Sysdig’s Threat Research Team says it has documented the first end-to-end ransomware operation executed by an autonomous LLM agent, an intruder its researchers labeled JADEPUFFER. The initial access path was CVE-2025-3248, an unauthenticated RCE in Langflow, the open-source tool for building AI applications. From there the agent moved laterally to a production box running MySQL and Alibaba Nacos, and worked the rest of the job on its own.
What the agent did next reads like a checklist rewritten by something that had read every previous checklist. It scanned the host for LLM API keys, cryptocurrency wallets, database credentials, and cloud credentials across Alibaba, Aliyun, Tencent, and Huawei. It planted a crontab entry that phones home every 30 minutes. Then it encrypted 1,342 Nacos service configuration items using MySQL’s own AES_ENCRYPT(), dropped the original config_info and history tables, and created a new extortion table named README_RANSOM.
The agent gave itself away by talking to itself. According to Sysdig director of threat research Michael Clark, JADEPUFFER’s payloads were “self-narrating,” and “contained natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don’t often write but LLM-generated code produces reflexively.” Dark Reading’s account of the report notes the attack adapted mid-run, closing the gap from failed login to working fix in 31 seconds.
Clark told TechCrunch a human was still in the loop, but not in technical execution, and Sysdig couldn’t identify the specific model or see its system prompt. On LinkedIn, Microsoft’s Geoff McDonald speculated it was an open-weight model with safety training stripped, since frontier labs’ guardrails have generally held under red-teaming.
The structural read is the one Sysdig itself keeps pointing at. Ransomware has historically been gated by operator skill; the last decade’s affiliate model existed to rent that skill out. An agent that improvises its own lateral movement in half a minute collapses that gate. Combine it with LLMjacking, where the compute itself is stolen, and the attacker’s marginal cost drops toward zero. The economics that made 2020-era ransomware a professional guild are the economics being dissolved here.
Sources
- https://www.sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion
- https://techcrunch.com/2026/07/06/the-first-ai-run-ransomware-attack-still-needed-a-human/
- https://www.theregister.com/security/2026/07/02/smooth-ai-criminal-drives-first-end-to-end-agentic-ransomware-attack/5266073
- https://www.darkreading.com/cyberattacks-data-breaches/jadepuffer-first-complete-llm-driven-ransomware-attack
- https://www.bleepingcomputer.com/news/security/jadepuffer-ransomware-used-ai-agent-to-automate-entire-attack/