Security firm Sysdig said an AI agent carried out what it believes was the first ransomware attack run from start to finish by a model, after exploiting a patched Langflow flaw to break in, steal credentials and encrypt a company's production database.
KEY FACTS
- Incident: The operator, called JADEPUFFER, used CVE-2025-3248 to get code execution on an exposed Langflow server.
- Impact: The agent encrypted 1,342 Nacos settings, deleted original tables and left a ransom note demanding Bitcoin.
- Access: It searched for cloud keys, API secrets, crypto wallet data and database logins, then pivoted into a separate MySQL and Nacos server.
- Defense gap: The Langflow flaw was fixed in 1.3.0 and added to CISA’s Known Exploited Vulnerabilities list in May 2025, but some servers remained unpatched.
The attack began with an exposed Langflow instance that allowed unauthenticated Python code execution. Langflow systems can hold API keys and cloud credentials, which made the server a useful target for whoever controlled the agent.
After gaining access, the agent mapped the machine, searched for secrets and reused a default MinIO login that had not been changed. It then set up a scheduled task to contact an attacker-controlled server every 30 minutes.
The report says the agent later reached a separate internet-facing MySQL database and Alibaba Nacos deployment, logged in as root and took over Nacos using a 2021 authentication bypass and a default signing key. It then planted its own admin account and erased the original data.
The ransom note asked for Bitcoin and used a Proton Mail address. Sysdig said the code generated an encryption key, showed it once on screen and never saved it, which meant the victim could not recover the data from the attacker even if payment was made.
Sysdig said the payloads contained plain-English comments and self-corrections that pointed to model-driven execution rather than human typing. It counted more than 600 separate payloads and said the agent fixed one failed login in 31 seconds.
WHY IT MATTERS
The case suggests automated attack tools can combine old vulnerabilities, exposed credentials and weak defaults into a full intrusion with little direct human help. For defenders, the practical priorities remain the same: patching internet-facing software, protecting secrets and blocking outbound connections from compromised servers.
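The 30-minute callback described above is fixed-interval outbound traffic, which egress logs can reveal even when the destination is unknown. As an added example (not from Sysdig's report), this Python script flags source and destination pairs whose connections are almost evenly spaced; the log format, host names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log: "ISO-timestamp src_host dst_ip:port".
# Hosts and addresses are invented (documentation ranges), not from the report.
SAMPLE_LOG = """\
2025-01-10T00:00:04 langflow-01 203.0.113.50:443
2025-01-10T00:07:41 langflow-01 198.51.100.7:443
2025-01-10T00:30:02 langflow-01 203.0.113.50:443
2025-01-10T00:52:10 langflow-01 198.51.100.7:443
2025-01-10T01:00:05 langflow-01 203.0.113.50:443
2025-01-10T01:30:03 langflow-01 203.0.113.50:443
2025-01-10T01:33:59 langflow-01 198.51.100.7:443
2025-01-10T02:00:04 langflow-01 203.0.113.50:443
2025-01-10T02:41:20 langflow-01 198.51.100.7:443
"""

def find_beacons(log_text, min_events=4, max_jitter=0.05):
    """Return {(src, dst): mean_interval_seconds} for near-periodic flows."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, src, dst = parts
        try:
            seen[(src, dst)].append(datetime.fromisoformat(ts))
        except ValueError:
            continue  # skip lines with an unparseable timestamp
    beacons = {}
    for key, times in seen.items():
        if len(times) < min_events:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: scheduled callbacks have tiny jitter
        # relative to their period, interactive traffic does not.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst} roughly every {period / 60:.0f} min")
```

On the sample data only the evenly spaced flow is reported; the irregular traffic to the second address is ignored because its gaps vary too much.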

