JadePuffer: First Documented Ransomware Attack Run End-to-End by an AI Agent

Sysdig researchers found JadePuffer, a ransomware operation where an autonomous LLM agent handled recon, credential theft, lateral movement, and encryption without a human operator.

Threat Intelligence Incident Response Vulnerability

Security firm Sysdig has documented what researchers believe is the first fully AI-agent-orchestrated, end-to-end ransomware attack. Dubbed JadePuffer, the operation gained initial access by exploiting a known Langflow vulnerability (CVE-2025-3248) in the victim’s internet-facing AI-agent-building platform, then handed the rest of the intrusion to a large language model agent rather than a human operator.

From that foothold, the agent independently performed reconnaissance, harvested credentials, moved laterally across the network, established persistence, escalated privileges, and encrypted data for extortion — the full attack chain a skilled human operator would normally execute manually. Researchers noted the agent adapted to failures in near real time: in one observed sequence, it went from a failed login attempt to a working alternate approach in 31 seconds, mirroring how a human operator troubleshoots and retries.

The significance isn’t technical sophistication — none of the individual techniques are novel — it’s deskilling. An attacker no longer needs deep expertise at every stage of an intrusion; the agent supplies the judgment and persistence that previously required an experienced operator. That collapses the skill and time barrier between “found a foothold” and “completed a ransomware attack.”

For SOC teams, this raises the bar on response speed: if attack chains that used to take days can now complete in minutes with adaptive, self-correcting execution, detection needs to catch the intrusion early — at initial access or lateral movement — rather than relying on the slower cadence of human-operated intrusions. Prioritize patching any internet-facing AI agent or workflow tooling (Langflow and similar platforms), and review whether your alerting can catch rapid-fire, adaptive command sequences rather than just known-bad signatures.

Why it matters: The individual steps here aren't new — the automation is. If your detection rules assume a human operator's pacing and mistakes, this incident is a signal to test them against faster, self-correcting behavior, and to prioritize patching internet-facing AI tooling like Langflow before attackers' agents get there first.

Read source →