- Evidence Status: JADEPUFFER is the first documented agentic ransomware operation, but the case is not publicly confirmed by the victim, law enforcement, or another security firm.
- Human Boundary: Later reporting says a human still chose the victim, provisioned infrastructure, and supplied or obtained the MySQL root credentials through a prior compromise.
- Attack Path: The reported chain began with exposed Langflow, moved through secret harvesting and internal discovery, reached production MySQL and Nacos, then encrypted 1,342 configuration items and dropped tables.
- Autonomy Signal: The clearest evidence of agentic behavior was not the encryption itself, but rapid adaptation: including a failed Nacos login corrected 31 seconds later.
- Defender Test: Security teams need to reduce exposed AI infrastructure, vault and rotate secrets, restrict database privileges, harden Nacos, and monitor live behavior before an agent can turn access into destruction.
JADEPUFFER is a warning about exposed AI infrastructure, stale vulnerabilities, and overprivileged credentials. It is the first substantial case where AI is used to automatize ransomware operations.
Sysdig reports that it had observed what it assesses to be the first documented case of agentic ransomware: a destructive database-extortion operation in which an AI agent handled much of the tactical intrusion chain. The case, tracked as JADEPUFFER, reportedly began with an exposed Langflow instance and ended with encrypted Nacos configuration records, dropped database tables, and a ransom note.
Sysdig’s evidence points to an AI-driven execution chain, but as CyberScoop later reported a human still set up and pointed the operation, chose the victim, and provisioned command-and-control and staging infrastructure. The production MySQL root credentials were obtained outside the agent’s observed harvesting and handed to the operation.
That distinction matters. JADEPUFFER is not yet evidence of fully independent cybercrime with no human role. It is evidence that, once a human gives an agent a target, infrastructure, and high-value credentials, the agent may be able to chain old weaknesses at machine speed.
What Sysdig Reported, and What Remains Unconfirmed
Sysdig says JADEPUFFER operated across two targets: an internet-facing Langflow server used for initial access, and a separate production server running MySQL and Alibaba Nacos. The first host was the doorway; the second was the real objective.
At publication, there was no independent confirmation from the victim, law enforcement, or another security firm. Sysdig also did not name the victim, identify the model driving the agent, or prove that the agent’s claimed backup or exfiltration step actually happened.
The Reported Attack Path: Exposed Langflow to Production MySQL and Nacos
The reported entry point was CVE-2025-3248, a critical Langflow vulnerability affecting versions before 1.3.0. NVD describes the flaw as code injection in the /api/v1/validate/code endpoint, allowing a remote unauthenticated attacker to execute arbitrary code. Langflow 1.3.0 addressed the issue already in 2025 – the JADEPUFFER case shows how patched vulnerabilities remain dangerous when vulnerable services stay exposed.
Sysdig says all captured payloads were Base64-encoded Python delivered through the Langflow remote-code-execution endpoint. After gaining execution, the agent enumerated the host, searched for API keys, cloud credentials, cryptocurrency wallets, database credentials, and configuration files, then dumped Langflow’s backing Postgres database for stored credentials and user data.
The agent also probed internal services reachable from the Langflow host. Sysdig reported MinIO enumeration using default credentials, including buckets that appeared to contain backups, machine-learning artifacts, and infrastructure state. The attack was able due to old exposure, default credentials, reachable internal services, and secrets stored where an intruder could collect them.
The final target was a separate production server exposing MySQL and Nacos, a service-discovery and configuration-management platform. One relevant older flaw, CVE-2021-29441, affects Nacos before version 1.4.1 and can allow authentication bypass through a spoofable user-agent header. Sysdig says JADEPUFFER tested several Nacos access paths, including the older authentication-bypass pattern, JWT forgery using a default signing key, and direct administrator insertion into the Nacos database through MySQL root access.
The MySQL root credential is one of the case’s most important caveats in the case. Sysdig observed the agent using root access, but did not find the agent harvesting those credentials from the victim environment. Later reporting by various sources says the credential came from a prior compromise and was supplied to the operation.
The Strongest Autonomy Signal Was a Fast Failure-to-Fix Loop
The most important evidence of agentic behavior was not that JADEPUFFER encrypted data. Ransomware has automated encryption for many years already. But the agent appeared to observe failures, revise its method, and continue autonomously.
The clearest example came during the Nacos takeover attempt. Sysdig reported that JADEPUFFER created a backdoor administrator account, attempted to log in, failed, diagnosed likely causes, and deployed a corrected payload 31 seconds after the failed login. The revised payload changed the way the bcrypt hash was generated, removed the broken account row, reinserted a working administrator account, and then verified access.
Sysdig also described other adaptive moments: changing MinIO parsing after an expected JSON response arrived as XML, abandoning a JWT path after evidence that a custom secret was in use, and correcting a failed database drop by temporarily disabling foreign-key checks. The broader evidence included more than 600 distinct, purposeful payloads executed in a compressed window.
That evidence supports Sysdig’s assessment that an agent, rather than a rigid script or human typing each command, drove much of the operation. But so far it does not prove the agent autonomously chose the victim, selected the infrastructure, obtained every credential, or operated without human preparation.
What Was Damaged, and Why the Ransomware Label Is Messy
Once JADEPUFFER reached the production database environment, reconnaissance turned into destruction. The agent reportedly encrypted 1,342 Nacos configuration items using MySQL’s AES_ENCRYPT() function, dropped the original configuration and history tables, and created a ransom-note table containing a Bitcoin address and Proton Mail contact.
The recovery attempt is where the ransomware label becomes complicated. Sysdig says the encryption key was generated and displayed once, but was not saved or transmitted. That means paying the ransom would not have recovered the data, at least based on the evidence Sysdig saw.
Exfiltration is also unverified. The payload referred to data as already backed up to a staging server, but Sysdig’s payload caveat is a key detail in the case: “The exfiltration claim is the agent’s own assertion.” In other words, the agent claimed a backup existed, but the public evidence does not prove one happened.
That makes JADEPUFFER better described as ransomware-like destructive database extortion than as a clean conventional ransomware case. The victim was pressured with a ransom note, but the technical path to recovery appears to have been broken.
Timeline of Reported Events
| Date or sequence | Reported event |
|---|---|
| April 2021 | NVD published CVE-2021-29441, the Nacos authentication-bypass flaw affecting versions before 1.4.1. |
| March 31, 2025 | Langflow 1.3.0 was released with the relevant authentication fix for code validation. |
| April 7, 2025 | NVD published CVE-2025-3248, describing unauthenticated code execution in Langflow versions before 1.3.0. |
| Late June 2026 | The JADEPUFFER incident reportedly occurred. Later reporting says a human selected the victim, provisioned infrastructure, and supplied or obtained the MySQL root credentials. |
| Initial access | The agent exploited an internet-facing Langflow instance and delivered Base64-encoded Python payloads through the vulnerable endpoint. |
| Post-exploitation | The agent enumerated the host, dumped Langflow’s Postgres database, searched for secrets, probed internal services, and established persistence. |
| Pivot | The operation moved toward a separate production server running MySQL and Nacos, using MySQL root credentials whose origin remains outside the agent’s observed harvesting. |
| Nacos takeover | The agent tested multiple access paths, failed one administrator-login attempt, corrected the account-creation method 31 seconds later, and verified access. |
| Database extortion | The agent encrypted 1,342 Nacos configuration items, dropped configuration and history tables, and created a ransom-note table. |
| After encryption | The encryption key was not saved or sent anywhere in the evidence Sysdig observed, making recovery through payment unlikely or impossible. |
| July 1, 2026 | Sysdig published its JADEPUFFER report and assessed the operation as the first documented case of agentic ransomware. |
| July 6, 2026 | CyberScoop and TechCrunch published clarifications about human setup, victim selection, infrastructure provisioning, credential origin, and the unknown model behind the agent. |
Important Learnings
Defenders and admins are urged to remove conditions that might let an autonomous agent convert exposed services and stored credentials into destructive database access.
Ram Varadarajan, CEO at Acalvio, argued for runtime behavioral detection: watching what processes and sessions do while they run, instead of relying only on static file signatures. That matters because the critical moment in JADEPUFFER was behavioral: a failed login, a revised method, a new administrator path, and database changes in rapid sequence.
Credential governance is the other central failure point. Keeper Security’s Shane Barney tied the case to secrets, defaults, and excessive privilege, calling it a “failure of credential governance”. Keeper also put the real-time detection gap at 72 percent of organizations unable to detect credential misuse as it happens.
Heath Renfrow, co-founder and CISO at Fenix24, framed the response problem as a compressed decision window, warning in Infosecurity Magazine that defenders lose valuable time when AI agents compress operator work from hours into minutes.
Practical controls to prioritize
- Patch and isolate Langflow: Upgrade vulnerable Langflow deployments, remove public exposure where possible, and place authentication and network controls in front of AI workflow tools.
- Reduce secret blast radius: Move provider keys, cloud credentials, database passwords, and wallet material out of application environments and flow databases. Vault them, rotate them, and monitor access.
- Harden Nacos: Remove default credentials, replace default signing keys, upgrade vulnerable versions, and alert on new administrator creation, direct database edits to Nacos user tables, and suspicious user-agent bypass patterns.
- Restrict MySQL privilege: Do not expose production MySQL directly to the internet. Avoid root connections from application workflows, split privileges by function, and alert on
AES_ENCRYPT()use against configuration records, mass table drops, and foreign-key-check changes. - Watch adaptation behavior: Alert on rapid failed-then-successful login sequences, repeated payload revisions, sudden parsing changes, privilege escalation probes, cron beacon creation, and destructive database operations following reconnaissance.
- Contain autonomous tools: Put approval gates between agents and privileged actions. Broader agent-safety incidents, including browser-agent hijack testing summarized by WinBuzzer, point to the same need: autonomous steps should not have direct paths to credentials, admin consoles, or production data changes.
The JADEPUFFER case is important because it shows how an AI agent can compress a familiar intrusion chain: exposed application, secret harvesting, internal discovery, credentialed database access, adaptive troubleshooting, and destructive extortion. The individual techniques were not new. The speed, coherence, and failure-to-fix behavior are what made the case notable.
JADEPUFFER shows that human-prepared ransomware operations may increasingly delegate tactical execution to agents. For admins, the urgent work resulting from this is not just theoretical. They need to remove exposed AI infrastructure, control secrets, limit database privileges, harden configuration systems, and detect behavior changes while there is still time to stop even more advanced malware campaigns.


