A ransomware campaign identified as JadePuffer may represent the first documented instance of an attack conducted entirely by an autonomous artificial intelligence agent, according to cloud security firm Sysdig.
The operation, detailed in a report published by the company, allegedly used a large language model agent to perform the full sequence of an intrusion—from initial reconnaissance and credential theft through to lateral movement, privilege escalation and data encryption—without direct human intervention at each stage.
Sysdig researchers said the AI agent demonstrated adaptive behaviour during the attack, adjusting its approach when encountering obstacles in a manner comparable to human operators. In one documented sequence, the system moved from a failed login attempt to a successful workaround within 31 seconds.
The attack chain began by exploiting CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow, an open-source framework used for building applications based on large language models. The vendor issued a patch for the flaw on 1 April 2025, but by early May, the US Cybersecurity and Infrastructure Security Agency had flagged it as actively exploited against internet-facing endpoints, which are often deployed with minimal security hardening but may contain cloud credentials and API keys.
Following initial code execution, the agent extracted data from Langflow's PostgreSQL database, gathered host information, searched for environment variables and sensitive files, retrieved credentials and enumerated a MinIO object storage system. Sysdig highlighted the agent's capacity to adjust in real time: when one API request returned XML rather than the expected JSON format, the subsequent payload modified its parsing logic accordingly.
To maintain access, the attacker established persistence by installing a scheduled task on the Langflow server configured to contact external infrastructure every 30 minutes. From there, the operation moved laterally to a production MySQL server running Alibaba Nacos, a naming and configuration service platform, using root credentials whose origin Sysdig could not confirm.
The agent then targeted Nacos with multiple payloads, including one exploiting CVE-2021-29441, an authentication bypass vulnerability that enables the creation of unauthorised administrator accounts. After probing for methods to escape containerised environments, the system deployed the ransomware payload.
According to the report, the agent encrypted 1,342 Nacos service configuration items using MySQL's AES_ENCRYPT() function before deleting the original configuration and history tables. A ransom demand was inserted into a newly created database table, which included a Bitcoin payment address and a Proton Mail contact.
The ransom note claimed the data had been encrypted using AES-256, though Sysdig researchers believe the weaker AES-128-ECB mode was more likely employed. The encryption key was randomly generated but, according to the analysis, neither stored locally nor transmitted to the attacker—a detail that would complicate any potential decryption, even if a ransom were paid.
Sysdig noted that the Bitcoin address listed in the ransom demand is a widely used example address found in public documentation, possibly reproduced by the language model from its training data. Other indicators suggesting AI control included detailed natural-language comments embedded in the generated code describing operational reasoning, and rapid iteration in response to specific errors rather than simple retries.
The researchers concluded that the incident demonstrates the arrival of what they termed "agentic threat actors"—autonomous systems capable of conducting damaging cyberattacks with reduced need for technical expertise. However, they also noted that the operational characteristics of large language model agents may create new detection opportunities for security systems, as their behaviour patterns differ from traditional attack methods.
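One concrete detection opportunity follows from the encryption and ransom-note steps described above. As an added illustration (not code from the Sysdig report), the Python below groups MySQL general-query-log entries by connection and flags a session that combines a write calling AES_ENCRYPT(), removal of the original tables, and a ransom note inserted into a new table; the log lines and the Nacos table names are constructed assumptions. It also notes when no block_encryption_mode was set, since MySQL's AES_ENCRYPT() then falls back to its default aes-128-ecb, the mode Sysdig considered most likely.

```python
import re
from collections import defaultdict

# Constructed sample of MySQL general-log lines (assumed format:
# "<time> <connection_id> Query <sql>"); not taken from the Sysdig report.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 42 Query SELECT id FROM config_info LIMIT 5
2025-06-01T10:00:02Z 42 Query UPDATE config_info SET content = AES_ENCRYPT(content, 'k3y') WHERE id <= 1342
2025-06-01T10:00:05Z 42 Query DROP TABLE his_config_info
2025-06-01T10:00:06Z 42 Query CREATE TABLE README_RESTORE (note TEXT)
2025-06-01T10:00:07Z 42 Query INSERT INTO README_RESTORE VALUES ('Encrypted with AES-256. Pay bitcoin, contact us@proton.me')
2025-06-01T10:01:00Z 77 Query SELECT content FROM config_info WHERE id = 5
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
STAGES = {
    # Bulk in-database encryption: a write statement that calls AES_ENCRYPT().
    "encrypt": re.compile(r"^(UPDATE|INSERT|REPLACE)\b.*\bAES_ENCRYPT\s*\(", re.I | re.S),
    # Destruction of the originals once the encrypted copies exist.
    "destroy": re.compile(r"^(DROP\s+TABLE|TRUNCATE|DELETE\s+FROM)\b", re.I),
    # Ransom note written into a freshly created table.
    "ransom": re.compile(r"^(CREATE\s+TABLE|INSERT)\b.*\b(bitcoin|btc|proton\.me|decrypt)", re.I | re.S),
    # Explicit cipher mode; when absent, AES_ENCRYPT() uses MySQL's default aes-128-ecb.
    "mode_set": re.compile(r"^SET\b.*\bblock_encryption_mode\b", re.I),
}

def assess_sessions(log_text):
    """Group queries by connection id and report which ransomware stages each shows."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, sql = m.group(2), m.group(3).strip()
        stages = seen[conn]  # touch every connection so benign ones are reported too
        for stage, pat in STAGES.items():
            if pat.search(sql):
                stages.add(stage)
    findings = {}
    for conn, stages in seen.items():
        hit = {"encrypt", "destroy", "ransom"} & stages
        mode = None
        if "encrypt" in stages:
            mode = "explicit" if "mode_set" in stages else "default aes-128-ecb"
        findings[conn] = {"stages": sorted(hit), "suspicious": len(hit) >= 2, "cipher_mode": mode}
    return findings

if __name__ == "__main__":
    for conn, finding in assess_sessions(SAMPLE_LOG).items():
        print(conn, finding)
```

Requiring two of the three stages in one connection keeps a lone DROP TABLE or a legitimate AES_ENCRYPT() call from firing on its own.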
The case raises questions about the adequacy of current defences against AI-driven threats, particularly in environments where vulnerabilities remain unpatched and security monitoring is limited. It also highlights the expanding attack surface created by the rapid deployment of AI development frameworks, which may be exposed to the internet with insufficient hardening.