Press TechRound interviews Secure.com CEO on the future of AI security
Read

Meet JadePuffer, the First LLM That Extorted a Real Company

Sysdig found JadePuffer, the first real ransomware attack run start to finish by an AI model. No human hacker wrote the steps.

Dateline: July 7, 2026

The First Ransomware Attack Run Entirely by an AI Is Here

For years, security folks warned this day would come. Now it has. Researchers at Sysdig say they found the first real ransomware attack run from start to finish by an AI model, with no human writing the steps. They call the attacker JadePuffer.

What Happened? 

JadePuffer broke into an internet-facing Langflow server. Langflow is an open source tool people use to build AI apps. The way in was CVE-2025-3248, a critical flaw that lets anyone run code on the machine without logging in.

From there the AI worked its way toward the real prize: a separate internet-exposed server running a MySQL database and an Alibaba Nacos config service. It listed the database contents, pulled out selected data, wiped the database, and left a note demanding payment to get the stolen files back.

Every payload came in as Base64-encoded Python pushed through the Langflow flaw. The first machine it hijacked became the launch pad for hitting the final target.

What’s the Impact? 

None of these moves were new. Sysdig and outside experts agree on that. Exploiting an exposed service, stealing credentials, moving sideways, abusing default settings, and destroying databases are all standard playbook stuff. Johan Edholm of Detectify called it more evolution than invention.

The shift is who strung it all together. An AI model chained recon, credential theft, lateral movement, persistence, and destruction into one clean operation. Normally that mix points to a skilled human. Now it points to a capable model.

Two details gave the AI away. 

  • First, its own code was self-narrating, packed with plain-English reasoning and target notes that human hackers rarely bother to write but AI produces by habit. 
  • Second, it fixed its own mistakes at machine speed. When one login failed, JadePuffer refined its approach and got in. That correction took 31 seconds.

Worth noting: back in August, researchers thought they had found the first AI-driven ransomware, called PromptLock. It turned out to be a lab proof of concept from NYU, not a real attack. JadePuffer looks like the genuine article.

The bigger worry is spread. Edholm expects early adopters to be crews who already know how to wire AI models to offensive tools and stolen credentials. Once that tooling gets packaged and reusable, weaker operators will pick it up too. Criminal groups move fast because no procurement or compliance slows them down.

How to Avoid This Sysdig and the experts point to a clear set of steps:

  • Patch Langflow to a version that fixes CVE-2025-3248, and keep code-execution endpoints off the public internet.
  • Do not link provider API keys or cloud credentials to the AI-orchestration server they run on. Keep secrets in a proper manager.
  • Harden Nacos by changing default signing keys and keeping it off the internet.
  • Lock down internet-facing databases with strong passwords and IP restrictions on management ports.
  • Move from quarterly snapshots to continuous visibility. An automated attacker can go from discovery to impact in minutes, so gaps between scans are dangerous.

How Secure.com Would Have Stopped JadePuffer Before the Ransom Note

Here is the part that stings. Secure.com would have found the internet-facing Langflow server, the CVE, and the open MySQL database before JadePuffer ever touched them. The break-in started with an exposed asset that a continuous exposure scan flags on day one. The attacker only won because nobody was looking on the days between scans.

Walk the attack back one stage at a time and you can see where it breaks.

JadePuffer Incident Teardown | Secure.com

incident teardown  /  ai-orchestrated ransomware

An AI ran the entire ransomware attack. No human wrote the steps.

Sysdig’s teardown of JadePuffer — the first real ransomware campaign orchestrated end-to-end by an LLM. Initial access came through CVE-2025-3248, a critical RCE in an internet-exposed Langflow server. Every payload was Base64-encoded, self-narrating Python.

31s
for the model to fix a failed login and get back in — error-correcting at machine speed.
recon → extortion · fully autonomous
recon RCE · langflow lateral move enumerate exfiltrate destroy db extort the kill chain
What JadePuffer did
Where Secure.com surfaces it
01Exploited an internet-exposed Langflow server via CVE-2025-3248 to run code remotely.
The public-facing asset is inventoried (publicly_accessible) and the CVE correlated against KEV / EPSS — a publicly-exposed asset with known exploits, flagged before the breach.cspm · pre-breach
02Pivoted to an open MySQL database with management ports exposed to the internet.
A CSPM public-exposure check fires: MySQL 3306 open to 0.0.0.0/0 is high; publicly-reachable database access is critical.cspm misconfig
03Stole credentials — a failed login it corrected and retried 31 seconds later.
Brute-force / failed-login detections (GuardDuty, Defender, CloudTrail) ingest via SIEM → deduplicate → enrich → open a SOC case + ticket.detection · soc
04Moved laterally to the internal MySQL / Nacos services, then enumerated and exfiltrated.
The movement is correlated into an attack-path graph — public, exploitable entry → reachable neighbors, VPC-scoped — with the blast radius sized.attack path
05— the loop that never stops: new tradecraft, at machine speed —
A purple-team loop maps red-team actions to MITRE ATT&CK and scores blue-team detection coverage — turning each gap into a detection.on the roadmap

This is the whole case for continuous over quarterly. A snapshot every three months leaves a hole an attacker can drive through for weeks. Continuous CTEM, adversarial exposure validation, and the Purple loop close that hole because they never stop looking. That is the difference between reading about a breach and preventing one.

Read More

  • You can read how continuous threat exposure management works here
  • And how we map real attacks to MITRE ATT&CK here