An AI Agent Broke Into a Server, Taught Itself to Adapt, and Left a Ransom Note
Security firm Sysdig says it has documented the first fully autonomous AI-driven ransomware attack, where a program called JadePuffer broke into a database, encrypted thousands of records, and demanded Bitcoin payment without a human criminal directing any step.

Key points
- Sysdig researchers published findings in 2025 describing what they call the first documented end-to-end ransomware attack driven entirely by an AI agent.
- The AI program, named JadePuffer, exploited CVE-2025-3248, a flaw in Langflow (a tool for building AI-powered applications) that lets attackers run any code they like on an exposed server.
- JadePuffer encrypted 1,342 configuration records stored in a database, deleted the originals, and left behind a Bitcoin ransom demand.
- The agent recovered from a failed attempt to create an administrator account in just 31 seconds, without any human stepping in.
- Independent experts say the attack marks an evolution in how ransomware works, not the invention of a brand-new threat.
A software tool called Langflow had a known security hole. Security researchers at Sysdig watched an AI agent walk straight through it.
The flaw is tracked as CVE-2025-3248. It is a remote code execution vulnerability, meaning anyone who finds an unpatched, internet-facing Langflow server can send it instructions and the server will obey. JadePuffer, the name Sysdig gave the AI agent, used that hole as its front door.
How did the AI actually carry out the attack?
Once inside, JadePuffer did not wait for orders. It scanned the internal network, harvested stored passwords and login tokens, moved to a second production server running MySQL (a popular database program) and Alibaba's Nacos (a platform that stores configuration settings for applications), then encrypted 1,342 Nacos records. It wiped the originals and left a Bitcoin ransom note behind.
Every instruction the agent sent arrived as a small Python script, hidden inside Base64 encoding, which is a way of disguising data as plain text to slip past basic filters. Sysdig counted more than 600 such payloads across the operation.
What caught researchers' attention was the code itself. Each script contained written-out reasoning, almost like notes to itself, explaining what it was trying to do and why. That self-narrating style is a hallmark of code written by large language models, the same technology behind AI chat tools.
When one step failed, the agent diagnosed the problem and generated a corrected script. It recovered from a failed admin-account creation in 31 seconds.
"Attackers have automated reconnaissance, credential theft, and deployment for years," independent security researcher Vibhum Dubey told CSO Online. "The difference is that an AI agent can connect those stages together and make decisions without waiting for a human operator."
Dubey's bigger concern is not the final encryption stage but the quiet period before it, when the agent maps accounts, permissions, and trust relationships while trying to avoid triggering alarms.
Prashant Sharma, a cybersecurity consultant at Cyble, agrees the attack is an evolution rather than a revolution. Existing security platforms, he notes, are built to flag suspicious behaviour regardless of whether a human or an algorithm is behind it.
For ordinary people, the immediate lesson is narrow but important. If your employer runs software that stores credentials or configuration data, and that software is reachable from the internet, a patch left uninstalled is an open invitation. Ransomware does not need a criminal sitting at a keyboard anymore.
Check with your IT team that your organisation applies security patches quickly. If you receive any unexpected emails asking you to reset passwords or confirm account details in the days after a breach, treat them as suspicious.



