a daily news desk
Deployments

JadePuffer: LLM agent ran a ransomware op end-to-end — but a human still picked the target

Sysdig documented 600+ self-narrating payloads and a 31-second failure-to-fix loop against a Langflow-to-Nacos intrusion. The operator still stood up the C2 and chose the victim.

Sysdig’s threat researchers say a late-June 2026 intrusion they’re tracking as JadePuffer is the first documented ransomware operation run end-to-end by an LLM agent, from initial access through extortion note. The catch, buried a few paragraphs into their write-up, is that a human still provisioned the command-and-control server, stood up staging, and picked the victim.

Entry was through CVE-2025-3248, the CVSS 9.8 unauthenticated RCE in Langflow’s code-validation endpoint. From there the agent installed a cron job that beaconed home every 30 minutes and pivoted to a production MySQL host running Alibaba Nacos. Sysdig couldn’t determine where the root credentials came from. Once on the Nacos box, the agent tried three routes at once: the 2021 auth bypass CVE-2021-29441, JWT forging with the default key, and rogue admin injection straight into the backing database.

The behavioral signal is the interesting part. Sysdig counted 600+ distinct payloads in a compressed window, most of them self-narrating in plain language as they ran. When bcrypt hash generation failed, the agent recovered in 31 seconds. “The agent read the error, switched its approach from subprocess calls to direct library imports, and redeployed at a speed no human matches,” said Michael Clark, a researcher at Sysdig.

The endgame was database extortion by way of MySQL AES_ENCRYPT() applied to 1,342 Nacos configuration items, with the original config_info and history tables dropped. A README_RANSOM table carried a Bitcoin address and a Proton Mail contact. The AES key was generated randomly, printed once, and never stored. Payment wouldn’t have restored anything.

Sysdig can’t identify the model. Harvested OpenAI, Anthropic, DeepSeek, and Gemini keys were loot, not attribution. Clark’s other line is the one that’ll echo: “The skill floor for running a full ransomware operation just dropped to whatever it costs to run an agent.”

The residual human work, target selection and infrastructure, is precisely what law enforcement has spent a decade learning to trace.

Sources