Sysdig published the JadePuffer report this month and it changes the conversation about AI security. This wasn't a jailbreak. Nobody tricked a chatbot. Someone built an offensive AI agent, pointed it at a network, and let it run.
The agent got in through CVE-2025-3248, a missing-authentication flaw in Langflow's code validation endpoint. If you're running Langflow exposed to the internet, that bug lets anyone execute arbitrary Python on your host without logging in. That was the only door the agent needed.
What happened next was fully autonomous.
The agent dumped Langflow's PostgreSQL database. It pulled environment variables, hunted for credential files, and found a MinIO object store attached to the instance. It started escalating anonymous health check first, then admin API calls, then authenticated bucket listing, then pulling specific files like credentials.json and .env.
Here's the part that should concern anyone building with agents: when one of its API calls came back as XML instead of JSON, the agent didn't crash. It rewrote its own parser on the fly, adjusted the request, and kept going. It went from a failed login to a working exploit in 31 seconds.
It dropped a crontab entry beaconing to its C2 server every 30 minutes for persistence. Then it moved laterally.
The actual damage
The agent pivoted to a production MySQL server running Alibaba Nacos. It used root credentials it found during recon and exploited CVE-2021-29441, an authentication bypass that let it create rogue admin accounts.
Then it encrypted 1,342 Nacos service configuration items using MySQL's AES_ENCRYPT(). Dropped the original tables. Created a README_RANSOM table with a Bitcoin wallet and a Proton Mail contact address.
The payloads were self-narrating too. Reasoning chains embedded in the commands, verbose variable names, inline comments explaining each step. That's not how humans write shell commands. It's how LLMs generate code. And it's a detection surface if you know what to look for.
Why this matters for developers
Every agent framework on the market uses the same observe-plan-act loop. Read the environment, decide what to do, take action, check the result, repeat. JadePuffer used that exact pattern. The difference is it was pointed at infrastructure instead of a codebase.
If you're building agents or running AI orchestration tools in production, three things worth doing now: Patch CVE-2025-3248 if you're on Langflow
Audit what your agent infrastructure can reach on the network. If an agent host can talk to your production database, that's a lateral movement path.
Look at runtime scanning for LLM-generated payloads. The self-narrating pattern in JadePuffer's commands is distinctive and detectable.
I wrote a full technical breakdown of the attack chain on the Secra blog: JadePuffer: The First Ransomware Attack Run Entirely by an AI Agent
If you want to test how your own agent holds up against adversarial prompts, Secra's free benchmark fires 190 attack vectors at your endpoint and gives you a score in 60 seconds.