JadePuffer: An AI Orchestrates a Ransomware Attack

Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
JadePuffer: An AI Orchestrates a Ransomware Attack
An AI agent is reported to have independently conducted a ransomware attack, from exploiting a vulnerability to encrypting data. With JadePuffer, Sysdig describes an automated, effective operation, albeit still improvable.
JadePuffer could mark a significant milestone in the automation of cyberattacks. Sysdig researchers believe they have documented the first case of a ransomware operation fully controlled by an LLM agent, rather than by simple AI-generated scripts. After exploiting a vulnerability in Langflow, the agent reportedly continued the intrusion on its own, from stealing secrets to lateral movement, while correcting its mistakes in real-time. It is still an imperfect demonstration, but already sufficiently autonomous to raise concerns.
An Autonomous Ransomware, but Still Clumsy
In detail, JadePuffer is said to have first exploited a remote code execution vulnerability in Langflow (CVE-2025-3248), an open-source framework used to create applications related to LLMs. This is an attractive target for attackers, as such instances can concentrate API keys, cloud credentials, or secrets that provide access to other services.
From this initial access, the agent would have independently conducted reconnaissance:
- Inventory of the environment
- Search for credentials
- Identification of accessible services
- Selection of priority targets
Sysdig also indicates that they found highly commented payloads, with explanations in natural language about the actions taken, their objectives, and the corrections to be made.
The attack would then have pivoted to a production server exposing a MySQL database and Alibaba Nacos, a tool that helps application services discover and share their configuration settings. After a failed connection attempt on Nacos, the agent reportedly modified its approach and gained functional access in 31 seconds, a sign of automation capable of observing failure, deriving a correction, and continuing the intrusion.
JadePuffer would then have moved to extortion. The agent allegedly encrypted 1,342 configuration items, destroyed the originals, and left a ransom note. However, the operation did not quite conclude as planned: according to researchers, the encryption key was generated without being stored or transmitted to the attackers, and was subsequently lost.
The Bitcoin address displayed in the ransom note also corresponds to a widely used example address in Bitcoin documentation, suggesting that the agent may have used a generic template rather than a real payment address. Thus, an AI-driven attack was effective in execution, but not yet fully refined in terms of extortion.
Less Expert Attacks, but Easier to Launch
For Sysdig, the danger posed by JadePuffer lies not so much in novel techniques but in their automation. An AI agent can test known vulnerabilities, search for secrets, reuse credentials, pivot between multiple services, and adapt its actions without a human operator mastering each step in detail. In other words, the technical level required to carry out a destructive attack is significantly lowered.
It is therefore essential to patch Langflow instances against CVE-2025-3248 and, more broadly, to keep exposed services up to date. Execution or validation functions should not be directly accessible from the Internet. The same caution applies to API keys and cloud credentials, which have no place in open online application environments.
On the Nacos side, Sysdig recommends changing default keys, updating the service, and avoiding any direct exposure. The same logic applies to databases:
- No administrator access when a limited account suffices
- No open ports without restrictions
- No unrestricted outgoing connections
- No broader privileges than necessary
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.