Somebody pointed an AI agent at a company's network and let it go. It broke in, poked around, stole credentials, encrypted the data, and left a ransom note. Nobody was at the keyboard.
Security firm Sysdig's threat research team published what it says is the first documented case of agentic ransomware in the wild, a campaign it's calling JADEPUFFER. The attacker got in through a known bug in Langflow, a popular tool developers use to build AI apps, and then the rest of the intrusion chain was driven end-to-end by an AI agent powered by an LLM.
The agent ran more than 600 individual payloads inside the compromised environment. It swept for API keys across multiple cloud providers. It probed internal storage buckets and pulled config files. When one enumeration attempt came back in XML instead of the JSON it expected, the agent noticed on its own, rewrote its parser, and tried again.
The clearest sign a human wasn't driving came in a 31-second window. The agent tried to insert a rogue admin user into Alibaba's Nacos platform, the attempt failed, and rather than freeze, it simultaneously tested default credentials and generated a fresh password hash to diagnose why. Fifteen lines of coordinated code, half a minute, no supervision. By the end of the attack, it had encrypted 1,342 configuration files and left a Bitcoin address behind.
How it got in is the second half of the story. The Langflow flaw, CVE-2025-3248, lets an attacker run code remotely on any exposed instance, and Trend Micro has been tracking it in the wild since summer. CISA later added it to its list of known exploited vulnerabilities. Around 7,000 Langflow servers are still sitting on the public internet, which is to say the on-ramp for this kind of attack is not exotic.
There's one twist that arguably makes JADEPUFFER worse than a normal ransomware incident. The encryption key the agent used was randomly generated, printed once to a terminal, and never saved or transmitted anywhere. Even if the victim paid, the data would still be unrecoverable. The ransom note also claims AES-256 encryption when the agent actually used the weaker default AES-128, and Sysdig couldn't find evidence that the data exfiltration the note threatens ever actually happened. The Bitcoin address and contact email don't match any known ransomware operation on file, raising the awkward possibility that the LLM hallucinated most of its own extortion scheme.
Not everyone views this as a paradigm shift. Vibhum Dubey, an independent red teamer, called it "an evolution in execution [rather] than a completely new ransomware technique," telling CSO Online that attackers have been automating reconnaissance and credential theft for years. What's actually new, he said, is that an AI can improvise around blocked paths, so no two intrusions end up looking quite the same, which breaks a lot of detection tooling that assumes attackers follow predictable patterns.
Governments seem to think the timeline is compressing. A joint statement from the Five Eyes cyber agencies, which is the NSA, CISA, and their UK, Canadian, Australian, and New Zealand counterparts, put it plainly last week: "AI is not a future consideration, it is already here." They warned that the gap between a vulnerability being disclosed and being exploited is shrinking, and that boards should stop treating cyber as a purely technical problem.

The interesting part of JADEPUFFER isn't the ransomware. It's everything the agent didn't need. It didn't need someone to tell it what to try when the first login failed. It didn't need a person to notice that XML wasn't JSON. Whoever set this thing loose pointed it at a target and walked away, and it improvised its way through the rest. That's the actual shift here, and it's the same pattern that keeps showing up: the capabilities are shipping much faster than the controls that would keep them in check. This time, the control that failed was a Langflow server nobody remembered was still online.
