Sysdig has documented a blackmail operation in which a language model-based agent executed nearly the entire attack without continuous human intervention. The campaign, dubbed JadePuffer, began by exploiting a vulnerable instance of Langflow and ended with encryption and deletion of production databases. The case is significant because AI did not develop new techniques: it chained known vulnerabilities, valid credentials, and insecure configurations at a speed difficult for a manual operator to match.
The technical keys of JadePuffer in 20 seconds
- Initial vector: exploitation of CVE-2025-3248 on an internet-exposed Langflow instance.
- Vulnerability severity: remote execution of Python code without authentication in versions prior to Langflow 1.3.0.
- Agent behavior: the system analyzed errors, modified its scripts, and retried without waiting for new instructions.
- Secret hunting: tracked API keys from providers, cloud credentials, database access, and cryptocurrency wallets.
- Persistence: added a task to
crontabto communicate with the attacker’s infrastructure every 30 minutes. - Move to production: accessed a server with MySQL and Nacos using administrator credentials.
- Impact: encrypted 1,342 Nacos configurations and deleted entire tables and schemas.
- Impossible to decrypt: the key was not stored or delivered to the attacker, so paying ransom would not have restored the data.
JadePuffer was not an AI acting independently to target victims. Human preparation was involved: someone selected the infrastructure, created the control environment, and provided some of the necessary access. From there, the agent took over much of the execution, from reconnaissance to data destruction.
This nuance does not diminish the case. Until now, much of AI’s criminal use focused on crafting phishing, generating malware variants, or assisting inexperienced operators. Here, the model acted as a persistent executor capable of observing the result of each command, correcting errors, and choosing the next step.
Langflow was the entry point
Initial access was gained through CVE-2025-3248, a critical Langflow vulnerability allowing remote execution of Python code without authentication.
Langflow is a visual platform for building applications and workflows with language models. Because of its function, it often runs close to highly sensitive credentials: OpenAI, Anthropic, Google, DeepSeek API keys, cloud tokens, database connections, and secrets used internally.
The vulnerability affected an endpoint related to code validation. An attacker could send a manipulated request and cause the server to execute Python. The flaw was fixed in Langflow 1.3.0, but the instance analyzed by Sysdig remained exposed and unpatched.
After obtaining remote execution, JadePuffer began collecting system information. It enumerated processes, inspected environment variables, reviewed configuration files, and searched for credential patterns.
The search included Western and Asian providers. In addition to AWS, Azure, and Google Cloud, the agent tracked access from Alibaba, Aliyun, Tencent, and Huawei. It also searched for keys to AI services, database credentials, and potential cryptocurrency wallets.
The agent dumped the PostgreSQL database used by Langflow, analyzed its contents, and later deleted some temporary files. It then started mapping the internal network, attempting to identify storage, configuration services, and other accessible systems.
To maintain access, it added an entry to crontab that ran every 30 minutes and connected to the attacker’s external infrastructure.
This persistence method is not sophisticated and can be detected through basic controls over scheduled task changes. Its value for JadePuffer lay in speed: there was no need to design a new mechanism if a conventional one sufficed.
The agent did not follow a rigid script
The most interesting part of the investigation is not the tools used but how the system responded when something failed.
Sysdig observed over 600 different loads during the operation. Many included comments and explanations in natural language about the code’s purpose, database value, or why a particular route was chosen.
A human operator can document scripts, but typically does not add detailed reasoning to hundreds of loads during an attack. That style aligns better with code generated by a language model that automatically explains what it is doing.
Behavior was also adaptive. When a MinIO request returned XML instead of the expected JSON, JadePuffer modified the parser and repeated the operation. It did not just rerun the same command or abandon the task.
In another sequence, it tried to create an admin account in Nacos but failed due to a password generation issue. The agent tested alternatives, reviewed default credentials, corrected the hash, and logged in 31 seconds after the initial failure.
This cycle of execution, observation, and correction distinguishes an agent from a traditional script set. A script might include conditions and retries but generally requires a developer to anticipate each possible error. A model can interpret an unexpected response and generate solutions on the fly.
The advantage for an attacker is clear. A single operator could deploy several agents against different targets and let each solve minor problems autonomously. The person would only intervene when the system encountered an insurmountable barrier.
Nacos and MySQL were exposed to the internet
The Langflow server was not the final target. JadePuffer moved deeper into another production machine running MySQL and Nacos.
Nacos is an open-source platform created by Alibaba for service discovery and dynamic configuration management. It’s used in microservice architectures to store parameters that can affect multiple applications’ operation.
The MySQL server accepted external connections, and the agent had root credentials. Sysdig did not observe these credentials being stolen during the intrusion, so it could not determine how they had reached the attacker.
Once inside, JadePuffer tried various methods against Nacos. It exploited authentication issues related to CVE-2021-29441, generated JWT tokens with a known default key, and directly modified internal tables to add an admin user.
Access to the database allowed altering the system below the application. Even if a web vulnerability failed, data could be inserted directly into the backend to create a valid account.
The agent also explored ways to escape the container or execute code on the host system via MySQL functions. It checked permissions, internal paths, extensions, and the Docker socket’s availability.
No immediate path was found to escalate that access. Instead of getting stuck, it removed some traces and proceeded to the destructive phase.
Ransomware ended up acting as a wiper
JadePuffer used MySQL’s AES_ENCRYPT() function to encrypt the 1,342 stored configurations in Nacos. Then it deleted the original tables and logs, creating a new table with the extortion note.
The message claimed the data was encrypted with AES-256 and provided a Bitcoin address and Proton Mail account.
Sysdig pointed out that MySQL’s default configuration uses AES-128-ECB for this function unless the administrator changed the encryption mode. The discrepancy could indicate the agent generated a generic ransom note without verifying the server’s exact behavior.
The bigger problem for the victim was another: the key was randomly generated, appeared only once in the agent’s output, and was neither stored nor sent to the attacker’s infrastructure.
The operator could not provide a decrypting tool because they did not have the key. Even if the organization paid, they would not have been able to restore the configurations.
The Bitcoin address included in the note also seems to come from common public examples used in documentation. Investigators could not confirm if it is under the attacker’s control.
After encryption, JadePuffer continued deleting information. It moved from deleting rows and tables to destroying entire database schemas. The code itself claimed data had been exfiltrated beforehand, but Sysdig could not verify this copy existed.
In practice, the attack ended up acting as a wiper: it destroyed data and added an extortion demand but lacked a real mechanism to recover the data.
This inconsistency highlights an important limitation of offensive agents. They can execute many steps quickly but do not maintain a reliable end-to-end strategy. The model followed the instruction to encrypt and extort but did not safeguard the key needed to complete the criminal process.
For the victim, the distinction is meaningless. Poorly constructed ransomware can cause the same operational damage as one designed for decryption.
Implications for security teams
JadePuffer did not exploit a zero-day, employ advanced evasion techniques, or use an unknown chain of vulnerabilities. Its success relied on an unpatched Langflow instance, exposed production services, default keys, and admin credentials.
What’s new is the speed at which the agent combined these errors.
Defensive teams often operate under the assumption there’s a window between initial access, reconnaissance, and destructive action. In an automated operation, this gap can shrink from hours to minutes.
Isolated alerts also lose value when they are not correlated in time. A Python execution in Langflow, a new crontab task, an internal scan, and multiple attempts against Nacos might appear as separate incidents. An agent can complete the entire chain before an analyst even reviews the first signal.
Detection should focus on behaviors and sequences. Useful indicators could include:
- Unusual Python executions from AI orchestration services.
- Mass access to environment variables and secret files.
- Unexpected creation of scheduled tasks.
- Reconnaissance queries across multiple internal services.
- Repeated script generation with minor modifications.
- Direct changes to Nacos authentication tables.
- Use of encryption functions over large data volumes.
- Rapid deletion of tables or schemas following a read phase.
The cadence of actions can also reveal automation. A human operator usually takes longer to analyze an error, fix a script, and rerun it. Multiple variants generated in seconds may indicate an agent is at work.
These signals will not be permanent. Attackers will learn to introduce pauses, remove comments, and reduce verbosity. Still, during this initial phase, they offer an opportunity to craft specific detection rules.
Immediate measures for Langflow, Nacos, and databases
Organizations using Langflow should update at least to version 1.3.0 or later that includes the CVE-2025-3248 fix.
The interface and endpoints capable of code validation or execution should not be accessible directly from the internet. It is preferable to place them behind a VPN, an authenticated proxy, or a restricted management network.
Cloud provider keys and model credentials should not be stored as static variables inside Langflow. A secrets manager can deliver temporary credentials and limit each identity to only necessary operations.
Nacos should remain on private networks. Its token.secret.key must be replaced with a unique, random value, and the platform should be updated to a version that rejects insecure default configurations.
The account used by Nacos to access MySQL does not need full admin privileges. It should be limited to its database and the operations used by the application.
MySQL should not accept root connections from the internet. Firewall rules must restrict the port to specific sources, and each service should have its own dedicated account.
Outbound controls are equally important. The compromised Langflow server could periodically communicate with external infrastructure and scan other systems. Implementing limited egress policies would reduce the attack surface and generate clearer alerts.
The arrival of offensive agents does not replace traditional security practices but makes them more urgent. When a model can test, correct, and continue within seconds, an overlooked service online leaves less time to react.
Frequently Asked Questions
Was JadePuffer a fully autonomous attack?
No. There was human preparation involving victim selection and some access provisioning. The agent autonomously executed much of the subsequent phases.
What vulnerability did it exploit to get in?
It exploited CVE-2025-3248 in Langflow, which allows remote code execution of Python in vulnerable versions.
Could the data be recovered by paying ransom?
No. The encryption key was not stored or sent to the attacker, and the agent ended up deleting entire databases.
What should administrators review now?
The exposure of Langflow, Nacos, and MySQL, installed versions, default keys, high-privilege accounts, scheduled tasks, and outbound traffic to unauthorized destinations.

