Sysdig Flags 'JADEPUFFER' as First End-to-End AI-Run Ransomware Attack
Researchers say a large language model handled intrusion, lateral movement and destruction of a production database without a human at the keyboard.

A security vendor says it has caught what may be the first ransomware intrusion executed end-to-end by an AI agent, with no human operator driving the keyboard once the campaign began.
Sysdig's Threat Research Team is calling the operator JADEPUFFER. The firm says a large language model handled the full attack chain: initial access, credential theft, lateral movement, and finally the encryption and wiping of a victim's production database.
That is a departure from how ransomware normally runs.
Most intrusions still involve a human affiliate working under a Ransomware-as-a-Service brand — LockBit-style crews, Akira, Play, Qilin — where the affiliate buys or brokers access, then hand-drives tools like Cobalt Strike or Rclone through the environment. Automation exists, but the operator is usually watching.
In the JADEPUFFER case, according to Sysdig's writeup, the LLM was the operator.
The initial foothold came through a vulnerable instance of Langflow, the open-source framework for building LLM workflows. That software was hit earlier this year by CVE-2025-3248, a critical unauthenticated remote code execution flaw in its API that CISA added to its Known Exploited Vulnerabilities catalog in May. Exposed Langflow servers have been a soft target ever since.
Once inside, the agent enumerated the environment, harvested credentials and pivoted toward the database tier. Sysdig says it then encrypted the production database and wiped backing data — a destructive endgame more typical of wiper crews than of a disciplined RaaS affiliate looking to negotiate.
The researchers have not publicly named the victim, the sector, or the ransom demand. It is also unclear whether any payment was made, or whether a payment channel was set up at all. That ambiguity matters: an AI-driven intruder that destroys data before extortion is monetised is closer to sabotage than to a business model.
Attribution is the other open question.
Sysdig frames JADEPUFFER as an operator rather than a known crew rebranding. Whether a human threat actor scripted the agent and walked away, or whether the LLM was handed a broader objective and improvised, the firm does not say in detail. Prior agentic-attack demonstrations from vendors like Anthropic and from academic teams have shown LLMs can chain reconnaissance and exploitation steps; production incidents matching that pattern have been rarer.
For defenders, the practical takeaway is narrower than the headline. Patch or pull exposed Langflow. Watch for the Langflow RCE indicators already published. Assume anything reachable that hosts an LLM runtime is now a first-class target, not a science project.
Threat Vectr has asked Sysdig for the ransom figure and victim jurisdiction and will update if the firm confirms either.



