Security firm Sysdig reports what it says is the first documented ransomware operation carried out end to end by an AI agent. Sysdig’s Threat Research team describes an operator it calls “JadePuffer” that uses a large language model to perform a full sequence of actions: gaining initial access, collecting credentials, moving through a network, compromising a production database, and then encrypting and destroying data. According to Sysdig, the agent begins by exploiting an internet-facing Langflow instance using CVE-2025-3248, which is described as enabling remote, unauthenticated arbitrary Python execution on the host. After access, the agent scans for and exfiltrates secrets, including LLM provider API keys and cloud credentials, and also searches for database credentials and other assets.

Sysdig says the agent establishes persistence by installing a crontab entry on the Langflow server and periodically contacting the attacker's infrastructure. The reported target includes a separate internet-exposed production server running MySQL and Alibaba’s Nacos configuration service. The agent then attacks Nacos using multiple issues, including CVE-2021-29441 and a JWT technique that relies on a default signing key, while using MySQL access to modify Nacos’s backing database and encrypt configuration items. Sysdig states the encrypted data cannot be recovered, even if a ransom is paid, because the operation escalates beyond row-level deletion.