chaosbyte
← All posts
criticalJul 07, 2026·8 min read

Jade Puffer: the first documented AI agentic ransomware

Sysdig's TRT captured what they call the first agentic ransomware — an LLM that chained reconnaissance, credential theft, lateral movement, persistence, and ransom without human intervention. It diagnosed and fixed its own failures in 31 seconds.

Sysdig's Threat Research Team just published what it estimates is the first documented case of agentic ransomware — a complete extortion operation orchestrated end-to-end by an LLM. They named the threat actor "Jade Puffer."

It's not novel exploits. It's novel orchestration.

The attack chain

Jade Puffer gained initial access through CVE-2025-3248, a missing-authentication vulnerability in Langflow's code-validation endpoint that lets an unauthenticated attacker execute arbitrary Python on the host. From there:

  • Reconnaissance: the LLM enumerated the host, network interfaces, and running processes, then swept the environment in parallel for LLM provider keys (OpenAI, Anthropic, Gemini), cloud credentials (including Chinese providers), crypto wallets, and database credentials.
  • Credential looting: dumped Langflow's own Postgres database, harvested stored keys, reviewed them, then cleaned up the staging artifacts.
  • Lateral movement: scanned the internal address space, probed databases, object stores, and service-discovery endpoints using default credentials.
  • MinIO exploitation: found a MinIO object store, enumerated all buckets, and downloaded credentials.json — escalating from anonymous health check → admin API info → authenticated bucket listing → targeted file fetch, all in one session.
  • The real target — a Nacos configuration server backing a production MySQL database. The agent attacked Nacos through multiple vectors simultaneously: known auth-bypass (CVE-2021-29441), forged JWT using Nacos's documented default signing key, and a backdoor admin user injected directly into the Nacos backing database.

The 31-second fix

That's the part that should keep anyone who builds with AI agents up at night.

The agent tried to create a backdoor admin account with a bcrypt hash generated via subprocess.run(...). The login failed. Twelve seconds later it diagnosed two possible failure modes in parallel. Nineteen seconds after that, a corrective payload replaced subprocess.run with import bcrypt, validated the library was importable, deleted the broken account, and reinserted one with a working hash. Login succeeded.

31 seconds from failure to fix: delete, diagnose, rebuild, verify. A human operator reading an error, understanding it, drafting a patch, and submitting it takes much longer.

The same pattern recurred throughout the entire session — the MinIO ?format=json request returned XML so the next payload swapped to an XML S3 parser; the JWT forgery returned "custom secret in use" so the agent abandoned that path entirely.

The ransom

Jade Puffer encrypted all 1,342 Nacos service configuration items using MySQL's AES_ENCRYPT(), dropped the original config and history tables, and created an extortion table README_RANSOM with a Bitcoin address, a Proton Mail contact, and demand text.

The AES key was generated as base64(uuid4().bytes + uuid4().bytes) — random, printed once to stdout, never stored or transmitted. The victim cannot recover the data even with payment.

A follow-up payload two minutes later dropped entire database schemas with commentary narrating its own targeting rationale.

What the Sysdig TRT flagged

Four independent lines of evidence point to LLM automation:

  1. Self-narrating code — the payloads contain natural-language reasoning about why each action is taken, explaining ROI prioritization of targets and identifying the "largest" database. Human operators don't annotate disposable one-liners this way; LLM code-generation does.
  2. Failure diagnosis at machine speed — as shown above, the agent read errors, diagnosed root causes, and produced corrective code in seconds.
  3. Comprehension of free-text context — the agent interpreted natural-language context from the target environment and took action that requires understanding, not pattern-matching.
  4. The Bitcoin address — the ransom note contains 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, the canonical Pay-to-Script-Hash example from Bitcoin developer documentation that saturates LLM training corpora. It's also a live wallet with 737 confirmed transactions. Either the LLM hallucinated it from training data and the wallet belongs to a third party who sweeps unsolicited deposits, or the operator configured a real wallet that happens to match the documentation example.

What this means

  • Ransomware is no longer a craft for the highly skilled: An LLM agent can chain reconnaissance, credential theft, lateral movement, persistence, and destruction without the operator possessing deep expertise in any one step. The barrier to entry for running ransomware has dropped to "whatever it costs to run an agent."
  • Old vulnerabilities are being automated: JADE Puffer exploited years-old issues — a 2021 Nacos auth-bypass and an unchanged default signing key — against neglected infrastructure. Agents make spraying the entire historical vulnerability catalogue effectively free.
  • Intent is legible — use it for your defense: An LLM narrates its own objectives in its payloads. That self-narration is a detection and triage opportunity defenders didn't previously have.
  • The exfiltration claim is the agent's own assertion: Before issuing DROP DATABASE, the agent's code commented "data already backed up to [server]" — self-narrated intent, not independently verified exfiltration. The victim may not have had any data stolen.

The hard takeaway

Michael Clark, Sysdig's director of threat research, called it "a marker of where extortion tradecraft is heading." The individual techniques were all known. None were novel. What was new was that an AI model strung them together into a complete ransomware operation — reading the error, fixing its own code, and carrying on.

If your organization runs AI-orchestration servers with provider API keys or cloud credentials in their environment, the lesson is clear: scope secrets away from web-reachable processes. If your infrastructure exposes database admin accounts or configuration stores to the internet, they're the first surfaces that will now be attacked.