cd /news/ai-safety/ai-agent-carries-out-first-ransomwar… · home topics ai-safety article
[ARTICLE · art-51449] src=sdxcentral.com ↗ pub= topic=ai-safety verified=true sentiment=↓ negative

AI agent carries out 'first' ransomware attack

Researchers at Sysdig uncovered what they believe is the first ransomware attack conducted entirely by an AI agent, dubbed JadePuffer. The agent exploited a vulnerability in open-source AI app builder LangFlow to breach systems, harvest credentials, move laterally, and destroy a database, marking a shift toward fully autonomous cyberattacks. The attack highlights growing security concerns as AI agents can chain complex attack steps without human expertise.

read2 min views6 publishedJul 7, 2026
AI agent carries out 'first' ransomware attack
Image: Sdxcentral (auto-discovered)

Researchers claimed to have uncovered what may be the first ransomware attack to be conducted by an AI agent.

Dubbed JadePuffer, the agent was used for harvesting and reusing credentials, moving laterally through systems, establishing persistence, and even destroying a database.

According to Sysdig, AI agent JadePuffer breached open-source AI app builder LangFlow through a historical API-related vulnerability.

Via the LangFlow server, it then executed Python malware and operated reconnaissance for API keys via the likes of OpenAI, Anthropic, and Gemini. The agent then began harvesting cloud credentials with "explicit coverage" of Chinese providers such as Huawei, along with a scan for the main three U.S. hyperscale platforms.

JadePuffer was also spotted probing canonical MinIO addresses in containerized deployments. MiniIO is a self-hosted S3-compatible object store is found in many on-premises and cloud-native stacks to store backups, infrastructure state, application data, and machine learning.

Sysdig reported the agent then "dumped" the Postgres database underpinning Langflow, keeping stored credentials, API keys, and user records before staging the output to local files before reviewing and deleting them.

Michael Clark, director of threat research at Sysdig, noted the agent scanned the internal address space and named services reachable via the Langflow host for its reconnaissance.

Zero humans in the loop #

The JadePuffer attack represented a complete end-to-end extortion operation entirely executed by a large language model (LLM), which Clark dubbed as the first documented case of agentic ransomware.

Clark highlighted the attack leveraged various old vulnerabilities, including one involving distributed system manager Nacos.

"Agents make spraying the entire historical vulnerability catalogue effectively free, so the long tail of unpatched systems becomes more exposed, not less," Clark said.

"An LLM narrates its own objectives in its payloads. An LLM agent can chain reconnaissance, credential theft, lateral movement, persistence, and destruction without the operator possessing deep expertise in any one step. Tradecraft that once implied a capable human now implies a capable model," Clark added.

The evolving level of agentic autonomy has been an increasing concern for security in recent months. This title for example discovered AI agents were sharing security evasion tips on Moltbook, the forum exclusively populated by AI agents, with advice on web scraping under the cover of mobile proxies.

While both Moltbook's agents and JadePuffer may have been malicious in intent, vendors and experts alike have sounded the alarm on errors accidentally made by agents, which could have repercussions for network systems. This has led to calls for keeping humans in the loop on all automated networking efforts, as well as digital twin solutions from Nvidia, Microsoft, and Forward, which promise human oversight over agents by simulating their next moves in a workflow.

── more in #ai-safety 4 stories · sorted by recency
── more on @sysdig 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/ai-agent-carries-out…] indexed:0 read:2min 2026-07-07 ·