Digital Blog
Cybersecurity

Agentic ransomware: JadePuffer hit Langflow, says Sysdig

Agentic ransomware entered a live intrusion, Sysdig says, after JadePuffer exploited a Langflow flaw to steal credentials and extort databases.

By Reza Khalil3 min read
Illustration of ransomware code and cybersecurity warning graphics

Sysdig says a ransomware campaign it calls JadePuffer used an AI agent inside a live intrusion after exploiting the Langflow CVE-2025-3248 flaw, in what the company describes as the first documented case of agentic ransomware in the wild. The attacker moved from initial access on the open-source LLM application framework to credential theft, lateral movement and database extortion, Sysdig said, with the model-driven workflow doing more than sitting at the edge of the operation.

The claim is narrower, and more useful, than a warning that ransomware gangs have suddenly gone autonomous. Sysdig describes a traceable intrusion chain in which an LLM-generated agent handled parts of the workflow quickly enough to turn an exposed AI-development tool into a route towards operational data. The named flaw, framework and attack path give defenders something firmer to work from than another broad argument about whether AI might help attackers one day.

According to Sysdig, the attacker exploited Langflow’s unauthenticated remote-code-execution flaw, then kept access on the compromised host through a cron job set to beacon every 30 minutes. The intruder then harvested credentials, found access into a MySQL and Nacos environment, and encrypted 1,342 configuration items before deleting the originals. The extortion point, in other words, sat in the data layer, not just on an endpoint.

One agent sequence took 31 seconds to recover from a failed login and produce a working fix, Sysdig said. That is the sharper part of the report: attackers have scripted individual tasks for years, but an LLM-driven workflow can adjust quickly when one step breaks. Michael Clark, Sysdig’s director of threat research, told CyberScoop that JadePuffer should be read as an acceleration of known tradecraft rather than a clean break with it.

“We have seen attackers script attacks for years, and we have seen AI speed up individual steps of attack chains”
Michael Clark, CyberScoop

Why this matters for defenders

For defenders, the practical lesson is less dramatic than the phrase “agentic ransomware” suggests. The first control remains the front door: do not leave internet-facing AI workflow tools unpatched or loosely exposed. In Sysdig’s account, JadePuffer needed one exposed service, one remote-code-execution flaw, enough credential access to pivot, and a target environment where configuration data could be encrypted for leverage. The playbook is familiar. The compression is the change.

The reporting also sets a useful limit. CyberScoop’s follow-up makes clear the case was not an entirely human-free operation, and Sysdig framed it as a warning sign rather than proof that ransomware crews no longer need operators. Overstating the episode as autonomous cyberwarfare would blur the conclusion security teams can act on: AI tools can shorten reconnaissance, troubleshooting and post-exploitation steps inside a conventional intrusion.

For Australian organisations experimenting with internal AI orchestration layers, Langflow-style developer tooling now belongs in the same risk conversation as exposed admin panels, CI/CD services and database consoles. Patch discipline, credential controls and network segmentation are hardly new. JadePuffer ties those basics to a live attack narrative at the moment many companies are pushing LLM frameworks into production without treating them as high-value infrastructure.

Sysdig’s report does not settle whether agentic ransomware will become a standard operating model. It does put a name and a traceable intrusion path around a shift defenders have been expecting: AI is starting to help attackers operate faster inside the same environments enterprises are wiring up for their own automation.

JadePufferLangflowMichael ClarkSysdig
Reza Khalil

Reza Khalil

Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.

Related