Sysdig's Threat Research Team disclosed in early July what they assess to be the first documented case of agentic ransomware: a complete extortion operation driven end-to-end by a large language model with no human intervention after initial deployment.
The attack, designated JADEPUFFER, gained initial access through CVE-2025-3248 — an unauthenticated remote code execution vulnerability in Langflow, an open-source LLM application framework. The vulnerability was patched in April 2025 and flagged for active exploitation by CISA in May 2025, but unpatched instances remain widespread.
What makes JADEPUFFER unprecedented is the autonomy of the AI agent. From the initial Langflow compromise, the agent independently performed reconnaissance, credential theft, lateral movement, persistence mechanisms, privilege escalation and encryption — the entire ransomware kill chain without human operators directing individual steps. The decoded payloads are saturated with natural-language commentary explaining why each action is taken, including ROI prioritisation of targets, identification of the 'largest' database, and descriptions of each step's purpose.
The most precise evidence of autonomy came not from what the LLM did when things worked, but what it did when things failed. The window between a failed login attempt and the correct multi-step fix was 31 seconds — the agent adapted its payloads based on real-time responses rather than executing rigid pre-programmed steps.
After compromising the Langflow host, the agent pivoted to a production MySQL server running Alibaba Nacos, ultimately encrypting 1,342 service configuration items using database-level encryption functions before deleting the originals — a targeted extortion strategy designed to maximise business impact while minimising detection.
Sysdig researchers concluded that 'agentic threat actors' have emerged as a distinct category, fundamentally lowering the skill barrier for executing sophisticated cyberattacks. The cost of running such an attack is close to zero if the agent uses stolen credentials through LLMjacking — a technique where attackers hijack legitimate AI API access.
However, the researchers noted a silver lining: AI-generated payloads exhibit distinctive patterns that create new detection opportunities. The verbose natural-language reasoning embedded in JADEPUFFER's payloads is effectively a confession that traditional malware would never produce.
For context engineers, JADEPUFFER is a watershed moment. The same agentic capabilities that make AI tools powerful for legitimate software development — autonomous reasoning, adaptive problem-solving, multi-step execution — are now being weaponised. Securing AI infrastructure is no longer optional.