JadePuffer: Anatomy of the First Autonomous Agentic Ransomware Campaign
Open Until: 08/08/2026
On July 1, 2026, Sysdig's Threat Research Team published its analysis of an intrusion it named JadePuffer, which the team assesses to be the first publicly documented ransomware operation in which reconnaissance, credential harvesting, lateral movement, persistence, and destructive encryption were performed by an autonomous large language model agent rather than by a human operator [1]. The attacker exploited an unauthenticated remote code execution flaw in a public-facing Langflow instance (CVE-2025-3248), harvested cloud and AI-provider credentials from the compromised host, pivoted through weakly protected object storage, and destroyed a production Alibaba Nacos configuration store by encrypting 1,342 configuration items and dropping the underlying tables, leaving behind a ransom note whose decryption key was never persisted or transmitted [1][2]. The Sysdig disclosure has been corroborated in reporting from Bleeping Computer, Security Affairs, The Register, The Hacker News, and the OECD.AI incident database [2][3][4][5][6]. The Cloud Security Alliance treats the case as a threshold event: the tradecraft is not new, but the operator is. The distinguishing forensic signature of the operation was not what the intruder did but how the intruder communicated with itself. Sysdig's investigators recovered more than six hundred payloads whose contents were saturated with plain-language commentary explaining the intent behind each action — the kind of running narration a human attacker rarely produces but a language model generates reflexively [1][2]. When an administrative login attempt failed, the agent diagnosed the cause, produced a working correction, and re-executed within thirty-one seconds; when a target service returned XML rather than the expected JSON, the agent immediately rewrote its parser [1]. It was the operationally significant capability of an agent executing the individual steps of an established playbook without human supervision at the tactical level
Key Takeaways
- On July 1, 2026, Sysdig's Threat Research Team published its analysis of an intrusion it named JadePuffer, which the team assesses to be the first publicly documented ransomware operation in which reconnaissance, credential harvesting, lateral movement, persistence, and destructive encryption were performed by an autonomous large language model agent rather than by a human operator [1]. The attacker exploited an unauthenticated remote code execution flaw in a public-facing Langflow instance (CVE-2025-3248), harvested cloud and AI-provider credentials from the compromised host, pivoted through
Contribute to Peer Review
Premier AI Safety Ambassadors

Premier AI Safety Ambassadors play a leading role in promoting AI safety within their organization, advocating for responsible AI practices and promoting pragmatic solutions to manage AI risks. Learn more about how your organization could participate and take a seat at the forefront of AI safety best practices.



