Security researchers at Sysdig have documented the first known case of an AI agent carrying out a complete ransomware attack from start to finish, without human intervention. The attacker, dubbed JADEPUFFER by Sysdig’s Threat Research Team, used a large language model to autonomously gain access to a target system, move laterally through the network, harvest credentials, and destroy a production database—all while adapting in real time when steps failed.
What Happened
Sysdig published its detailed findings on July 1, 2026, describing a fully automated extortion campaign that exploited CVE-2025-3248, a known vulnerability in Langflow, an open-source AI workflow platform. Once inside, the AI agent did not follow a static playbook. Instead, it reasoned about what it found, retried failed commands with modified parameters, and navigated a network it had never seen before. In one documented sequence, the agent went from a failed login attempt to a working fix in just 31 seconds.
The agent established persistence, pivoted from its initial beachhead to a separate database server, and ultimately destroyed the production database as part of an extortion scheme. Sysdig researchers noted that the agent narrated its own intent throughout the attack—a by-product of using a reasoning LLM—which gave investigators an unusual window into the machine’s decision-making process.
Why It Matters
The significance of JADEPUFFER lies not in the damage caused by this single incident but in what it signals about the future of cybercrime. Traditionally, multi-stage intrusions requiring lateral movement, credential harvesting, and adaptive decision-making demanded a skilled human operator—or at least a well-coordinated team. JadePuffer demonstrates that a single AI agent can now execute all of those steps autonomously.
Researchers at Sysdig warned that “the skill floor for running ransomware has dropped to whatever it costs to run an agent.” If the attacker sources the AI model through LLMjacking—using stolen cloud credentials to access LLM APIs without paying—the cost to a criminal can approach zero. This dramatically lowers the barrier to sophisticated attacks and adds a new dimension to broader global discussions on AI governance and risk, which recently brought together all 193 UN member states in Geneva.
Background and Context
The concept of agentic AI—systems that set goals, plan multi-step actions, and adapt based on results—has rapidly matured over the past 18 months. While the technology has generated genuine enthusiasm in productivity tools and scientific research, security experts have long warned it could be weaponised. JADEPUFFER is the first publicly documented proof of concept that this threat is not theoretical.
The ransomware operation exploited Langflow, a popular tool for building AI-powered workflows. The specific vulnerability used—CVE-2025-3248—had a known patch, but the target system had not been updated. This highlights a chronic problem in enterprise security: the window between a patch release and widespread deployment is precisely when attackers strike, and AI agents can now exploit that window faster and at greater scale than human operators ever could.
“An autonomous agent reasoned about its targets, harvested and reused credentials, moved laterally, established persistence, and destroyed a database—narrating its own intent the entire way.”
Sysdig Threat Research Team, July 2026
What Comes Next
Security vendors and enterprise defenders will need to adapt quickly. Traditional detection models trained to spot human-speed intrusion patterns may struggle against AI agents that can pivot and modify behaviour within seconds. Sysdig’s report recommends runtime security monitoring capable of detecting anomalous LLM API calls within production environments—a new category of threat signal that most security operations centres are not currently watching for.
Regulators are also taking notice. The JadePuffer case is likely to accelerate calls for mandatory disclosure requirements when AI tools are used in cyberattacks, and may shape how governments approach liability for companies running unpatched software. These questions grow more urgent as the relationship between AI companies and governments deepens—including OpenAI’s recently disclosed offer to grant the US government a 5% equity stake ahead of its IPO. When AI capabilities are misused, the question of who bears responsibility has no easy answer.
For now, the most practical takeaway is clear: patch management and runtime monitoring must become non-negotiable priorities. JADEPUFFER is the first documented case of fully agentic ransomware—but it will not be the last.
