{"slug": "sysdig-says-jadepuffer-carried-out-ransomware-with-an-ai-agent", "title": "Sysdig says JADEPUFFER carried out ransomware with an AI agent", "summary": "Sysdig's Threat Research Team observed what it assesses as the first documented ransomware operation executed end-to-end by a large language model agent, named JADEPUFFER. The agent exploited a known vulnerability in an exposed Langflow instance, harvested credentials, moved laterally, and encrypted databases. The attack underscores the risk of AI-driven automation in cyberattacks, though Sysdig's claim lacks independent confirmation.", "body_md": "[Loris Degioanni](https://www.sysdig.com/about?ref=runtimewire)'s [Sysdig](https://www.sysdig.com/?ref=runtimewire) says its Threat Research Team observed what it assesses as the first documented ransomware operation executed end-to-end by a large language model agent, a claim the cloud security vendor laid out in a [threat report](https://www.sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion?ref=runtimewire) and [Security Affairs covered](https://securityaffairs.com/194713/ai/jadepuffer-first-end-to-end-ai-driven-ransomware-operation.html?ref=runtimewire) on July 3.\n\nSysdig named the operator JADEPUFFER. Sysdig says the agent exploited an internet-facing [Langflow](https://github.com/langflow-ai/langflow?ref=runtimewire) instance, harvested credentials, moved through internal infrastructure, compromised a separate production database environment, encrypted configuration data and destroyed databases. The date of the intrusion is not disclosed in the public materials, and the victim is unnamed. Sysdig's first-documented framing is Sysdig's assessment, with no independent public confirmation from the victim, law enforcement, or another incident response firm.\n\nDegioanni is a relevant protagonist here because Sysdig was built around the idea that runtime behavior shows defenders what is actually happening inside cloud systems. 
Sysdig says Degioanni founded the company in 2013, created the sysdig open source troubleshooting tool and Falco, and co-created Wireshark. Sysdig's own origin story says it focused on runtime to give developers and defenders a system-call-level view into containers.\n\nThat history matters because JADEPUFFER is useful evidence for Sysdig's current commercial argument. On May 6, 2026, Sysdig introduced [headless cloud security](https://www.sysdig.com/press-releases/sysdig-headless-cloud-security?ref=runtimewire), a model that moves CNAPP workflows into AI coding platforms and programmatic interfaces. Degioanni wrote on Sysdig's homepage that the company built around a belief that security should reflect how people and systems actually work, and that it focused on runtime because that is where the highest-fidelity data lives. JADEPUFFER gives that thesis a sharper edge: if attack automation can act through exposed AI and cloud services, defense built for dashboard queues and manual triage has less time to matter.\n\n### The attack chain started with an old cloud hygiene failure\n\nJADEPUFFER did not rely on a novel zero-day in Sysdig's account. The entry point was [CVE-2025-3248](https://nvd.nist.gov/vuln/detail/CVE-2025-3248?ref=runtimewire), a missing-authentication flaw in Langflow that allowed unauthenticated code execution on vulnerable hosts. CISA added the bug to its Known Exploited Vulnerabilities catalog in May 2025, per Security Affairs.\n\nThat is the sober part of the report. The attack succeeded because the environment had exposed AI workflow infrastructure, stored secrets, reachable internal services, unchanged MinIO default credentials, a production database path, and root MySQL access whose origin Sysdig says it did not observe. Sysdig's own conclusion is plain: the individual techniques were old, ordinary and widely known.\n\nThe new part is the chaining. 
Once inside the Langflow host, Sysdig says JADEPUFFER enumerated the system and swept for secrets across LLM provider keys, cloud credentials, cryptocurrency wallet material, database credentials and configuration files. The report says the agent also dumped Langflow's backing Postgres database for stored credentials, API keys and user records, staged the results locally, reviewed them and deleted the staging files.\n\nJADEPUFFER then probed internal services from the Langflow host. One target was [MinIO](https://min.io/?ref=runtimewire), an S3-compatible object store that Sysdig says was reachable at common container deployment addresses and still used the default `minioadmin:minioadmin` credentials. The agent listed buckets, looked at objects with names suggesting credentials, and fetched `.env` and `credentials.json` files. When a request expecting JSON returned XML, Sysdig says the agent changed its parser to handle the S3 XML response and retried.\n\nThat adaptation is the core of Sysdig's case. A fixed scanner can run a checklist. Sysdig says JADEPUFFER read output, diagnosed failure and chose a different next step.\n\n### The 31-second correction is the strongest evidence\n\nSysdig's report points to patterns consistent with LLM-driven autonomy: self-narrating code, fast failure correction, and comprehension of natural-language context. The most concrete example is a Nacos administrator account sequence.\n\nThe production target, according to Sysdig, ran MySQL and Alibaba Nacos, a configuration and service-discovery system common in microservice deployments. JADEPUFFER attacked Nacos through multiple paths, including [CVE-2021-29441](https://nvd.nist.gov/vuln/detail/CVE-2021-29441?ref=runtimewire), forged JWTs using a known default signing key, and direct insertion of a backdoor administrator into the Nacos backing database after connecting to MySQL as root. 
Sysdig says the source of the root credentials is unknown.\n\nSysdig's timeline shows the agent inserted an admin user, attempted login, failed, tested default credentials, then deleted and recreated the user with a simpler password. The window between the failed login and the coordinated fix was 31 seconds. Sysdig says the corrective payload was about 15 lines of code that diagnosed, deleted, rebuilt and reinserted the account.\n\nThe sequence is more persuasive than the headline claim because it is falsifiable behavior. The agent did not merely retry. It changed the implementation based on the failure mode. Sysdig says similar behavior appeared elsewhere, including the MinIO XML parser switch.\n\n### The ransomware was destructive even by ransomware standards\n\nAfter reaching the database environment, Sysdig says JADEPUFFER encrypted configuration data and dropped original tables in the Nacos backing database. The report documents encryption and destruction; the public materials do not name the victim or date the intrusion.\n\n### Sysdig's product timing is impossible to miss\n\nSysdig's JADEPUFFER report lands about two months after its headless cloud security launch, and the fit with Degioanni's message is exact. In Sysdig's launch materials, Degioanni said security teams need better outcomes instead of more dashboards, and Sysdig described a model where AI agents use runtime telemetry to investigate, generate fixes and coordinate response across existing workflows.\n\nJADEPUFFER is the mirror image of that pitch. An attacker agent used exposed runtime access, gathered context, shifted tactics, and completed work faster than a human-heavy process could comfortably follow. Sysdig's interest in that interpretation is obvious, and readers should keep the technical caveats in view: the campaign abused patched vulnerabilities, default credentials and exposed management surfaces. 
The report does not prove that modern ransomware operators need sophisticated AI to succeed against weak infrastructure.\n\nIt does show why AI agent security is moving from product copy into incident response. Cloud teams have spent years accepting fast-moving internal services, reachable databases, broad secrets in application environments and delayed patching as manageable debt. JADEPUFFER shows how that debt changes when an agent can run through the backlog of known weaknesses without waiting for an operator to decide each step.\n\nFor founders building AI infrastructure, the lesson is immediate. Langflow-style orchestration servers increasingly sit near provider keys, model credentials, cloud secrets and internal services. If those systems are internet-facing, lightly segmented or stocked with long-lived credentials, they become a practical starting point for automated intrusion. Sysdig's report gives defenders a useful detection angle too: LLM-generated payloads often narrate intent, explain choices and leave structured comments that can become signal.\n\nDegioanni's old bet was that defenders needed to observe what software was doing at runtime, not what a diagram said it should be doing. JADEPUFFER gives that bet a harsher proof point. 
The agent did ordinary attacker work with unusual autonomy, and the target's ordinary cloud mistakes were enough.", "url": "https://wpnews.pro/news/sysdig-says-jadepuffer-carried-out-ransomware-with-an-ai-agent", "canonical_source": "https://runtimewire.com/article/sysdig-jadepuffer-agentic-ransomware-ai", "published_at": "2026-07-04 15:27:46+00:00", "updated_at": "2026-07-04 15:54:47.855800+00:00", "lang": "en", "topics": ["artificial-intelligence", "large-language-models", "ai-agents", "ai-safety", "ai-research"], "entities": ["Sysdig", "JADEPUFFER", "Loris Degioanni", "Langflow", "MinIO", "CISA", "Security Affairs", "CVE-2025-3248"], "alternates": {"html": "https://wpnews.pro/news/sysdig-says-jadepuffer-carried-out-ransomware-with-an-ai-agent", "markdown": "https://wpnews.pro/news/sysdig-says-jadepuffer-carried-out-ransomware-with-an-ai-agent.md", "text": "https://wpnews.pro/news/sysdig-says-jadepuffer-carried-out-ransomware-with-an-ai-agent.txt", "jsonld": "https://wpnews.pro/news/sysdig-says-jadepuffer-carried-out-ransomware-with-an-ai-agent.jsonld"}}