Sysdig’s Threat Research Team has published what it assesses to be the first fully documented case of a ransomware operation executed start-to-finish by an autonomous AI agent — no human operator in the loop after the initial launch. The operation, tracked as JADEPUFFER, turned an 18-month-old, already-patched Langflow vulnerability into a complete extortion chain: initial access, credential theft, lateral movement, and destructive database encryption.
The Entry Point
The intrusion began with CVE-2025-3248 (CVSS 9.8), a missing-authentication flaw in Langflow, the open-source low-code framework widely used to build LLM application pipelines and agent workflows. The vulnerable /api/v1/validate/code endpoint parses attacker-submitted code with ast.parse() and runs it through Python’s exec() before any identity or privilege check occurs. Because Python evaluates decorator expressions at parse time, an attacker can embed a malicious payload inside a decorator and get code execution the moment the request is parsed — no valid session, no credentials, one HTTP request.
The flaw affects all Langflow versions prior to 1.3.0. The vendor shipped the fix in April 2025, and CISA added it to the Known Exploited Vulnerabilities catalog in May 2025. JADEPUFFER’s operators simply scanned for the large population of internet-facing Langflow instances that were never patched or were redeployed from stale images.
What the Agent Did on Its Own
Once code execution landed on the exposed Langflow host, Sysdig observed an LLM-driven agent — not a static script — carry out the entire post-exploitation chain autonomously. The agent:
- Mapped the compromised host and enumerated running services
- Swept the filesystem and environment for secrets, harvesting API keys for OpenAI, Anthropic, DeepSeek, and Gemini, plus cloud credentials for AWS, GCP, Azure, and the Chinese providers Alibaba and Tencent
- Identified and pivoted to a second, internet-facing server running MySQL alongside Nacos, Alibaba’s widely used configuration and service-discovery tool for microservice deployments
- Authenticated to the MySQL instance as root using harvested credentials
- Encrypted all 1,342 Nacos configuration entries and dropped the underlying database tables
- Left a Bitcoin ransom note with a ProtonMail contact address
Sysdig’s analysts noted a distinctive tell: the agent’s payloads were self-narrating, containing natural-language reasoning and target-prioritization comments in the code — the kind of verbose annotation human operators rarely bother writing but that LLM-generated code produces by default. That artifact, more than any single technique, is what let researchers conclude an AI agent — not a human — was driving decisions in real time, adapting its path through the network rather than following a fixed playbook.
Why This Matters Beyond One Incident
None of the individual techniques here are new — unauthenticated RCE, credential harvesting, lateral movement to a database, encrypt-and-extort. What’s new is the compression of the entire kill chain into a single autonomous session with no human re-engagement between initial access and the ransom note. That collapses the time window defenders have historically relied on between compromise and impact, and it means the attack no longer requires an operator with database and network expertise — the model supplies it. Expect this pattern to be repeated against any exposed AI-orchestration tooling, since these platforms routinely run with broad credentials to cloud services, model APIs, and internal data stores.
Who’s Affected
- Any organization running Langflow versions prior to 1.3.0 with the API exposed to the internet or an untrusted network
- Adjacent risk for any internet-facing MySQL, Nacos, or similar configuration-store deployment reachable from an AI pipeline host — the agent pivoted from Langflow to a completely separate service once it had credentials
- Broader exposure class: any AI orchestration, agent-framework, or dev-tooling dashboard placed directly on the public internet with default or no authentication
Mitigation
Patch immediately to Langflow 1.3.0 or later if you haven’t already — this vulnerability is 14 months old and has a public KEV listing.
Assume compromise on any instance that was ever internet-exposed pre-patch. Rotate every credential the Langflow process could reach: cloud API keys, database logins, model-provider API keys, and any tokens in environment variables.
Get AI orchestration tooling off the public internet. Langflow, Nacos, database consoles, and similar dev/config surfaces belong behind a VPN, private network, or at minimum source-IP allowlisting — not bound to a public interface with default settings.
Audit for unusual lateral movement originating from AI pipeline hosts. Because these agents pivot fast and clean up after themselves, standard dwell-time assumptions in incident response playbooks don’t hold; alerting needs to focus on the initial exploitation attempt and anomalous outbound authentication, not just post-encryption indicators.