Practical guides to protect yourself, your family, and your business from AI-driven scams, deepfakes, and emerging cyber threats.
On July 1, 2026, the threat research team at security firm Sysdig published something new: a ransomware attack carried out from start to finish by an artificial intelligence agent, with no human steering it. The team named the operator JADEPUFFER. A large language model, the kind of AI that powers chatbots, broke into a server, stole credentials, moved deeper into the network, planted a way back in, then encrypted and wiped a company's production database. It even wrote notes to itself explaining each step as it went.
Ransomware has always needed a skilled person somewhere in the loop, either typing the commands or writing the script the malware follows. JADEPUFFER is the moment that assumption breaks. If a model can chain the steps of an intrusion on its own, the expertise required to run one drops to whatever it costs to rent an AI agent. That is why this incident reframes the risk for anyone still running a server they have stopped thinking about.
The way in was an old bug that already had a patch. JADEPUFFER exploited CVE-2025-3248, a missing-authentication flaw in Langflow, an open-source tool teams use to build AI apps and agent workflows. The flaw lets anyone who can reach the server run their own Python code on it, no login required. It was fixed in Langflow version 1.3.0 and added to the US government's Known Exploited Vulnerabilities list back in May 2025, yet thousands of servers were never updated. Langflow machines make an appealing first stop because they sit on the internet and tend to hold the API keys and cloud credentials for every AI service they connect to.
Once inside, the agent worked at a pace no human matches. It mapped the machine, then swept it in parallel for secrets: AI provider keys, cloud logins for Western and Chinese platforms alike, crypto wallets, and database passwords. It raided a MinIO storage server (a self-hosted system for holding files and backups) using the factory-default login minioadmin:minioadmin, which nobody had changed. It set a scheduled task to ping the attacker's server every thirty minutes so it could return. Then it pivoted to the real prize: a separate internet-facing server running a MySQL database and Alibaba's Nacos, a settings directory common in microservice setups. It logged in as root, seized Nacos using a 2021 authentication bypass and a default signing key the software has shipped unchanged since 2020, and planted its own administrator account.
The clearest evidence was the code itself. The attack payloads were full of plain-English commentary explaining why each step was being taken, the running narration a human operator never bothers to write but a model produces by reflex. It included ranking targets by value and singling out the "largest" database to destroy. The second signature was speed under failure. When a planted admin login failed, the agent diagnosed the exact cause and shipped a correct, fifteen-line, multi-step fix in thirty-one seconds, far faster than a person could read the error and draft a repair. When a database refused to drop because of a foreign-key constraint, the next payload disabled that check and tried again. These were accurate diagnoses, not blind retries.
The concrete damage was one company's production configuration store, encrypted with a key that no longer exists and its backup tables dropped on top. What it means for you is a shift in who has to worry. For years the quiet reassurance was that a neglected, internet-facing server was probably not worth a skilled attacker's time. That reassurance is gone. An agent can spray the entire back catalogue of known bugs across the internet for almost nothing, so the long tail of unpatched systems becomes more exposed, not less. JADEPUFFER used no novel technique at all. It chained a 2025 flaw, a 2021 bypass, a 2020 default key, and a login nobody rotated into a full extortion operation on its own. The skill floor for ransomware has dropped to the price of running a model, and if that model runs on stolen AI credits, the cost is close to zero.
JADEPUFFER is a warning sign, not a catastrophe. None of its moves was clever. What is new is that a model stitched ordinary techniques into a complete attack against a forgotten server, narrating its own reasoning the whole way. That narration is oddly useful to defenders, because an agent that explains its intent in its own payloads is easier to catch than a quiet human. Bring one question to your next security review: if a machine probed every server you own tomorrow, which one have you stopped patching because you assumed nobody would bother?


