Skip to main content

JADEPUFFER Is the First LLM-Driven Ransomware. Here's What Actually Happened.

Close-up of precision lockpicks inserted into a brass deadbolt keyhole

Earlier this month, Sysdig published research on JADEPUFFER, what they assess to be the first end-to-end agentic ransomware operation: a full attack chain from initial access to data destruction, driven by an LLM agent with no human operator at the keyboard. I've been tracking this story since it dropped July 2, and I want to walk through what actually happened before the hot takes bury the technical detail.

What the Attack Actually Did

The entry point was CVE-2025-3248, a missing-authentication vulnerability in Langflow's code validation endpoint. CVSS score of 9.8. Langflow is the drag-and-drop flow builder a lot of teams use to wire together LLM pipelines. The flaw lets an unauthenticated caller execute arbitrary Python on the host. Game over for initial access.

Once in, the agent ran a methodical sweep: dumped Langflow's PostgreSQL database, harvested environment variables, scraped credentials from config files, inventoried a MinIO object store. The credential haul was wide. API keys for OpenAI, Anthropic, DeepSeek, and Gemini. Cloud credentials spanning AWS, GCP, Azure, Alibaba, Tencent, Huawei, and Aliyun. Crypto wallet keys. Database logins. The agent wasn't grabbing everything indiscriminately; Sysdig's analysis shows it was prioritizing targets by perceived value.

Then it established persistence: a cron job beaconing to attacker infrastructure every 30 minutes. From there, lateral movement to a production MySQL instance running Alibaba Nacos. Against Nacos it ran two separate attacks: CVE-2021-29441 (an auth bypass that creates rogue admin accounts) and a JWT forgery using Nacos's hardcoded default signing key. Both worked.

The end state: 1,342 Nacos service configuration items encrypted, originals deleted, an extortion table created with a ransom demand, payment wallet, and contact email. The encryption key was generated locally and discarded, so there's no recovery path even if you pay.

The 31-second moment is the part worth sitting with. At one point the agent hit an error creating a backdoor account. It diagnosed the failure, adapted its approach, and returned with a working payload in 31 seconds. The agent wasn't running a fixed playbook. It was problem-solving mid-attack.

The Self-Narrating Payload

Sysdig's researchers noted something unusual in the decoded payloads: they're full of natural-language commentary. The code explains why it's targeting a specific database (it identified the "largest" one), describes each step's purpose, and prioritizes targets by estimated ROI. Human operators don't annotate their attack code like that. LLMs do it by default, because they're generating code with prompts.

This is actually a detection signal. An EDR or runtime monitor watching for natural-language reasoning text inside decoded payloads will catch this class of attack. The narration is a fingerprint. It also tells you something about the architecture: the agent is generating code dynamically in response to what it finds, not executing pre-baked scripts. The whole attack is a live ReAct loop against a real network. Sysdig's full analysis has the payload excerpts if you want to see what that looks like.

Why Your Workflow Infrastructure Is Now a Priority Target

The thing that should give builders pause is that Langflow-style tools are exactly the kind of host you'd want to hit first. They sit on internal networks with credential access to everything: model APIs, cloud accounts, databases, object stores. That's intentional design, they need that access to wire together pipelines. But it also makes them high-value targets with a wide blast radius.

CVE-2025-3248 is patched. But the pattern isn't going away. If you're running Langflow, n8n, Flowise, or any self-hosted orchestration layer, that host needs to be treated with the same rigor as a production database. Segment it. Constrain its outbound reach. Audit exactly what credentials live in its environment.

The LLMjacking angle compounds this. JADEPUFFER collected API keys for six model providers. An attacker who uses stolen credentials to fund future agent runs has near-zero cost for subsequent attacks. You end up funding the infrastructure being used against you.

What to Actually Do

A few concrete steps, not theoretical:

  • Patch CVE-2025-3248 now if you haven't. Check which version of Langflow you're running.
  • Rotate your Nacos JWT signing key. CVE-2021-29441 is from 2021. If you haven't changed the default key since deployment, it's been a door that whole time.
  • Audit the credentials in your AI workflow tool's environment. The list of what JADEPUFFER harvested reads like a checklist of what's in the .env file of most LLM apps: model API keys, cloud credentials, database passwords.
  • Add detection for bulk config reads from Nacos, unexpected cron job creation, outbound beaconing from workflow servers, and lateral movement between your orchestration layer and production databases.
  • If you're using a managed platform instead of self-hosting, find out what network isolation and credential scoping your provider actually offers. SecurityWeek's coverage has additional context on the broader implications.

I haven't personally run a hardening audit against a Langflow or n8n instance. After this, I'm going to. The interesting thing about JADEPUFFER isn't that AI made the attack magical. It's that the attack chain is exactly what you'd build if you were writing an agent to do authorized pentesting, and someone used that same pattern offensively. The gap between "helpful autonomous agent" and "adversarial autonomous agent" turns out to be smaller than most of us would like.

Comments

Popular posts from this blog

AngularJs call one method of controller in another controller .

I have seen many question about calling one method of one controller in another controller or extending scope of one controller in another controller.so here are the ways. if you want to call one controller into another or extending scope of controllers there are four methods available $rootScope.$emit() and $rootScope.$broadcast() If Second controller is child ,you can use Parent child communication . Use Services Kind of hack - with the help of angular.element() 1. $rootScope.$emit() and $rootScope.$broadcast() Controller and its scope can get destroyed, but the $rootScope remains across the application, that's why we are taking $rootScope because $rootScope is parent of all scopes . If you are performing communication from parent to child and even child wants to communicate with its siblings, you can use $broadcast If you are performing communication from child to parent ,no siblings invovled then you can use $rootScope.$emit HTML <body ng-app = ...

Closures in javascript and how do they work ?

JavaScript Closures for Dummies  Closures Are Not Magic This page explains closures so that a programmer can understand them — using working JavaScript code. It is not for gurus or functional programmers. Closures are  not hard  to understand once the core concept is grokked. However, they are impossible to understand by reading any academic papers or academically oriented information about them! This article is intended for programmers with some programming experience in a mainstream language, and who can read the following JavaScript function: function sayHello ( name ) { var text = 'Hello ' + name ; var sayAlert = function () { alert ( text ); } sayAlert (); } An Example of a Closure Two one sentence summaries: a closure is the local variables for a function — kept alive  after  the function has returned, or a closure is a stack-frame which is  not deallocated  when the function returns (as if a 'stack-fr...

250,000 AI Agent Instances Exposed on the Internet — Is Yours One of Them?

If You're Running OpenClaw, You May Want to Read This A public watchboard has surfaced listing over 250,000 OpenClaw instances that are directly reachable from the internet. Some of these instances have leaked credentials. Many are running on infrastructure already flagged for known CVEs and threat actor activity. This isn't theoretical. It's happening right now. You can check the exposure list yourself at openclaw.allegro.earth . Why This Is a Big Deal OpenClaw is a powerful AI agent framework. That power comes with serious responsibility. A typical OpenClaw deployment runs with: Personal API keys — OpenAI, Anthropic, Google, cloud provider credentials Broad system permissions — file access, shell execution, network requests Autonomous execution capabilities — the agent can act without human approval Complex codebases — large attack surfaces that haven't been fully audited When one of these instances is publicly reachable without authentication...