Cybersecurity Researchers Identify First Fully Self-governing AI-Driven Ransomware Attack

  • By John K. Waters
  • 07/14/26

Danger scientists at cloud security firm Sysdig have revealed what they describe as the very first recorded ransomware operation carried out end-to-end by a self-governing AI agent, without any human typing commands or directing individual actions once the attack was underway. The company named the hazard actor JADEPUFFER and published its technical analysis between July 4 and July 6.

According to Sysdig, JADEPUFFER acquired preliminary gain access to through an internet-facing instance of Langflow, an open source framework that developers utilize to construct AI applications and agent workflows. The entry point was CVE-2025-3248, a missing-authentication flaw that permits an unauthenticated assaulter to run approximate Python code on the host. The vendor patched the defect in Langflow 1.3.0, and the Cybersecurity and Infrastructure Security Company (CISA) added it to its Known Exploited Vulnerabilities list in Might 2025, indicating the vulnerability itself was neither new nor secret at the time of the attack.

When inside, the representative identified the host and swept the environment for secrets throughout several categories simultaneously, consisting of application programming user interface keys for OpenAI, Anthropic, DeepSeek, and Google; cloud credentials covering Amazon Web Services, Google Cloud, Microsoft Azure, and several Chinese suppliers; cryptocurrency wallet seed phrases; and database credentials. It dumped Langflow’s backing Postgres database, found a MinIO item storage service still keeping up its factory-default qualifications, and set up a crontab entry that beaconed to the assaulter’s infrastructure every 30 minutes to keep persistence. From there, it used collected credentials to reach a separate, internet-exposed production server running MySQL and Alibaba’s Nacos configuration platform, making use of a 2021 authentication bypass and forging a token with a default signing secret openly known given that 2020.

The most noteworthy proof of self-governing operation, according to Sysdig, came when an early attempt to insert a backdoor administrator account into Nacos failed a login check. Thirty-one seconds later on, with no human intervention, the agent diagnosed the cause as a subprocess path issue that prevented the password hash from being created properly, changed its technique, and completed the task. The agent went on to secure 1,342 Nacos setup records and leave a ransom note. Sysdig stated it could not determine which underlying AI design powered the agent, and that the payloads consisted of natural language thinking and self-narration normal of big language design output instead of a fixed, pre-scripted toolkit.

By admin