What happened?
In July 2026, researchers from Sysdig published details of JADEPUFFER, which Sysdig assesses to be the first documented example of an agentic AI-driven ransomware operation, in which an autonomous large language model (LLM) agent performed the intrusion lifecycle autonomously after initial deployment.
The attack began with exploitation of CVE-2025-3248, a critical unauthenticated remote code execution (RCE) vulnerability in Langflow, an open-source framework used to build and orchestrate AI applications. From there, the agent conducted reconnaissance, harvested credentials, searched for sensitive data, enumerated cloud resources and established persistence. Researchers observed the agent adapting its behaviour in real time. Rather than executing predefined commands, it modified requests and adjusted its approach based on system responses.
The intrusion pivoted to a production server running a MySQL database and Alibaba Nacos, an open-source service discovery and dynamic configuration platform. The agent exploited a known Nacos authentication bypass vulnerability (CVE-2021-29441) and leveraged a default JWT signing key to gain administrative access. It then encrypted all 1,342 Nacos service configuration items, deleted the originals and created a ransom note containing a Bitcoin payment address and attacker contact details.
While the attack did not rely on novel exploits, researchers concluded that the level of autonomy demonstrated throughout the intrusion differentiated JADEPUFFER from traditional ransomware operations, demonstrating an AI system capable of independently executing and adapting multiple attack stages that would historically have required direct human oversight.
So what?
The significance of JADEPUFFER is not the ransomware itself, it is what the incident may tell us about the future of cyber threats.
The attack did not rely on a breakthrough exploit or a novel technique. It combined well-known methods: exploitation of a publicly disclosed vulnerability, credential discovery, lateral movement and data encryption. What makes it noteworthy is that an AI agent carried out many of these activities autonomously. It demonstrated that an AI agent can orchestrate existing attack techniques, recover from failures and complete an intrusion without requiring continuous human decision-making.
If this trend continues, it could fundamentally alter the economics of cybercrime. Sophisticated ransomware has historically required skilled operators capable of navigating complex environments and troubleshooting failures. Agentic AI has the potential to automate many of these activities, reducing the expertise required to conduct effective attacks and enabling threat actors to scale operations significantly.
Historically, sophisticated intrusions have been constrained by the availability of experienced operators. Agentic AI has the potential to decouple attacker capability from attacker skill, allowing less experienced threat actors to conduct operations that previously required highly specialised expertise. Over time, this could increase both the volume and sophistication of attacks observed across multiple threat actor groups.
The broader concern is speed. Human attackers are constrained by time, availability and skill. Autonomous agents can operate continuously, analyse information and adapt at machine speed and potentially manage multiple intrusions simultaneously. Organisations may face attacks that move from initial compromise to business impact far faster than current detection and response processes are designed to handle.
JADEPUFFER also reinforces that cyber resilience still depends on security fundamentals. Despite the use of AI, the attack began with an exposed, unpatched system for which a fix was already available. This demonstrates that while threat actor capabilities may evolve, organisations will continue to be compromised through familiar weaknesses: poor attack surface management, unpatched vulnerabilities and excessive privileges.
Strategically, JADEPUFFER may represent the early emergence of what Sysdig describes as "Agentic Threat Actors" (ATAs), AI systems capable of independently conducting offensive cyber operations. If this capability matures, AI-driven agents could become increasingly capable of conducting reconnaissance, exploiting vulnerabilities, escalating privileges and deploying payloads with limited human involvement.
While JADEPUFFER culminated in ransomware deployment, the broader significance extends beyond extortion. The same autonomous capabilities could be applied to cyber espionage, intellectual property theft, cloud compromise, insider threat emulation or disruptive attacks against critical infrastructure. Ransomware is simply one application of a more general capability: autonomous offensive cyber operations.
As offensive AI matures, organisations should expect cyber defence to become increasingly machine-driven. Human analysts alone are unlikely to respond quickly enough to autonomous attacks capable of adapting in real time. Future security operations will increasingly rely on AI-assisted detection, automated containment and autonomous response capabilities to keep pace with machine-speed threats.
What should I do?
Assess your exposure
Identify whether Langflow or similar AI orchestration platforms are deployed in your environment and verify that CVE-2025-3248 has been remediated. Assess whether AI platforms have access to privileged credentials, sensitive data or production systems, and remove unnecessary internet exposure wherever possible.
Strengthen technical controls
Accelerate patching of internet-facing and business-critical systems. Enforce Multi-Factor Authentication (MFA) for privileged accounts, implement network segmentation to limit lateral movement, and ensure logging and monitoring extends to AI platforms, cloud workloads and configuration management systems. Harden Nacos environments by replacing default JWT signing keys and preventing direct database access using root credentials.
Prepare for AI-enabled threats
Update threat models and risk assessments to account for autonomous and AI-assisted attacks. Review incident response plans to ensure they support faster detection and containment and assess whether existing security tooling can identify behavioural anomalies rather than relying solely on known signatures.
Review governance and strategy
Include AI systems within cyber governance and security assurance programmes. Treat AI infrastructure as a critical asset and ensure business leaders understand that AI risk is increasingly a security and resilience issue, not solely a technology issue.
Questions to ask your security team
- Do we know where AI platforms and agents are deployed across the organisation?
- Are these systems included within our vulnerability management and monitoring programmes?
- Can we detect autonomous reconnaissance, credential theft and unusual automation activity?
- How quickly can we identify and contain a compromise affecting critical business systems?