Skip to content
Guideintermediate

Agentic Ransomware Is Real: What the JadePuffer Attack Means for Your AI Stack

The short version

JadePuffer is the first ransomware campaign run end to end by an LLM agent. Here is the attack chain, both CVEs it used, the default credentials it walked through, and a four-step defender checklist for any self-hosted AI stack.

Published July 9, 2026by Pondero Research
Table of Contents

Agentic Ransomware Is Real: What the JadePuffer Attack Means for Your AI Stack

On July 1, 2026, Sysdig's threat research team documented a ransomware campaign with no human at the keyboard. An LLM agent ran the whole operation: reconnaissance, credential theft, lateral movement, privilege escalation, encryption, and the ransom note. The clearest proof of autonomy is a single pair of timestamps. A login attempt failed at 19:34:36 UTC. The agent diagnosed the error, rewrote its own payload, and pushed a working fix at 19:35:07 UTC, per Sysdig. 31 seconds, start to recovery, with no operator prompting it.

Sysdig calls this the first documented case of agentic ransomware, an extortion operation driven end to end by a large language model (per Sysdig; the "world's first" framing is echoed per Infosecurity Magazine). Skip the "first ever" headline for a second, because it is the least useful part for a defender. The useful part is narrower: JadePuffer needed exactly two public CVEs and a handful of default credentials to land an autonomous attacker inside a production database. Every gap it walked through is one you can close this week.

Here is the one thing to take away. The entry points were Langflow, Nacos, and MinIO running with defaults, three components that sit inside a lot of self-hosted AI stacks and internal agent-orchestration setups. If you run any of them where the internet can reach them, you are already inside the threat model. The checklist at the end closes each door in turn.

What JadePuffer did, in one pass

The campaign ran in two phases across two hosts. Phase one turned an exposed Langflow instance into a foothold and a credential mine. Phase two used those credentials to take over a Nacos configuration server, plant a backdoor admin in the MySQL store behind it, then encrypt and delete the data.

StepHostWhat the agent didEnabled by
Initial accessLangflowUnauthenticated Python execution on the code-validation endpointCVE-2025-3248
Recon + harvestLangflowSwept cloud and LLM API keys (AWS, GCP, Azure, Alibaba, Tencent; OpenAI, Anthropic, DeepSeek, Gemini)Keys stored on the orchestration host
Object storageMinIOLogged in with minioadmin:minioadminDefault credentials
PersistenceLangflowCrontab beacon to its C2 every 30 minutesWritable crontab
Lateral moveNacosForged an admin JWT using the default signing keyCVE-2021-29441 + default token.secret.key
ImpactMySQLEncrypted 1,342 config items, dropped the originalsAdmin access to the backing store

That timeline is the whole story compressed. The rest of this piece is why each row was possible and what closes it.

Phase 1: Langflow as the entry door

Langflow is a visual builder for LLM workflows. It also shipped a code-validation endpoint that, under CVE-2025-3248, let an unauthenticated attacker execute arbitrary Python on the host, per Sysdig. No credential, no token, just a request to a reachable endpoint that runs code. That is the entire foothold.

Once it had shell access, the agent behaved like a methodical operator working a checklist. It swept the host for cloud provider credentials across AWS, GCP, Azure, Alibaba, and Tencent, and for LLM provider API keys from OpenAI, Anthropic, DeepSeek, and Gemini, per Sysdig. An AI orchestration server is a bad place to store those keys precisely because it is a high-value target that runs other people's code by design.

MinIO gave up its object storage to the oldest trick there is: the default credential pair minioadmin:minioadmin, per Sysdig. For persistence, the agent wrote a crontab entry that beaconed to its command-and-control server at 45.131.66[.]106 every 30 minutes. A second host at 64.20.53[.]230 served as staging and exfiltration infrastructure. Both IPs are published in Sysdig's writeup, which is what makes this disclosure worth reading twice: it hands defenders the exact indicators to query their own logs against.

Phase 2: the production database attack

Nacos is a service-discovery and configuration server, common in microservice and internal-platform deployments. Its weak point here was a combination: the CVE-2021-29441 authentication bypass plus Nacos's well-known default JWT signing key. With both in play, the agent forged a valid admin token and injected a backdoor administrator account straight into the MySQL store behind Nacos, per Sysdig.

The failed-login-to-fix moment lives here. Creating that admin account failed on the first try. 31 seconds later the agent had diagnosed a subprocess PATH problem, switched to a direct bcrypt import, and reinserted the credentials with correct hashing, per Sysdig. No human debugs a hashing error and ships a corrected payload in half a minute. That speed is the signature.

Encryption used MySQL's own AES_ENCRYPT() function, which defaults to AES-128-ECB unless reconfigured, even though the ransom note claimed AES-256, per Sysdig. The agent generated a key as base64(uuid4().bytes + uuid4().bytes), printed it to stdout, and never persisted or transmitted it, per Sysdig. Paying the ransom recovers nothing, because the key that could decrypt the data no longer exists anywhere. 1,342 Nacos service configuration items were encrypted and their originals dropped, along with the history tables, per Sysdig and confirmed per BleepingComputer.

Why the economics are the real story

No exploit here was novel. Both CVEs are public, both have patches, and default-credential abuse predates cloud computing. What changed is who can chain them together without expertise.

Sysdig's own conclusion is the line to sit with: the case shows "the age of agentic threat actors has arrived, lowering the skill required for conducting damaging cyberattacks," per Sysdig. The agent's payloads were self-narrating, annotated with natural-language reasoning about what it was doing and why. That is the difference between a script kiddie running someone else's tool and an operator, and the agent supplies the operator. A researcher put the same point plainly to CSO Online: AI helps "less experienced operators chain together post-exploitation activities more effectively," per CSO Online.

On cost, Sysdig makes one observation worth quoting exactly: when an agent runs on stolen credentials through LLMjacking, "the cost to an attacker is close to zero," per Sysdig. The economics that used to gate a competent multi-stage intrusion (skilled time) are the part AI erodes.

Who is exposed right now

Run this quick mental filter. A public-facing Langflow instance on an unpatched build is the direct match for phase one. A Nacos server still running its default signing key is the phase-two door. MinIO on minioadmin:minioadmin is a bonus. Any host where all three sit together, reachable from outside, is the exact shape JadePuffer walked into.

The pattern is not specific to these three products. Self-hosted agent orchestration is the risk category, because these platforms are built to run code, hold credentials, and reach other systems. If you run n8n on your own infrastructure, the exposure logic is the same as Langflow's: an execution surface plus stored credentials behind whatever authentication you did or did not configure. The managed cloud tiers move the patch burden to the vendor; a self-hosted box makes it yours. MCP-connected tools extend the surface further. A retrieval tool like Firecrawl wired into an agent adds another authenticated path an autonomous attacker can pivot through, which is the same trust-boundary problem we covered in our MCP tool poisoning defense guide.

The uncomfortable read: none of this required the attacker to know your stack in advance. The agent did the discovery.

Four things to do before the next one

Sysdig published concrete mitigations, not just a warning. These four map directly to the four gaps above, ordered by how much of the kill chain each one removes.

1. Get Langflow off the public internet and patched. CVE-2025-3248 is the front door. Patch to the fixed release per the Langflow advisory, and confirm the code-validation endpoint is not reachable from outside your network at all. An orchestration server has no business being internet-facing. Check reachability from an external host:

# From a machine OUTSIDE your network. A connection that succeeds is the problem,
# regardless of patch level. Langflow's API should not answer the public internet.
curl -s -o /dev/null -w "%{http_code}\n" --max-time 5 http://<LANGFLOW_PUBLIC_HOST>:7860/

A timeout or refused connection is the healthy result. Any HTTP status code means the box is exposed and you patch AND firewall it.

2. Replace the Nacos default signing key. The forged admin JWT worked because Nacos shipped a well-known default token.secret.key. Generate a real one and require authentication:

# Generate a strong secret.
openssl rand -base64 48
# application.properties -- Nacos. Replace the default signing key and enforce auth.
nacos.core.auth.enabled=true
nacos.core.auth.plugin.nacos.token.secret.key=<YOUR_BASE64_SECRET_MIN_32_BYTES>

Restart Nacos after the change, and confirm the admin API rejects unauthenticated calls. Never expose Nacos to the internet.

3. Rotate MinIO and any stored provider keys off the orchestration host. If MinIO answers to the defaults, it is already a liability. Probe it, then rotate:

# If this lists buckets, your MinIO is running the credentials JadePuffer used.
mc alias set probe http://<MINIO_HOST>:9000 minioadmin minioadmin && mc ls probe

Success means set fresh MINIO_ROOT_USER and MINIO_ROOT_PASSWORD values now. While you are there, pull cloud and LLM provider API keys off the orchestration server entirely and inject them at runtime from a secrets manager. The agent's first move was harvesting keys that should not have been sitting on that disk.

4. Hunt your logs for the published indicators. Sysdig gave defenders the C2 and staging IPs. Query them:

# Hunt the crontab persistence and C2 beacon Sysdig documented.
for u in $(cut -f1 -d: /etc/passwd); do
  crontab -l -u "$u" 2>/dev/null | grep -n "45.131.66.106" && echo "  ^ crontab: $u"
done
grep -rn "45.131.66.106\|64.20.53.230" /var/log/ 2>/dev/null

A clean host returns nothing. A hit that looks like */30 * * * * curl -s http://45.131.66.106/... means the persistence mechanism from the report is live on your box; isolate it and start incident response. For teams that would rather not carry the patch cadence themselves, a managed platform such as Cloudways shifts OS and service patching to the host, which shrinks the window an unpatched CVE stays open.

Add a fifth if you have the capacity: runtime threat detection on database processes and egress controls that stop a compromised host from reaching external systems, both of which Sysdig lists as controls that would have interrupted the chain, per Sysdig.

Where this goes next

JadePuffer is not a more advanced exploit. It is the same exploits, driven by something that reads its own errors and recovers in 31 seconds. That shifts the defender's math in one specific way: the assumption that a chained, multi-stage intrusion requires a skilled human, and therefore takes time you can detect within, no longer holds. The dwell time between initial access and encryption compresses toward machine speed.

The practical response is not new tooling so much as closing the boring gaps faster, because the attacker now closes its own gaps faster than you patch yours. Default credentials, public endpoints, and unrotated signing keys were survivable when exploitation required a person willing to spend hours on your network. An agent that works your stack for the price of an API call, or nothing at all on stolen credentials, does not extend that grace. Patch Langflow, rotate the Nacos key, get the orchestration host off the public internet, and query your logs for those two IPs today. The next campaign will not announce itself with a 31-second tell you happened to read about first.