Ransomware operations have always required human planning, target selection, and script generation. A new report from cloud security firm Sysdig suggests that an AI agent has now taken over that entire role for the first time. The researchers named the attacker JADEPUFFER and describe it as an agentic threat actor whose attack capability comes from an AI model, not a person.
The report details an extortion attack where a language model broke into a server on its own, stole credentials, and destroyed databases. No human appeared to be at the controls at any point.
Exploiting a known vulnerability
The initial entry came through a known vulnerability in Langflow, a tool widely used for building AI applications. The flaw, tracked as CVE-2025-3248, allows attackers to run their own code on the server without authentication. Langflow patched it in April 2025, meaning a fix had been available for over a year. Shortly after the patch, the U.S. Cybersecurity and Infrastructure Security Agency added the flaw to its catalog of actively exploited vulnerabilities, an official warning to update immediately.
In this case, the patch was never applied. The agent exploited the flaw and worked its way forward from that first server. It collected credentials, set up persistent access on the system, and eventually targeted a separate production server running a MySQL database. That database was the actual target of the attack.
Self-correction in 31 seconds
The most convincing evidence that no human was typing, according to Sysdig, comes down to a single moment. The agent tried to create an admin account but the login attempt failed. Thirty one seconds later, it sent a corrected command that diagnosed the error, deleted the broken account, and built a working one from scratch.
The researchers note that a human reading an error message, figuring out the cause, and writing a new script would take much longer. Another tell was that the AI generated code included natural language comments explaining why it wanted to delete a particular database first. Human attackers almost never write comments like that, Sysdig says. AI models do it reflexively.
Stay updated
Get the day's AI and automation news in your inbox. No spam, unsubscribe anytime.
The agent ended up encrypting 1,342 configuration entries and deleting the original tables. It left a ransom note demanding Bitcoin and listed a Proton Mail address for contact. But the decryption key was displayed only once and was never saved or sent anywhere. Paying the ransom would not have recovered the data. The Bitcoin address itself turned out to be a well known example address from developer documentation, likely pulled directly from the model's training data.
Old mistakes, machine speed
None of the individual techniques used in the attack were new. The attack exploited long known vulnerabilities and weak default passwords. What is new is that an AI model chained all of these elements together into a complete extortion operation on its own. That lowers the barrier to running ransomware down to the cost of operating an AI agent.
No independent confirmation from the victim, law enforcement, or other security firms exists so far. Sysdig also sells products designed to detect exactly these kinds of automated attacks.
Shane Barney, chief information security officer at Keeper Security, gave a sober assessment to Hackread. He said JADEPUFFER should be read less as science fiction and more as a credential management failure at machine speed. The deciding factor was not novel attack techniques. It was exposed secrets, unchanged default passwords, wide open privileged access, and no real time monitoring of active sessions.
Barney pointed to a Keeper study finding that 72 percent of organizations cannot detect credential misuse in real time and often do not notice unauthorized privileged access until hours after it starts. That gap becomes dangerous when an AI agent can go from a failed login to a working admin account in under a minute.
Barney's direct takeaway is that privileged access needs to be time limited and scoped to individual tasks. Secrets belong in protected vaults with regular rotation. And sessions need to be monitored while they are active, not after the damage is done.

