
Cybersecurity Researchers Identify First Completely Self-governing AI-Driven Ransomware Attack
- By John K. Waters
- 07/14/26
Danger scientists at cloud security firm Sysdig have divulged what they refer to as the very first documented ransomware operation performed end-to-end by an autonomous AI agent, with no human typing commands or directing private actions once the attack was underway. The firm called the danger actor JADEPUFFER and released its technical analysis between July 4 and July 6.
According to Sysdig, JADEPUFFER got preliminary gain access to through an internet-facing instance of Langflow, an open source structure that developers utilize to build AI applications and agent workflows. The entry point was CVE-2025-3248, a missing-authentication defect that enables an unauthenticated aggressor to run approximate Python code on the host. The supplier covered the defect in Langflow 1.3.0, and the Cybersecurity and Facilities Security Company (CISA) included it to its Understood Exploited Vulnerabilities list in Might 2025, suggesting the vulnerability itself was neither new nor secret at the time of the attack.
As soon as inside, the representative identified the host and swept the environment for tricks throughout numerous classifications at the same time, consisting of application programs interface keys for OpenAI, Anthropic, DeepSeek, and Google; cloud credentials spanning Amazon Web Provider, Google Cloud, Microsoft Azure, and a number of Chinese companies; cryptocurrency wallet seed phrases; and database qualifications. It discarded Langflow’s backing Postgres database, discovered a MinIO object storage service still keeping up its factory-default credentials, and set up a crontab entry that beaconed to the attacker’s facilities every 30 minutes to keep perseverance. From there, it utilized harvested credentials to reach a different, internet-exposed production server running MySQL and Alibaba’s Nacos setup platform, making use of a 2021 authentication bypass and creating a token with a default signing key openly known considering that 2020.
The most noteworthy evidence of autonomous operation, according to Sysdig, came when an early effort to place a backdoor administrator account into Nacos failed a login check. Thirty-one seconds later, with no human intervention, the representative identified the cause as a subprocess course problem that avoided the password hash from being created correctly, changed its technique, and finished the task. The representative went on to secure 1,342 Nacos setup records and leave a ransom note. Sysdig stated it could not determine which underlying AI design powered the agent, which the payloads included natural language reasoning and self-narration common of big language model output instead of a fixed, pre-scripted toolkit.