saved or sent anywhere. Paying the ransom wouldn't have recovered the data. The Bitcoin address itself turned out to be a well-known example address from developer documentation, likely pulled straight from the model's training data.
Old mistakes, machine speed
None of the individual techniques were new. The attack exploited long-known vulnerabilities and weak default passwords. What's new is that an AI model chained all of it together into a complete extortion operation on its own. That drops the barrier for ransomware to the cost of running an AI agent. No independent confirmation from the victim, law enforcement, or other security firms exists so far, though. Sysdig also sells products designed to detect exactly these kinds of automated attacks.
Shane Barney, chief information security officer at Keeper Security, gave a sober assessment to Hackread. He said JADEPUFFER should be read less as science fiction and more as a credential management failure at machine speed. The deciding factor wasn't novel attack techniques. It was exposed secrets, unchanged default passwords, wide-open privileged access, and no real-time monitoring of active sessions.
Barney pointed to a Keeper study finding that 72 percent of organizations can't detect credential misuse in real time and often don't notice unauthorized privileged access until hours after it starts. That gap gets dangerous when an AI agent can go from a failed login to a working admin account in under a minute.
Barney's takeaway is direct. Privileged access needs to be time-limited and scoped to individual tasks. Secrets belong in protected vaults with regular rotation. And sessions need to be monitored while they're active, not after the damage is done.
— Originally published at the-decoder.com
Want this in your inbox every morning?
Daily brief at your local 8am — bilingual EN/中文, free.
More from The Decoder
See more →
An AI model programmed nonstop for 19 days on a single MirrorCode task that cost $2,600 to run
Epoch AI's MirrorCode benchmark reveals Claude Opus 4.7 as the leader with a 56% solve rate, reconstructing a 16,000-line toolkit in 14 hours. Despite this, all models tested struggle with the most complex tasks, highlighting limitations in current AI capabilities. The single task consumed $2,600 over 19 days, raising questions about cost-effectiveness in AI development.

