Agentic AI,
Fraud Management & Cybercrime,
Ransomware
Researchers Say the Attack Combined AI Decision-Making With Known Software Flaws

In a groundbreaking incident, researchers have reported that an autonomous artificial intelligence (AI) agent executed a ransomware attack termed the first of its kind, where it effectively exploited vulnerabilities, exfiltrated credentials, and encrypted a production database entirely without human assistance. This unprecedented event underscores the evolving landscape of cybersecurity threats generated by advanced AI technologies.
The cloud security firm Sysdig identified the perpetrator behind this incident as a threat actor known as Jadepuffer. Detailed examination of the incident revealed that AI models, notably large language models, have reached a point where they can independently complete the full life cycle of a ransomware attack. This cycle includes crucial stages such as reconnaissance, credential theft, maneuvering within networks, privilege escalation, and the final act of data encryption.
These findings arrive amid heightened alarm from cybersecurity agencies within the Five Eyes alliance—an intelligence-sharing group comprising Australia, Canada, New Zealand, the United Kingdom, and the United States. In a collective statement issued in June, these agencies expressed concern that the rapid advancements in AI technology are enhancing the speed, scale, and sophistication of cyber threats. They ominously predicted that the timeline for such threats is no longer measured in years but in mere months.
Notably, the cyber intrusion commenced with the exploitation of a critical vulnerability, identified as CVE-2025-3248. This authentication bypass flaw occurs within Langflow’s code validation endpoint, an open-source framework utilized for constructing AI applications and managing agent workflows. Researchers highlighted that this vulnerability enables unauthenticated remote code execution on servers that are inadequately protected. The flaw was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog earlier in May of this year.
Once the Jadepuffer agent gained access to the environment, it commenced a systematic search for cloud credentials, API keys, cryptocurrency wallets, configuration files, and sensitive secrets stored within databases. Notably, the AI agent extracted data from Langflow’s PostgreSQL database to harvest these credentials, scanned internal networks thoroughly, and accessed an exposed MinIO object storage service using default credentials. Researchers indicated that the agent also established persistence by implementing a cron job, designed to signal back to attacker-controlled infrastructure at 30-minute intervals.
With the acquired credentials, the AI agent advanced to a separate server that was publicly accessible, running MySQL and Alibaba’s Nacos configuration platform. It exploited CVE-2021-29441, taking advantage of the Nacos platform’s default JWT signing key to inject a backdoor administrator account into the database prior to initiating the extortion phase.
During the final stages of the attack, the ransomware encrypted a total of 1,342 configuration records associated with Nacos using MySQL’s built-in encryption capabilities. After encrypting the data, it deleted the original tables and replaced them with a ransom note, demanding payment in Bitcoin.
Sysdig experts further noted the adaptive abilities of the AI agent; when the initial attempt to establish an administrator account failed, it demonstrated diagnostic capabilities by generating a working alternative in less than 31 seconds. Researchers also discovered numerous payloads underlining the reasoning behind the agent’s decisions, complete with self-generated annotations explaining its actions.
Importantly, the attack did not employ any zero-day vulnerabilities or unorthodox techniques. Instead, it blended known vulnerabilities, poorly-configured services, default credentials, and publicly acknowledged weaknesses to create a systematic automated intrusion chain. Sysdig concluded their assessment by revealing that there was no evidence indicating that the attackers maintained a decryption key or backup for the encrypted data. This revelation implies that victims faced a catastrophic situation, leaving them unable to recover their data even in cases where ransom payments were made.