Sysdig Says AI Agent Carried Out End-to-End Ransomware Attack Through Langflow Flaw

Security researchers at Sysdig say they have identified what appears to be the first ransomware operation executed from start to finish by an AI agent. The activity, which the company tracks under the...

Security researchers at Sysdig say they have identified what appears to be the first ransomware operation executed from start to finish by an AI agent. The activity, which the company tracks under the name JADEPUFFER, began with exploitation of a known vulnerability in Langflow, an open-source platform used to build AI applications and agent workflows.

The initial access point was CVE-2025-3248, an unauthenticated remote code execution issue that allows attackers to run Python code on a reachable Langflow server without logging in. Although the flaw was patched in Langflow 1.3.0 and added to CISA’s Known Exploited Vulnerabilities list in 2025, Sysdig said unpatched systems remained exposed on the internet.

After gaining access, the agent reportedly moved quickly through the victim environment. According to Sysdig, it searched for secrets such as API keys for AI platforms, cloud credentials, and database logins. The attackers also accessed a MinIO storage server that was still using its default credentials. Sysdig said the agent then established persistence by creating a scheduled task that contacted an external server at regular intervals.

Targeting databases and configuration data

The campaign ultimately focused on a separate system running MySQL and Alibaba Nacos, a service configuration and discovery platform common in microservice environments. Sysdig said the agent logged into the MySQL database as root, then used older Nacos weaknesses and a default signing key to take control of the platform. From there, it created its own administrative account and encrypted 1,342 Nacos configuration entries.

The ransom note demanded Bitcoin and included a Proton Mail address for contact. Sysdig said the encryption key used in the attack was generated on the fly, shown only once, and never stored or transmitted, leaving no practical way for the victim to recover the data even if payment were made.

Why researchers believe AI was involved

  • The attack payloads contained extensive plain-language explanations for each step.
  • The operator corrected errors in seconds, suggesting machine-speed decision making.
  • Sysdig counted more than 600 distinct payloads during the intrusion.

Researchers say the incident highlights how AI tools could lower the barrier to complex attacks by chaining together well-known techniques against neglected systems. Their advice remains familiar: patch exposed software, avoid placing secrets in internet-reachable environments, and restrict access to databases and management services.