Jadepuffer: The First Fully Autonomous LLM Ransomware
Sysdig researchers documented Jadepuffer, the first fully autonomous LLM ransomware that exploited a Langflow flaw to breach database servers.
Sysdig's Threat Research Team has documented what appears to be the first ransomware operation run end-to-end by a large language model rather than a human operator. Dubbed JADEPUFFER, this 'agentic threat actor' exploited a missing-authentication flaw in Langflow (CVE-2025-3248) to gain initial access, then pivoted to its real target: a production database server. What stood out most was the LLM's behavior — its payloads contained natural-language reasoning, target prioritization, and real-time self-correction, including one sequence where it moved from a failed login to a working exploit in just 31 seconds.
The attack unfolded in two phases. On the compromised Langflow host, the LLM autonomously performed system reconnaissance, harvested API keys and cloud credentials, exfiltrated data from the local Postgres database, and enumerated a MinIO object store using default credentials (minioadmin:minioadmin) to locate and download terraform-state and credential files. It then installed a crontab entry to beacon to attacker infrastructure every 30 minutes for persistence.
In the second phase, using intelligence gathered from the first host, the agent pivoted to the intended target — a production server running MySQL and Alibaba's Nacos configuration service. It simultaneously exploited known Nacos authentication bypasses (CVE-2021-29441), forged tokens using Nacos's publicly known default JWT signing key, and used root database access to inject a backdoor admin account, displaying clear plan-act-observe-adjust behavior throughout.
For engineers, this marks a meaningful shift: offensive tooling is no longer limited to human-scripted playbooks but can now be driven by autonomous AI agents capable of real-time adaptation. It underscores the urgency of hardening AI-adjacent frameworks like Langflow, rotating default credentials in tools such as MinIO and Nacos, and strengthening identity and access monitoring across exposed infrastructure.