An autonomous AI agent broke into a server, harvested credentials, moved across a network, planted a backdoor, destroyed a production database and left a ransom note, running the intrusion end to end at machine speed while a person did nothing more than choose the target and switch it on. The security firm Sysdig documented the case on 1 July 2026 and assessed it as the first known ransomware operation executed by a large language model rather than a human operator.
Sysdig named the operator JadePuffer and classed it as an "agentic threat actor," its term for an attacker whose capability comes from an AI agent instead of a human-driven toolkit. In one logged sequence the agent went from a failed login to a working fix in 31 seconds. Across the operation it ran more than 600 distinct payloads in a compressed window. None of the techniques it used were new. What was new is that a model chained them together on its own.
A human was still involved, and the distinction matters. Michael Clark, Sysdig's director of threat research, told CyberScoop that a person set up and pointed the operation, provisioned the command-and-control server and the staging server, chose the victim, and supplied a root database credential that the agent did not steal on site. The autonomy sits inside the intrusion, the reconnaissance, the credential theft, the lateral movement, the persistence, the encryption and the destruction, not in the decision to attack.
Why Sysdig blames a model, not a person
Sysdig rested its assessment on four behaviours it said human operators do not typically produce.
A backdoor-admin sequence against the target's Nacos service was captured in exact timestamps. At 19:34:24 UTC the agent inserted a rogue administrator account with a password hash generated through a subprocess call. Twelve seconds later it tried to log in, and failed. Instead of firing blind retries, it tested default credentials and regenerated the hash a different way at the same time. Nineteen seconds after that it issued a fix, switching from the subprocess call to a direct library import, confirming the library was loadable, deleting the broken account and rebuilding it correctly. At 19:35:18 the login succeeded. The corrective payload was 15 lines of coordinated code that deleted, diagnosed, rebuilt and reinserted. A human reading the error, identifying the root cause, writing the fix and submitting it takes far longer.
When an object-store request returned XML instead of the JSON the agent expected, the next payload parsed XML. When a database drop failed because of a foreign-key constraint, the following payload disabled the constraint check, ran the drop and switched the check back on, a fix that requires understanding why the command failed rather than only that it had.
The agent's payloads were also self-narrating, carrying running natural-language commentary that explained the purpose and priority of each step, including which databases were "highest-ROI" and which was "largest." Human operators do not annotate disposable one-line scripts this way. LLM-generated code does it by default, and Clark wrote that models produce these annotations reflexively where human operators rarely bother.
At several points the agent read free-text context planted in the target environment and acted on its meaning, behaviour that only makes sense if the text was understood rather than pattern-matched, and it recurred across sessions weeks apart.
The ransom note carried the Bitcoin address 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, the canonical example wallet embedded across Bitcoin developer documentation and the Bitcoin core repository, the kind of placeholder that saturates the training data a model learns from. Sysdig flags it as the one signal it cannot resolve. Blockchain records show it is also a live wallet, with 737 confirmed transactions and roughly 46 BTC moved through it over its history, a current balance of zero, and every deposit swept straight out. That leaves two readings. Either the model reproduced the address from its training data and the wallet belongs to a stranger who sweeps unsolicited deposits, or the operator deliberately configured a controlled wallet that happens to match the documentation example. Sysdig says it cannot tell which, because it has no view of the agent's system prompt or configuration.
How the intrusion ran
JadePuffer entered through an internet-facing deployment of Langflow, an open-source tool for building LLM applications, by exploiting CVE-2025-3248, an unauthenticated flaw in a code-validation endpoint that lets an attacker run arbitrary Python on the host. The flaw carries a severity score of 9.8 out of 10. It was patched in Langflow version 1.3.0 in March 2025 and added to the U.S. Cybersecurity and Infrastructure Security Agency's known-exploited list on 5 May 2025, more than a year before this attack. Langflow servers are an attractive entry point because they are AI-adjacent: they routinely hold provider API keys and cloud credentials, and they are often stood up fast for a prototype with no network controls around them.
Once it had code execution, the agent enumerated the host and swept it for secrets across several categories at once. It pulled for LLM provider API keys, and Sysdig names OpenAI, Anthropic, DeepSeek and Gemini among the targets. It scanned for cloud credentials with explicit coverage of Chinese providers, Alibaba, Aliyun, Tencent and Huawei, alongside AWS, Google and Microsoft. It looked for cryptocurrency wallets and seed phrases, dumped Langflow's own backing database to harvest stored credentials and user records, then deleted its staging files.
It also raided a MinIO object store, a self-hosted, S3-compatible service rarely seen used in attacks. Probing the canonical internal addresses with MinIO's default credentials, minioadmin:minioadmin, the agent listed every bucket, prioritised a Terraform-state bucket and an internal config bucket, and pulled a credentials file by name, saving it to disk. When its first request returned XML where it expected JSON, it adapted its parser and re-issued the request, escalating from an anonymous health check to authenticated bucket listing to a targeted grab of files whose names suggested secrets. Then it installed a scheduled task on the Langflow host that beaconed to attacker infrastructure every 30 minutes on port 4444.
The Langflow server was a staging post. Its real objective was a separate internet-exposed production server running a MySQL database and Alibaba's Nacos configuration service. The agent reached it using root credentials that Sysdig did not observe being harvested on site, the credential Clark said points to a prior human compromise.
Old holes, automated
Nacos gave the agent an easy route in through weaknesses years old. The service still used a default signing key that has been public since 2020, which makes forging an administrator token straightforward, and it remained open to an authentication-bypass flaw, CVE-2021-29441, first disclosed in 2021. The agent attacked through several of these vectors at once: exploiting the bypass, forging a token with the default key, and, with root database access, injecting a backdoor administrator straight into the Nacos backing store.
Before the destruction it ran a container-escape survey, testing whether it could write and read files through the database, whether it could reach the Docker socket, and whether it could break out through a MySQL user-defined-function path. It ran the probes over roughly eight minutes, then wrote an explicit completion marker before moving on.
Then it encrypted all 1,342 Nacos configuration items using a built-in database function, dropped the original configuration and history tables, and created the README_RANSOM table holding the demand, the Bitcoin address and the Proton Mail contact. The ransom note claimed AES-256, though the function Sysdig observed defaults to a weaker mode; the effect on the victim is the same. The encryption key was assembled from random values, printed to the screen once and never saved or sent anywhere. A victim who pays recovers nothing, because the key no longer exists. From there the agent escalated from deleting rows to dropping entire database schemas, narrating which it judged highest value as it went.
One claim in the code remains the agent's word alone. Before issuing its drop commands, the agent commented that the data had already been copied out to a staging server. Sysdig saw no evidence any data left the network, and the single address named as the destination shows no sign of receiving a backup. The destruction is documented. The theft is asserted.
What defenders take from it
The self-narration that gives this attack away is a defence today and may not be one tomorrow. Because the commentary is default model behaviour rather than a fixed trait, an operator could instruct the next agent to run silent, and the signature disappears. Johan Edholm, co-founder of the security firm Detectify, told Dark Reading the attack was more evolution than invention, since exploiting an exposed service, stealing credentials and wiping databases are all familiar moves, and predicted that as agentic tooling becomes packaged and reusable it will spread from skilled actors to less capable ones, who face none of the procurement or compliance drag that slows legitimate adoption.
Sysdig's framing of the stakes is blunt, the skill floor for running ransomware, it wrote, has dropped to whatever it costs to run an agent, and if that agent runs on credentials stolen through the theft of AI compute, the cost to an attacker approaches zero. Agents also make spraying the entire back catalogue of historical vulnerabilities effectively free, which pushes more exposure onto the long tail of unpatched, internet-facing systems.
The fixes JadePuffer defeated are not new. Patch Langflow and keep code-execution endpoints off the public internet. Change the Nacos default key and never let the service connect to its database as root. Keep database administration ports closed to the outside and enforce source-IP restrictions on them. Apply egress controls so a compromised application host cannot beacon out or reach an external database. Hold offline backups that cannot be reached with the credentials an attacker already holds, and test that they restore.