Report of the first-ever 'agent-type ransomware' infection.



An AI agent capable of automatically executing the entire ransomware attack has been discovered. It was observed not only infiltrating servers and destroying data, but also correcting failed steps in real time and re-attempting the attack.

JADEPUFFER: Agentic ransomware for automated database extortion | Sysdig

https://www.sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion



Smooth AI criminal drives 'first' end-to-end agentic ransomware attack

https://www.theregister.com/security/2026/07/02/smooth-ai-criminal-drives-first-end-to-end-agentic-ransomware-attack/5266073

Security firm Sysdig has reported confirming instances where ransomware attacks were carried out not by humans, but by AI agents, and has named this agent 'JadePuffer' and shared its attack methods.

JadePuffer exploited a known vulnerability , CVE-2025-3248, in an instance of the open-source AI development tool Langflow , allowing an unauthenticated attacker to execute arbitrary code. They then began scanning running processes and collecting information such as LLM provider API keys, cryptocurrency wallets, and database credentials.

JadePuffer's true target was another internet-exposed production server running a MySQL database and Alibaba's infrastructure management service, Nacos . JadePuffer connected to the server's public MySQL port using root credentials, but it is unknown where these credentials were obtained.

Subsequently, JadePuffer attacked Nacos using multiple methods, including exploiting an authorization bypass vulnerability ( CVE-2021-29441 ) and forging valid tokens using Nacos's default signing key. Furthermore, he added a backdoor administrator account to the Nacos backend database using root database privileges.

Ultimately, JadePuffer used MySQL's built-in encryption feature to encrypt all 1342 Nacos service configuration items and created a ransom email. The email contained a threatening message stating, 'Your data has been encrypted,' along with a Bitcoin address to which the ransom should be paid.



Sysdig notes that there is some evidence to suggest that JadePuffer is an AI agent.

One issue was the large number of annotations attached to the code. Such annotations are unique to AI, and Sysdig pointed out that 'a human wouldn't add annotations to disposable code used for hacking.'

Another interesting aspect was how the system behaved when an attack failed. After their initial attack failed, JadePuffer reportedly devised an improved version of their method in just over ten seconds and launched another attack. In one sequence, it took only 31 seconds from a failed login attempt to re-entering the system.

Sysdig advises users to update to a version that fixes CVE-2025-3248 and to refrain from exposing code execution or verification endpoints to the internet. It also warns that paying the ransom would be pointless because JadePuffer deleted the encrypted data without making any backups.

Sysdig commented, 'While the techniques used by the AI agent in this attack were not particularly sophisticated or original, the fact that the AI was able to piece them together to create a ransomware attack is noteworthy. The skill barrier required to execute ransomware has been reduced to the cost of simply running an AI.'

in AI,   Security, Posted by log1p_kr