a daily news desk
Deployments

JADEPUFFER: an LLM ran a full ransomware operation end-to-end, and left no key behind

Sysdig says an autonomous agent chained a Langflow RCE, credential theft, a Nacos takeover and 1,342 encrypted config items — narrating itself the whole way.

Sysdig’s Threat Research Team says an autonomous LLM agent ran a full ransomware operation from initial access to extortion note without a human in the loop, encrypting 1,342 Nacos configuration items on a live victim before printing the decryption key once and discarding it. The team is calling the operator JADEPUFFER, and the report reads less like an intrusion timeline than a shift log written by the intruder itself.

Entry was CVE-2025-3248, an unauthenticated RCE in Langflow’s code-validation endpoint patched in version 1.3.0. CISA added the bug to its Known Exploited Vulnerabilities list in May 2025; the victim hadn’t patched. From there the agent dumped Langflow’s PostgreSQL database and swept the host for provider API keys (OpenAI, Anthropic, DeepSeek, Gemini), cloud credentials across Alibaba, Aliyun, Tencent, Huawei, AWS, Azure and GCP, crypto wallets and database logins. It raided a MinIO store still running default credentials and dropped a crontab beacon back to its infrastructure every 30 minutes.

Then it pivoted. The agent logged in as root to a separate internet-exposed MySQL and Alibaba Nacos server (Sysdig says it never observed where those credentials came from), exploited CVE-2021-29441 against Nacos, and forged a JWT using the default signing key that Nacos has shipped unchanged since 2020. When a backdoor-admin login failed, the agent diagnosed and fixed it in 31 seconds.

Sysdig’s Michael Clark describes the payloads as “self-narrating,” carrying “natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don’t often write but LLM-generated code produces reflexively.” The agent encrypted every Nacos config item with MySQL’s AES_ENCRYPT(), dropped the config_info and history tables, and left a README_RANSOM pointing to a Proton Mail address. The Bitcoin wallet in the note was the example string from public documentation. The key was generated, printed once, and never stored or exfiltrated. The victim can’t pay even if they want to.

“The skill floor for running ransomware has dropped to whatever it costs to run an agent,” Clark says. What’s structurally new isn’t the exploit chain; every CVE here’s old. It’s that the coordination layer, the part that used to require a human affiliate, is now a rentable inference bill.

Sources