2026 JADEPUFFER
AGENTIC_
RANSOM_
FIRST_CASE.
TL;DR: On July 1, 2026, cloud security firm Sysdig Threat Research Team (TRT) published the original technical report disclosing campaign JADEPUFFER—the first known end-to-end, fully LLM-driven complete ransomware operation. Attackers exploited a publicly exposed Langflow instance via CVE-2025-3248 (CVSS 9.8), then laterally moved to a production server running MySQL and Alibaba Nacos, executing 600+ distinct payloads within a compressed time window to complete reconnaissance, credential theft, persistence, configuration encryption, and database destruction. Sysdig classified it as a new Agentic Threat Actor (ATA). This article reconstructs the full attack chain from the original report, four lines of autonomy evidence, the Bitcoin address mystery, IOC inventory, official defense recommendations, industry reactions, and Mac node isolation guidance.
1. Pain Point Breakdown: AI Agent Infrastructure Is the New Attack Surface
If you run Langflow, OpenClaw, or ComfyUI agent workflows on a Mac or cloud host, three real-world risks map directly to JADEPUFFER:
- Public exposure + unpatched = 9.8 RCE entry point: Langflow has 70,000+ GitHub stars. Many teams expose orchestration services to the public internet for rapid validation. CVE-2025-3248 was disclosed in April 2025 and added to CISA's KEV (Known Exploited Vulnerabilities) catalog on May 5. EPSS exploitation probability stands at 91.42%.
- Environment variables hold API keys and cloud credentials: AI agent servers commonly store OpenAI, Anthropic, DeepSeek, Gemini, and Alibaba Cloud/Tencent Cloud/AWS credentials—the exact targets of JADEPUFFER Phase 1 parallel scans.
- Old vulnerabilities + AI automation = marginal cost near zero: Downstream targets exploited a 2021 Nacos auth bypass and never-rotated default JWT keys. Agents make "spray the entire historical vulnerability catalog" nearly free, and each intrusion may look slightly different.
2. Event Overview and Core Classification
| Dimension | Details |
|---|---|
| Discoverer | Sysdig Threat Research Team (TRT); report author Michael Clark (Director of Threat Research) |
| Publication date | July 1, 2026 (media follow-up July 2–6; public awareness peak around July 6) |
| Attacker codename | JADEPUFFER (Sysdig official all-caps naming) |
| Core classification | First known "end-to-end, fully LLM-driven" complete ransomware operation—reconnaissance, credential theft, lateral movement, persistence, and destructive encryption with no critical human-in-the-loop steps |
| New category | Agentic Threat Actor (ATA)—attack capability delivered by AI agents, not human-driven toolchains |
| Two-stage targets | Entry: public Langflow (CVE-2025-3248); actual target: public MySQL + Nacos production server |
| Scale | 600+ distinct, purpose-built payloads captured across multiple sessions over several weeks |
3. Timeline
| Date | Event |
|---|---|
| April 2025 | Langflow CVE-2025-3248 disclosed (unauthenticated code injection/RCE) |
| May 5, 2025 | Added to CISA KEV catalog |
| 2025 | Same vulnerability used to deliver Flodrix botnet (Trend Micro independent disclosure; unrelated to JADEPUFFER but shares entry vector) |
| June 2026 | JADEPUFFER attacks public Langflow instances; attack chain completed across multiple sessions over several weeks |
| July 1, 2026 | Sysdig publishes full technical report |
| July 2–6, 2026 | Dark Reading, BleepingComputer, CyberScoop, CSO Online, Security Affairs follow up |
4. CVE-2025-3248 Full Technical Analysis
4.1 Basic Information
| Field | Details |
|---|---|
| Component | Langflow — open-source visual AI agent workflow framework, 70,000+ GitHub stars |
| Vulnerability type | CWE-94 (code injection) + CWE-306 (missing authentication for critical function) |
| CVSS | 9.8 Critical — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Affected versions | All Langflow versions before 1.3.0 |
| Vulnerable endpoint | /api/v1/validate/code |
| Fixed version | 1.3.0 (authentication added) |
| EPSS | 91.42% (SentinelOne) |
4.2 Root Cause (Five-Step Breakdown)
- Langflow provides a code validation endpoint so users can check syntax when writing custom function nodes in the visual orchestrator.
- Implementation:
ast.parse()→compile()→exec(). - Critical flaw: No authentication and no sandbox isolation.
- Python decorators and function default arguments are evaluated at definition time—attackers embed malicious code in default parameters or decorators, achieving RCE during validation.
- Attackers need no login—a single crafted HTTP POST achieves arbitrary code execution.
4.3 Flodrix Botnet Comparison Payload (Trend Micro Forensics, Independent Campaign)
These commands sequentially confirm privileges → dump environment variables (potentially leaking API keys) → read root bash history → network reconnaissance → check SSH → check process capabilities. A 700-byte Bash script ultimately downloads the Flodrix ELF binary to build a DDoS botnet. Important distinction: Flodrix and JADEPUFFER are two independent campaigns sharing only the CVE-2025-3248 entry vector.
4.4 Official Patch (Langflow 1.3.0)
post_validate_code adds _current_user: CurrentActiveUser dependency injection: validates JWT Bearer Token or x-api-key; failures return 401/403 before reaching vulnerable logic.
5. Full Attack Chain Reconstruction (Sysdig Original Records)
5.1 Why Langflow Was Targeted
AI agent servers commonly store LLM API keys and cloud credentials in environment variables. Many teams deploy hastily without network access controls, exposing services directly to the public internet.
5.2 Phase 1: Compromise Langflow Host
All payloads were delivered as Base64-encoded Python through the RCE endpoint.
① Reconnaissance and credential collection (multi-threaded parallel): Execute id, uname -a, hostname; parallel scan for OpenAI/Anthropic/DeepSeek/Gemini API keys, Alibaba Cloud/Tencent Cloud/Huawei Cloud/AWS/GCP/Azure credentials, cryptocurrency wallets and seed phrases, database credentials.
② Local data exfiltration: Export credentials and API keys from Langflow's PostgreSQL backend database; stage locally for review then delete (trace cleanup).
③ Internal lateral discovery: Scan internal address space; default credential probing against databases, object storage, and secret vaults.
④ MinIO enumeration (key forensic evidence): Probe minio.internal:9000 and 127.0.0.1:9000; use default credentials minioadmin:minioadmin to fully enumerate buckets; prioritize extracting terraform-state bucket and credentials.json. Adaptive detail: first request used ?format=json but received XML—the next payload immediately switched to an XML parser. Classic probe-error-adapt loop.
⑤ Persistence: Install crontab beacon every 30 minutes:
5.3 Phase 2: Breach MySQL + Nacos Production Server
① Nacos multi-vector simultaneous attack: CVE-2021-29441 auth bypass, public default JWT signing key token forgery, backend backdoor admin injection via root database privileges.
Backdoor account injection 31-second fix loop (Sysdig timestamp precision):
| Time (UTC) | Action |
|---|---|
| 19:34:24 | Generate bcrypt hash, insert xadmin admin account |
| 19:34:36 | Login attempt with xadmin:Xploit@2026# fails |
| 19:34:48 | Parallel test of nacos:nacos default credentials + regenerate admin123 hash |
| 19:35:07 | Switch to import bcrypt direct generation; delete corrupted record and rebuild |
| 19:35:18 | Login succeeds—total elapsed 31 seconds |
② Container escape probing (~8 minutes): Use MySQL INTO OUTFILE / LOAD_FILE to test write, read-back, Docker socket, cgroup, UDF loading feasibility; actively write cleanup marker afterward—more like an agent signaling task completion before next phase than fixed script behavior.
③ Destructive encryption and ransom: Encrypt all 1,342 Nacos configuration entries with AES_ENCRYPT(); delete config_info and his_config_info; create ransom table README_RANSOM. Encryption key randomly generated via uuid4(), printed to stdout only, never stored—payment cannot recover data. Ransom note claims AES-256, but MySQL default is actually AES-128-ECB.
④ Large-scale destruction: DROP DATABASE by ROI priority; code comments claim "backed up to 64.20.53[.]230" (Sysdig found no independent evidence). When foreign key constraints cause deletion failure, next payload automatically adds SET GLOBAL FOREIGN_KEY_CHECKS=0—requires understanding failure cause, not blind retry.
6. Four Lines of Autonomy Evidence
- Self-narrating code: Payloads contain extensive natural-language comments explaining each step's rationale, including ROI sorting and database size judgment—default LLM code generation behavior, not post-hoc researcher inference.
- Machine-speed fault diagnosis and correction: Nacos backdoor 31-second fix, MinIO XML/JSON adaptation, JWT path blocked then immediate pivot—evidence lies in how fast and in what manner errors are corrected.
- Natural language context comprehension: Parsing free-text in target environments and taking actions only possible after reading context, recurring across sessions weeks apart.
- Bitcoin address mystery (see next section)—both interpretations remain plausible, illustrating new attribution uncertainty that AI autonomy introduces.
7. Bitcoin Address Mystery
Ransom note Bitcoin address 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy is the standard P2SH example address repeatedly used in Bitcoin Core documentation, widely present in LLM training corpora. On-chain data: 737 historical transactions, cumulative ~46 BTC, current balance zero (each deposit immediately transferred out). Sysdig's two interpretations: (a) LLM "hallucination"—wallet belongs to a third party that sweeps mistaken deposits; (b) attacker's configured real wallet that coincidentally matches the example address. Researchers cannot see the system prompt—both possibilities currently remain unresolvable.
8. IOC (Indicators of Compromise) Summary
| Type | Indicator |
|---|---|
| C2 / Beacon | 45.131.66[.]106; crontab: hxxp://45.131.66[.]106:4444/beacon |
| Data staging/exfil | 64.20.53[.]230 (InterServer, AS19318) |
| Entry vulnerability | CVE-2025-3248 |
| Ransom Bitcoin | 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy |
| Contact email | e78393397[@]proton[.]me (zero hits in threat intel databases; format differs from known MySQL ransom groups) |
| Ransom table name | README_RANSOM (does not match customary names like WARNING / RECOVER_YOUR_DATA) |
| Persistence | Crontab beacon to C2 port 4444 every 30 minutes |
Novel ransom email and table name with no prior precedent further supports a "brand-new agent-driven operation" rather than known ransomware group conventions.
9. Official Defense Recommendations (Sysdig Original Summary)
- Upgrade Langflow to a version patching CVE-2025-3248; never expose code execution/validation endpoints to the public internet.
- Deploy runtime threat detection to identify malicious behavior in database processes.
- Do not store LLM API keys or cloud credentials in AI orchestration server environment variables—use dedicated secret management services for isolation.
- Harden Nacos: rotate default
token.secret.key, upgrade to versions enforcing custom keys, never expose Nacos to the public internet, prohibit root database connections. - Prohibit public exposure of database admin accounts; enforce strong unique credentials and source IP restrictions on management ports.
- Egress control to block compromised hosts from arbitrary beacon outbound traffic.
- Monitor above IOCs; watch for scheduled task outbound requests and parenthesis-wrapped User-Agent anomalies.
10. Industry and Expert Reactions
BleepingComputer, Dark Reading, CyberScoop, and Security Affairs all called it the "first fully AI-driven ransomware attack," emphasizing the arrival of the ATA era. CSO Online interviewed red team expert Vibhum Dubey, who framed it as "execution evolution" rather than novel ransomware technique—the real concern is the quiet period before encryption, when agents map identity systems and trust chains; blocked paths trigger rapid tactical pivots, and each intrusion may look slightly different. Multiple outlets cited LLMjacking: if attackers drive agents with stolen credentials, marginal cost of complex multi-stage attacks approaches zero.
11. Sysdig Conclusions and Significance (Four Judgments)
- Ransomware no longer requires deep expertise: LLM agents can chain reconnaissance to destruction; operators need not possess advanced technical knowledge.
- Old vulnerabilities weaponized by automation: 2021 Nacos flaws + default JWT keys—agents make "spray the historical vulnerability catalog" cost near zero.
- Intent becomes "readable"—a defender opportunity: LLMs narrate objectives inside payloads, providing detection hooks previously unavailable.
- "Already backed up" is attacker self-report only: encryption keys are ephemerally generated and unrecoverable; payment cannot restore data.
Report closing thesis: JADEPUFFER is a warning signal—each individual technique is neither new nor complex. What matters is AI models chaining techniques into a complete ransomware operation targeting neglected public infrastructure. The skill barrier for running ransomware has dropped to "the cost of running an agent"; if the agent itself is credential-driven (LLMjacking), attacker marginal cost approaches zero. Defenders should expect rising volume and breadth of such attacks.
12. AI Orchestration Infrastructure Decision Matrix
| Deployment Model | Exposure Risk | Credential Isolation | Best Fit | JADEPUFFER-Related Risk |
|---|---|---|---|---|
| Local Mac bare-metal Langflow with public port mapping | Very high | Poor (.env plaintext) | Local demo only | Typical entry host target |
| Cloud VPS public + unpatched Langflow | Very high | Poor | Not recommended | Matches this incident's entry vector |
| Internal Langflow + secret management service | Medium | Good | Small team production | Requires egress control |
| Isolated remote Mac node + SSH tunnel | Low | Good | Agent development/testing | Entry not public; snapshot rollback available |
13. Five-Step Defense and Isolation Runbook
- Patch immediately: Upgrade Langflow to ≥1.3.0; scan public internet for reachable
/api/v1/validate/codeinstances (Shodan/Censys). - Remove public exposure: Langflow, Nacos, MySQL management ports internal-only or VPN/Tailscale; code validation endpoints never public.
- Credentials out of environment variables: Migrate API keys to Vault/1Password Connect/cloud Secrets Manager; orchestration servers mount short-lived tokens only.
- Harden Nacos: Rotate default JWT key, disable root database connections, enable authentication; audit against CVE-2021-29441 family.
- Runtime detection + IOC monitoring: Deploy Falco/Sysdig-class detection; alert on crontab outbound connections, anomalous MySQL
INTO OUTFILE,README_RANSOMtable creation; hunt against IOCs above.
14. Deep Case Study: Architecture Choices for Mac Developers in the ATA Era
JADEPUFFER reveals a paradigm shift in progress: attackers no longer need people who can write exploits—they need people who can configure agents. For developers running Langflow, OpenClaw, or MLX local inference on Mac, "my dev machine" and "my agent production environment" must be physically or logically isolated.
In this incident, the Langflow entry host became a pivot because of (1) public reachability, (2) environment variables rich with API keys, and (3) same network segment as internal MinIO/terraform-state. Many indie developers run Langflow prototypes and real API key tests simultaneously on a Mac mini—the exact "hasty deployment" pattern JADEPUFFER exploited.
A deeper economic signal comes from LLMjacking: attackers steal your OpenAI/Anthropic credentials, use stolen APIs to drive agents for the next attack, forming a "steal credentials → run agent → steal more credentials" positive feedback loop. If your Mac stores API keys and exposes agent management ports, it is both victim and ammunition for the next attacker.
Compared to Windows/Linux cloud hosts: they can run Langflow, but fall short for Xcode toolchain, Cursor/Claude Code collaboration, and Apple Silicon MLX local inference workflows. The key is not "switch platforms" but layer agent experiments separately from real credentials/production data—use an isolated Mac without production secrets or public port mapping for orchestration prototypes, access via SSH tunnel, snapshot and rollback on compromise without polluting your primary machine.
15. References
- Sysdig, "JADEPUFFER: Agentic ransomware for automated database extortion" (original technical report, sysdig.com/blog)
- BleepingComputer, "JadePuffer ransomware used AI agent to automate entire attack"
- Dark Reading, "JadePuffer: The First Complete LLM-Driven Ransomware Attack"
- CyberScoop, "Sysdig clocks first documented case of agentic ransomware"
- CSO Online, "This AI agent autonomously hacked a network..." (includes Vibhum Dubey commentary)
- Security Affairs, "JADEPUFFER: First End-to-End AI-Driven Ransomware Operation"
- Trend Micro, "Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet"
- NVD / SentinelOne / Zscaler — CVE-2025-3248 independent analysis; CISA KEV catalog
16. Closing: Do Not Run Agent Development Bare-Metal Locally—Isolated Mac Nodes Are the Safer Choice
JADEPUFFER proves that publicly exposed AI orchestration services + API keys in environment variables is among the highest-risk combinations in 2026. Windows/Linux cloud hosts can run Langflow, but offer less control than Apple Silicon Mac for terminal AI toolchain collaboration, MLX local inference, and snapshot rollback. If you need to validate Langflow/OpenClaw agent workflows in an isolated environment without pooling local API keys with production data, consider a MACGPU remote Mac mini M4 node: no public port mapping, on-demand start/stop, snapshot rebuild on compromise—turning "ATA era" risk into a manageable architecture decision rather than passively waiting for the next 9.8 CVSS vulnerability.