Hard2bit
← Back to the cybersecurity blog

JADEPUFFER: the first ransomware run end to end by an AI, and what it means for your defence

By Adrián González · CEO · Published: 04 July 2026 · Updated: 04 July 2026
JADEPUFFER: agentic ransomware does not reinvent the attack, it automates your neglected exposure

Sysdig’s Threat Research Team has documented what it describes as one of the first clear cases of agentic ransomware: an extortion operation in which a language model appears to have driven the intrusion from end to end, without relying on a human operator at the keyboard for every step or on a rigid script simply executing a predefined sequence.

The operator has been named JADEPUFFER. According to Sysdig’s research, published on 1 July 2026, the agent chained the full intrusion lifecycle: initial access through a known vulnerability, environment enumeration, credential discovery, access to internal systems, persistence, compromise of the real target, encryption of production configuration, deletion of database tables and delivery of a ransom note.

The lesson is not that a revolutionary new technique has appeared.

The lesson is more uncomfortable: the skill threshold for running a complete attack falls when an agent can test, fail, correct and chain steps on its own.

For years, ransomware has had a human somewhere in the loop: someone typing commands, adapting the intrusion, or writing the malware that later runs automatically. What Sysdig documents changes part of that assumption. Not because the human disappears, but because more of the tactical execution can be delegated to a model.

This should not be read as science fiction. It should not be dismissed as marketing panic either. It is a technical warning with published indicators of compromise, and it should be read defensively.

The message for companies is simple: agents do not need zero-days to cause serious damage. They only need to find what was already exposed, unpatched or full of secrets.

Executive summary: what should worry a company

JADEPUFFER does not change the fundamentals of defence.

It accelerates them.

The operation observed by Sysdig did not depend on exotic techniques. It relied on familiar weaknesses: an exposed and vulnerable Langflow service, secrets available in the compromised environment, default credentials in object storage, an internet-reachable Nacos configuration service, an exposed MySQL database, persistence through a scheduled task, weak egress control and no early detection before the destructive phase.

What is new is the way those pieces were chained.

An agent can enumerate, test, make mistakes, correct itself and move forward at a speed that changes the economics of the attack. That makes the long tail of forgotten systems — admin panels, exposed internal services, AI servers, databases, configuration stores and default credentials — more dangerous than before.

For companies already using AI, agents, Langflow, MCP, cloud services or internal automation, this case connects directly with AI security⁠ and AI agents and MCP security audits⁠.

What Sysdig observed, at a conceptual level

The operation began with something very common: neglected infrastructure exposed to the internet.

The entry point was CVE-2025-3248, a critical vulnerability in Langflow, an open-source framework used to build applications and workflows with language models. The flaw allows unauthenticated remote code execution in versions prior to 1.3.0.

The vulnerability was fixed in Langflow 1.3.0 and added to CISA’s KEV catalogue in May 2025. Many servers, however, remained unpatched or publicly reachable.

From that point, the intrusion followed a familiar pattern.

The agent enumerated the system, searched the environment for secrets, found AI provider keys, API keys, cloud access material and database credentials. It also accessed a MinIO object store with unchanged default credentials and established persistence using a scheduled task.

Then it pivoted towards the real target: a server running a MySQL database and a Nacos configuration service exposed to the internet.

In that environment, the agent abused known Nacos weaknesses, created an administrator account, encrypted production configuration, deleted original tables and left a ransom note. Later, the operation went further and destroyed entire databases.

There is no defensive value in reproducing the attack step by step.

The useful question is different: which conditions allowed an agent to chain a complete intrusion without being stopped before data destruction?

The machine gives itself away

Sysdig argues that the operation was driven by a model, and its analysis points to several signals.

The first is striking: the attack code and payloads contained natural-language comments explaining why each step was being taken. A human intruder rarely documents one-line commands in that way during an operation. A model, by contrast, often generates explained, reasoned and commented output by default.

The second signal is the speed of correction. In one part of the operation, the agent moved from a failed attempt to a working correction within seconds, diagnosing the issue and adjusting the strategy instead of blindly retrying.

The third signal is the variety of payloads. Sysdig describes hundreds of distinct, purpose-driven payloads, more consistent with adaptive execution than with a rigid script.

The fourth signal is almost ironic: the ransom note contained a Bitcoin address that matches a widely documented example address in public Bitcoin material. The encryption key was also generated randomly, printed once and not saved or transmitted anywhere.

In other words, even paying would not realistically recover the data.

That matters.

In a traditional ransomware operation, the attacker wants to get paid. In an operation poorly delegated to an agent, the destructive phase may execute without the operator having properly designed the recovery process.

For the victim, the outcome is worse: there is no useful negotiation, only restoration.

Not a new technique, but a new economy

JADEPUFFER does not prove that classic defences no longer work.

It proves they have become more urgent.

The operation did not require an unknown vulnerability. It did not break cryptography. It did not rely on a sophisticated chain of zero-days. It relied on exposure, missed patching, poorly protected credentials, published internal services and weak runtime detection.

That changes three things for defenders.

The cost of attacking falls

If an agent can chain reconnaissance, exploitation, credential discovery, lateral movement, persistence and destruction, the operator needs less tactical skill to run a complete operation.

That does not turn every attacker into an advanced actor.

But it does lower the barrier.

Automation no longer just launches a known exploit. It can decide what to try next, correct errors and move towards the real target.

Old vulnerabilities get new life

CVE-2025-3248 was not a zero-day when it was used in this operation. It was already documented, patched and included in KEV.

That is the problem.

An agent can test known vulnerabilities, exposed panels, default keys and forgotten services at a scale that makes technical debt more dangerous. The long tail of ownerless systems becomes a continuous attack surface.

Here, “running a scanner” is not enough. Companies need vulnerability management⁠ based on exposure, real exploitability, asset criticality and response capability.

Intent becomes more visible

There is also a defensive opportunity: some models narrate what they are doing.

Comments, function names, explanatory strings and overly descriptive payloads can help reveal intent. They do not replace process, network or database telemetry, but they add useful signals.

The question is no longer only what command was executed.

It may also be what the agent was trying to achieve.

Why Langflow, Nacos and MySQL matter in real companies

This case is not only about Langflow.

Langflow matters because many companies are deploying AI orchestration tools, LLM workflows, internal APIs, agents and connectors without applying the same discipline they would apply to a critical application.

Nacos matters because configuration services often contain the keys to the kingdom: endpoints, credentials, secrets, internal routes, production parameters and deployment logic.

MySQL matters because many organisations still expose databases, directly or indirectly, due to operational convenience, legacy integrations or architectural mistakes.

The combination is dangerous: an exposed AI component, secrets available in the environment, weakly hardened configuration services, databases with excessive privileges, poor segmentation, no egress control and no alerts until destructive operations begin.

This is not only a problem for AI startups. It affects any company introducing agents, automation or AI tools without reviewing the attack surface⁠ it is creating.

A first passive review with Hard2bit Scanner⁠ or the public Hard2bit Scanner⁠ can help identify relevant external signals: forgotten subdomains, exposed technologies, public security posture, headers, certificates, storage exposure, compliance signals and readiness for the AI-agent era.

It does not replace an internal audit.

But it helps answer a basic question: what can an attacker see before touching your network?

What a SOC should detect before encryption

The reasonable response is not only to patch, although patching is essential.

The correct response is to assume that an attacker can turn a recent or old advisory into a working chain quickly, and to move part of the defensive weight towards behavioural detection.

A managed SOC⁠ with sufficient telemetry would have had several opportunities to detect this operation before the destructive phase.

Relevant signals include anomalous child processes launched by a web service, an AI orchestration tool or a component that should not normally execute shells, interpreters or network utilities.

They include targeted reads of sensitive files such as .env, credentials.json, AI provider keys, cloud credentials, API tokens or configuration files.

They include access to object stores using default credentials, or from sources that do not match the normal application pattern.

They include scheduled tasks that perform periodic outbound connections, especially when created by processes that do not normally behave as network agents.

They include outbound connections from an AI server or internal application to unusual external destinations.

They include access to configuration services, admin consoles or databases from systems that should not have that role.

They include destructive database operations: dropping tables, deleting entire databases or creating ransom structures.

They include sudden changes to production configuration without a corresponding deployment.

These detections do not depend on one signature. They depend on behaviour, context and relationships: which process launched what, towards which destination, under which user and at what time.

That is exactly where threat hunting⁠ matters: not waiting for a generic alert, but actively searching for patterns compatible with a real intrusion.

Indicators of compromise are useful, but not enough

Sysdig published indicators of compromise associated with JADEPUFFER, including command-and-control infrastructure, wallet information and ransom-note artefacts.

They are useful.

But they should not be the only basis for defence.

IoCs age quickly. An agent can change an IP address, a path, a filename or a visible string in seconds. The more stable layer is behaviour: anomalous execution from web services, secret discovery, persistence, outbound connections, misuse of credentials, access to configuration and destructive operations.

Defence should combine several levels.

Concrete indicators for rapid hunting.

Behavioural detection to find variants.

Asset context to prioritise what matters.

Prepared response to contain before destruction.

That approach fits an EDR, XDR and MDR⁠ operation integrated with SIEM, cloud logs, databases, containers and application telemetry.

Practical defence: what would have slowed JADEPUFFER down

The measures that would have reduced JADEPUFFER’s impact are well known.

The difficulty is applying them to the infrastructure many organisations do not look at closely: internal services, AI tools, configuration stores, administrative accounts and databases.

1. Do not expose code-execution endpoints

Langflow and similar tools must be treated as critical applications, not lab toys.

If a tool can execute code, call connectors or handle credentials, it should not be exposed without strong controls.

Review internet exposure, authentication, patching, segmentation, process permissions, environment variables, available connectors, accessible secrets, generated logs and allowed outbound connections.

An AI agents and MCP security audit⁠ should cover exactly this: what the agent can do, which tools it can invoke, which secrets it touches and which limits exist if it behaves unexpectedly or becomes an entry point for an attacker.

2. Move secrets out of the runtime environment

Many AI and automation servers store provider keys, cloud tokens, database credentials and internal secrets next to the process itself.

That turns remote code execution into immediate credential theft.

Secrets should live in a secret manager, with least privilege, rotation, traceability and limited scope. If a service only needs to read a queue or call one API, it should not hold cloud administrator credentials or root access to a database.

This connects directly with non-human identity security⁠: service accounts, tokens, API keys and machine credentials are prime targets for automated attacks.

3. Harden configuration services

Configuration services such as Nacos are critical assets.

They should not be exposed to the internet. They should not retain default signing keys. They should not connect to databases with excessive privileges.

A production configuration store can contain more value than a confidential document: internal routes, credentials, services, feature flags, endpoints, integrations and business logic.

Hardening them means strong authentication, unique keys, segmentation, administrative control, centralised logs, change review, minimal database access, configuration backups and alerts for mass modification.

4. Do not publish administrative databases

A production database should not be reachable from the internet except in rare, strongly justified and controlled cases.

And an administrative database account should not be the normal application credential.

Apply source restrictions, role-based accounts, least privilege, credential rotation, permission reviews, alerts for destructive operations, tested backups and separation between administration and execution.

5. Control egress

Many defences focus on preventing entry. JADEPUFFER shows why outbound control also matters.

A compromised server should not be able to beacon freely to arbitrary external destinations or reach any database or API it wants.

Egress control limits command and control, exfiltration, payload download, lateral movement, credential misuse and communication with attacker infrastructure.

The practical rule is simple: if a server does not need to talk to the internet, it should not be able to. If it does need to, access should be restricted by destination, port and business purpose.

6. Test restoration

In this case, the encryption key was not properly saved or transmitted. Negotiation was not a realistic option.

When encryption or deletion makes data unrecoverable, restoration is the only plan.

That is why defence does not end with prevention. It requires business continuity and disaster recovery⁠, protected backups, tested restoration and realistic recovery times.

An immutable backup⁠ is not a technical decoration. It can be the difference between rebuilding and negotiating with someone who may not even be able to return the key.

AI agent security: the unresolved problem

JADEPUFFER also leaves a lesson for companies deploying internal AI agents.

The question is not only whether the model responds well.

The question is what it can do.

An agent with access to internal tools, connectors, databases, repositories, configuration systems or cloud credentials looks less like a chatbot and more like a technical operator.

That means it needs production controls: its own identity, minimal permissions, action logging, tool limits, human approval for critical actions, separated environments, secrets outside the prompt and direct runtime, observability of calls, a kill switch, connector review, abuse testing and egress control.

We covered this approach in MCP security for enterprise AI agents⁠: a poorly governed connector is effectively a privileged API exposed to probabilistic logic.

If that architecture is also internet-facing or holds production secrets, the risk is no longer theoretical.

NIS2, DORA and ENS implications

For an organisation subject to NIS2⁠, an incident like JADEPUFFER is not only a technical issue.

Destruction of production configuration and data can affect service continuity, system integrity and notification obligations. It also forces the organisation to demonstrate vulnerability management, access control, incident response and technology-chain governance.

Under DORA⁠, this case maps directly to digital operational resilience: ICT assets, patch management, technology dependency, recovery testing, monitoring and response capability.

Under the ENS⁠, the reading is equally clear: inventory, configuration control, service protection, traceability, change management, backups and incident response.

The difference between compliance on paper and resilience in practice is evidence: which assets were exposed, what versions they ran, which credentials existed, which logs were preserved, which alerts triggered, when detection happened, what data was lost, which restoration was tested and which decisions were made.

For organisations working across several frameworks, it is worth reviewing how ENS, ISO 27001, NIS2 and DORA⁠ relate to one another. The controls repeat under different names: governance, inventory, vulnerability management, continuity, detection, response and continuous improvement.

What companies should review now

After JADEPUFFER, any organisation using AI tools, agents, internal automation, configuration services or exposed databases should be able to answer the following questions.

Do we have Langflow, Nacos, MinIO, databases, admin panels or AI tools exposed to the internet?

Do we know which versions they run and who owns their update cycle?

Do we have internal assets exposed publicly that are missing from the official inventory?

Are AI provider keys, cloud credentials or database credentials stored in environment variables or .env files?

Are default credentials still present in object stores, internal services or configuration tools?

Can our AI servers execute code or invoke internal tools without control?

Is outbound connectivity restricted from internal servers?

Do we alert on destructive database operations?

Do we have immutable backups and tested restoration?

Does the SOC see processes, connections, configuration changes and database activity, or only perimeter logs?

Have we tested what would happen if an AI agent or AI orchestration tool were compromised?

These questions can be addressed through a combination of cybersecurity audit⁠, attack surface management⁠, AI security⁠ and prepared incident response⁠.

As a first external and non-intrusive step, you can also analyse your domain with Hard2bit Scanner⁠ to obtain a passive view of public posture, exposure, technologies, headers, certificates, compliance signals, visible subdomains and readiness for the AI-agent era.

The warning, in proportion

JADEPUFFER is not the end of the world.

It is not an unstoppable threat either.

It is a signal of where extortion is moving: less dependence on expert operators for each step, more delegation to agents capable of testing, correcting and chaining known techniques.

The defensive fundamentals have not changed: real inventory, less exposure, exploitation-based patching, well-managed secrets, least privilege, segmentation, egress control, runtime detection, backups that actually restore and prepared response.

What has changed is the speed and cost with which an attacker can test the catalogue against your most forgotten systems.

It is safer to assume that every exposed server, configuration store, AI tool, administrative account or reachable database will be probed by a machine, not only by a person.

And a machine does not get tired.

Do you know what an agent could see and exploit in your organisation?

Hard2bit helps companies reduce exposure, secure AI systems, monitor real behaviour and respond before an intrusion becomes data destruction.

We can support you with:

If you want to review your public exposure, you can start with a passive scan through Hard2bit Scanner⁠. If you need a deeper assessment of agents, exposed services, secrets, cloud, databases and detection, contact the Hard2bit team through our contact page⁠.

Recommended sources

  • Sysdig Threat Research Team: JADEPUFFER, Agentic ransomware for automated database extortion
    https://www.sysdig.com/blog/jadepuffer-agentic-ransomware
  • CISA: CVE-2025-3248 added to the Known Exploited Vulnerabilities catalog
    https://www.cisa.gov/news-events/alerts/2025/05/05/cisa-adds-one-known-exploited-vulnerability-catalog
  • NVD: CVE-2025-3248
    https://nvd.nist.gov/vuln/detail/CVE-2025-3248
  • INCIBE-CERT: CVE-2025-3248
    https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2025-3248
  • NVD: CVE-2021-29441, Nacos authentication bypass
    https://nvd.nist.gov/vuln/detail/CVE-2021-29441
  • GitHub Advisory Database: CVE-2021-29441
    https://github.com/advisories/GHSA-36hp-jr8h-556f

Frequently asked questions

What is agentic ransomware and how does it differ from traditional ransomware?

It is an extortion operation in which an LLM-based AI agent runs the whole attack — entry, credential theft, lateral movement, encryption and destruction — instead of a human at the keyboard or a fixed script. The practical difference is not the techniques, which are well known, but the cost: the skill required drops to whatever it takes to rent an agent, which greatly widens the pool of possible attackers.

How did JADEPUFFER get into the victim's network?

According to Sysdig, the entry point was CVE-2025-3248, a missing-authentication flaw in Langflow that lets anyone run code on the server without logging in. It had been patched since May 2025 and listed in CISA's KEV catalogue, but the affected server was never updated. From there the agent pivoted to an internet-facing MySQL database server and a Nacos configuration service.

Can the data encrypted by this attack be recovered?

Not by paying. Sysdig observed that the encryption key was generated at random, printed once, and never stored or transmitted. There is no key the attacker can hand over. Worse, the final phase was destructive: whole tables and databases were dropped. The only realistic recovery path is immutable backups and a tested restoration.

How did researchers know an AI model was driving the attack?

From four lines of evidence. The clearest is that the payloads were full of natural-language comments justifying each step, something a model produces by default and a human does not write into one-liners. Add to that error correction at machine speed — from a failure to a multi-step fix in 31 seconds — comprehension of free text planted in the environment, and an anomaly in the ransom note's Bitcoin address.

Which detection signals make sense to watch at runtime?

Anomalous child processes hanging off web or AI-orchestration services (interpreters, shells, network utilities), access to object stores and internal databases with default credentials, scheduled tasks making outbound network calls at fixed intervals, and destructive operations against database schemas. The indicators of compromise Sysdig published are a complement, not a sole defence.

Which specific controls would have reduced the impact?

Not exposing code-execution endpoints to the internet and patching AI-orchestration tools; moving secrets out of the environment of web-reachable processes into a minimally scoped manager; hardening configuration services by changing default keys and avoiding root database connections; never publishing a database's administrative account; applying egress controls; and keeping immutable backups with tested restoration.

What are the compliance implications for NIS2 and DORA?

Destroying production data and configurations triggers incident reporting and continuity obligations. DORA also pushes towards operational resilience testing and control of third parties and ICT assets, and this attack's pattern — entering through a neglected component and reaching production — is precisely the scenario those tests should anticipate. Traceability over internal services is no longer optional.

Is JADEPUFFER a mass threat or an isolated case?

Today it is a documented case, not a high-volume campaign. But Sysdig frames it as a trend signal: as agentic tooling matures, expect more operations of this kind, especially against exposed and unmaintained infrastructure. The sensible response is not panic but reinforcing the defensive fundamentals and assuming that probing your systems will increasingly be done by a machine, not just a person.