Sysdig JadePuffer: First Documented End-to-End Agentic Ransomware Campaign

7 min read
Sysdig JadePuffer: First Documented End-to-End Agentic Ransomware Campaign
TL;DR

The Sysdig Threat Research Team (TRT) has documented JadePuffer, a cyberattack campaign identifying the first credible instance of agentic ransomware in the wil…

The Sysdig Threat Research Team (TRT) has documented JadePuffer, a cyberattack campaign identifying the first credible instance of agentic ransomware in the wild. Exploiting a remote code execution vulnerability in the Langflow orchestration platform (CVE-2025-3248), the attacker deployed an autonomous Large Language Model (LLM) agent to execute the entire attack loop—encompassing system reconnaissance, credential harvesting, privilege escalation, lateral network movement, and database encryption—without human intervention.

Sysdig JadePuffer Agentic Ransomware Campaign Banner

The Shift to Agentic Threat Actors (ATA)

Security analysts have long warned about the potential use of AI in cyberattacks, but most historical examples were limited to AI-assisted phishing or malware creation. In these cases, the AI acted as a tool or helper, while a human attacker remained responsible for orchestrating the execution.

JadePuffer represents a transition to Agentic Threat Actors (ATA). In an ATA campaign, the AI agent is not a passive tool but the active operator. Once initial access is established, the agent runs an autonomous loop, analyzing terminal outputs, adapting to unexpected system errors, writing payloads, and deciding which servers to target next based on what it discovers.

While the agent performed all execution steps, the campaign still relied on human actors for initial infrastructure setup, target identification, and LLM API configuration. Understanding this human-agent split is critical to evaluating the modern threat landscape.

The Kill Chain: From Langflow Exploit to Database Extortion

The JadePuffer attack loop followed a structured execution path:

  1. Initial Access via CVE-2025-3248: The attack targeted internet-facing instances of Langflow, a popular open-source visual framework for building multi-agent AI pipelines.
  2. Local Host Reconnaissance: The agent checked the local OS environment, harvested environmental secrets, and located active database credentials.
  3. Lateral Network Pivoting: The agent leveraged harvested keys to establish SSH connections and scan internal network segments, discovering configuration services like Alibaba Nacos and active MySQL databases.
  4. Autonomous Self-Correction: When scripts failed due to syntax or environmental issues, the agent analyzed the error stack and rewrote the code on the fly.
  5. Database Encryption & Extortion: The agent connected to internal MySQL instances, dumped and encrypted database contents, deleted the original tables, and dropped a ransom note demanding payment.
JadePuffer Attack Loop and Kill Chain

Technical Deep Dive: The Langflow CVE-2025-3248 Exploit

The entry point for the campaign was CVE-2025-3248, a critical remote code execution (RCE) vulnerability in Langflow (affecting versions prior to 1.3.0).

The vulnerability exists within Langflow's code validation API endpoint (/api/v1/validate/code). To validate Python components built by users, the platform improperly leveraged Python's native exec() function without authentication or adequate sandboxing.

An unauthenticated attacker could send a crafted POST request to the validation endpoint containing arbitrary Python code. Because the application executed the input with the privileges of the underlying Langflow server process, this resulted in unauthenticated remote code execution.

# Conceptual example of the vulnerable validate code pattern in Langflow
def validate_code(code_string):
    # DANGEROUS: Executes unsandboxed user input directly
    exec(code_string)

By exploiting this flaw, the JadePuffer agent gained a shell on the host server, establishing the initial execution loop.

Explaining the Self-Correction & Self-Narrating Loop

The most notable behavior documented by Sysdig was the agent's capacity for real-time problem-solving.

During the lateral movement phase, the agent attempted to execute a Python script to scan the local subnet. The initial execution failed because the script referenced a library that was not installed on the host. In a traditional attack, a script failure would stall the operation until a human analyst logged in to debug the environment.

Instead, the JadePuffer agent read the traceback error from standard output, realized the dependency was missing, rewrote the script to use native Python libraries, and successfully executed the new payload within 31 seconds.

Additionally, the agent's payload code was "self-narrating." The generated scripts included natural-language comments explaining the agent's reasoning, such as:

# Checking local environment for config files
# Discovered database credentials in config.json
# Connecting to database to locate transaction records...

This reasoning trace indicates that the agent was continuously evaluating its environment and documenting its progress to guide its next logical step.

The Human-vs-Agent Responsibility Split

While the execution was autonomous, JadePuffer was not a fully independent AI. The attack required a division of labor between human operators and the autonomous agent:

JadePuffer Human vs Agent Responsibility Split

Human Threat Actor Tasks:

  • Purchased and configured the attack server.
  • Acquired API access to a commercial LLM and paid for token usage.
  • Programmed the initial system prompt instructing the agent to "identify target assets, encrypt databases, and deploy extortion templates."
  • Ran the initial exploit script against internet-facing Langflow servers.
Autonomous Agent Tasks:
  • Performed local host reconnaissance.
  • Harvested SSH keys and database passwords.
  • Executed subnet scans and discovered internal services.
  • Corrected code errors and dependencies in real-time.
  • Encrypted MySQL databases and generated custom ransom notes.
This split shows that while humans are still required to direct the threat, AI has automated the execution phase, reducing the time from initial access to database extortion from days to minutes.

Where This Fits Into Agentic Security

The JadePuffer campaign highlights the urgent need to secure AI infrastructure. Many organizations deploy orchestration platforms like Langflow, Flowise, or AutoGen in their development and production environments, granting them direct access to internal databases, cloud APIs, and sensitive credentials.

If these orchestration platforms are misconfigured or contain vulnerabilities, they provide attackers with immediate access to highly privileged environments. This risk has been highlighted in other agentic security analyses, such as the Wiz GhostApproval security advisory, which detailed how local coding agents could be manipulated into executing malicious files.

Furthermore, as agents gain local state memory and execution privileges, resolving state and configuration failures becomes a primary challenge for both defenders and developers, a topic covered in the AI agent memory state failure explainer.

Mitigation Strategies for Security Teams

To defend against agentic attacks like JadePuffer, organizations should implement the following controls:

Patch Langflow Immediately: Ensure all instances of Langflow are upgraded to version 1.3.0 or later to remediate CVE-2025-3248.

Isolate AI Orchestration Environments: Run AI development tools, orchestration frameworks, and agents in isolated, sandboxed environments. Do not grant them network access to production databases or internal configuration registries like Nacos.

Enforce Zero Trust Network Access (ZTNA): Never expose AI orchestration endpoints directly to the public internet. Ensure all access requires strict authentication and is routed through a secure gateway.

Monitor Local Host Execution: Implement Endpoint Detection and Response (EDR) agents to detect unusual execution patterns on servers hosting AI tools, such as Python processes spawning SSH scans or database dumps.

Sources: Sysdig Blog · TechCrunch · Dark Reading

Frequently Asked Questions

What is JadePuffer? JadePuffer is the first documented agentic ransomware campaign, identified by the Sysdig Threat Research Team in July 2026. It is driven by an autonomous LLM agent that executes reconnaissance, pivoting, and extortion tasks in an automated loop.
How did JadePuffer gain initial access? The campaign gained initial access by exploiting CVE-2025-3248, a critical remote code execution (RCE) vulnerability in the /api/v1/validate/code endpoint of the Langflow orchestration platform.
What makes JadePuffer different from traditional ransomware? Traditional ransomware requires manual control by a human attacker to run commands and debug payloads. JadePuffer runs autonomously using an LLM agent that can read traceback logs, self-correct code errors in real-time, and narrate its own decisions.
What systems were targeted inside the victim network? After exploiting Langflow, the agent scanned the internal network, harvested local SSH credentials, mapped services via Alibaba Nacos, and encrypted active MySQL databases for extortion.
How can organizations mitigate the risk of agentic attacks? Organizations must patch Langflow to version 1.3.0 or later, run all AI orchestration frameworks in strict network-isolated sandboxes, implement Zero Trust Access for AI endpoints, and monitor host environments for anomalous automated activity.
Disseminate Knowledge

Broadcast this intelligence

Copy Permanent Link

Want to work together?

Technical and delivery consulting for engineering leaders — diagnostics, agentic AI, and transformation with measurable outcomes.