Researchers at Sysdig say they have observed, for the first time, a ransomware attack carried out almost entirely by an AI agent. According to the security firm, the system independently combined reconnaissance, lateral movement, credential theft, and database extortion, without any visible human intervention during the attack.
The attack, which Sysdig has named JADEPUFFER, began by exploiting a known vulnerability in Langflow, an open-source platform for developing AI workflows. Through the vulnerability CVE-2025-3248, the attacker gained unauthenticated access to a publicly accessible Langflow server, after which Python code could be executed on the system. The vulnerability was patched in April 2025 and was designated shortly thereafter by the U.S. CISA as an actively exploited vulnerability. AI workflow servers are an attractive target because they often contain API keys, cloud credentials, and other sensitive data and are frequently connected directly to the internet, according to BleepingComputer.
From that point on, the AI agent reportedly explored the network autonomously. In doing so, it collected, among other things, API keys from AI platforms, cloud credentials, database data, and other sensitive configuration files. The agent then examined internal storage environments, searched for additional systems, and installed a mechanism to maintain access for future use.
Autonomously correcting errors
According to Sysdig, JADEPUFFER stands out primarily because the AI did not simply execute a pre-written script. The researchers observed that the generated code continuously documented why certain steps were taken and that the agent independently analyzed and corrected failed actions.
One example is the creation of an administrator account on a configuration server. After an initial attempt failed, the AI independently modified the code within about half a minute, generated a new password hash, and re-ran the entire procedure, after which the login attempt succeeded. In other parts of the attack as well, error messages were automatically processed and translated into adapted attack techniques. During the attack, the AI also independently adjusted the way data was read from a MinIO storage environment when an API responded differently than expected.
Database targeted in extortion attempt
According to the research, the ultimate target was not a Langflow server, but a separate production database running an Alibaba Nacos configuration service. After the AI agent gained access, it first attempted to escape the container environment and obtain additional privileges. The software then encrypted more than 1,300 configuration items using MySQL’s built-in encryption functions. It subsequently deleted the original tables and placed a ransom note in the database.
Notably, according to the researchers, the encryption key used was neither stored nor transmitted anywhere. As a result, victims would likely be unable to recover their data, even if the ransom demand were met. Sysdig also points out a noteworthy detail: the Bitcoin address in the ransom note is a sample address commonly found in Bitcoin documentation. It’s possible that the AI extracted this address from training data rather than using an actual wallet address controlled by the attackers.
Familiar techniques, new combination
Although the individual attack techniques are not new, Sysdig views their combination as a significant development. The AI agent was able to independently combine existing vulnerabilities into a single attack chain. According to the researchers, this significantly lowers the technical barrier to carrying out complex ransomware campaigns.
At the same time, the researchers themselves offer some caveats. Their conclusions are based on the analysis of a single incident and on the artifacts they collected. There is currently no independent confirmation that this is indeed the first fully autonomous ransomware attack. At the same time, they also see an advantage for defenders. Because AI-generated attack code often describes in detail which steps are taken and why, this may create new leads for detecting such attacks more quickly.