AI Agent’s First Solo Ransomware Attack: Database Breached Within One Hour

Sysdig reveals the world’s first fully autonomous ransomware attack carried out end-to-end by an AI Agent, JADEPUFFER. From vulnerability exploitation, credential theft, and lateral movement to database encryption, the entire process required no human intervention, with the attack chain completed in less than one hour.
Sysdig dropped a report yesterday that shook the cybersecurity world: an AI Agent that independently executed an entire ransomware chain—from vulnerability detection, intrusion, lateral movement, credential theft, to database encryption—without any human involvement. They labeled this attacker JADEPUFFER.
This is the first publicly disclosed case with complete forensic evidence of a fully autonomous AI Agent ransomware attack. Previously, discussions about AI in cyber attacks mostly focused on phishing email generation, vulnerability code assistance, or social-engineering script optimization—cases where AI acted as a copilot. The significance of the JADEPUFFER incident lies in this: the copilot has taken the driver’s seat, controlling the steering wheel, accelerator, and brakes all by itself.

An “Unoriginal” But Chilling Attack
Let’s start with the conclusion: this attack did not use any zero-day exploits or introduce any new offensive techniques. What’s frightening is that all methods were old tricks—only this time, their combination, decision-making, and execution were entirely handled by AI, with a speed and precision that human red teams can hardly match.
The entry point was a Langflow service exposed to the internet. Langflow, a popular visual Agent orchestration tool within the LangChain ecosystem, has a critical vulnerability, CVE-2025-3248, which allows remote execution of Python code without authentication. The flaw was patched in version 1.3.0, and in 2025 CISA added it to the “Known Exploited Vulnerabilities” list—yet many unpatched instances remain publicly exposed. This is a common illness across AI infrastructure globally: fast to deploy, slow to patch.
After breaking in, JADEPUFFER’s first action was not to drop malware but to systematically inventory the environment, targeting very specific items:
- API keys of large model services: OpenAI, Anthropic, DeepSeek, Gemini
- Cloud platform credentials: Alibaba Cloud, Tencent Cloud, Huawei Cloud, AWS, Google Cloud, Azure
- Database accounts and configuration files
- Cryptocurrency wallets and seed phrases
- Langflow’s own PostgreSQL database export
This “shopping list” is quite revealing. Large model API keys ranked first—virtually a declaration that the AI Agent needed to “recharge itself.” Stolen keys can power more attacks, generate additional decision chains, or even be sold for profit. It echoes the logic of traditional cybercrime stealing cloud credentials for cryptomining—the target simply shifted to inference tokens.
From Langflow to MySQL: A Textbook Lateral Path
After initial foothold, the AI executed two very “professional” actions:
First, it used MinIO’s default credentials minioadmin to access object storage and download stored access key configuration files. This is textbook “easy points for default passwords”—any human pen tester spotting MinIO would try this instinctively; the AI just formalized that reflex.
Second, it planted a scheduled task on the victim machine to call back its C2 server every 30 minutes. The timing is deliberate—too frequent risks EDR detection for abnormal outbound traffic; too sparse risks losing sync during incident response. A half-hour heartbeat is common among real-world red teams.
The real kill shot came next. JADEPUFFER pivoted to another production server on the same subnet running a MySQL database and Alibaba’s open-source configuration center Nacos.
- First logged in using MySQL’s root account (credentials likely sourced from earlier config files)
- Then chained CVE-2021-29441 (Nacos authentication bypass)
- Combined with an unchanged default JWT signing key
Three hits in one, granting full Nacos admin access, and planting a hidden administrator account into the database. After that, encryption, data exfiltration, or destruction was a matter of time.
Note the year of CVE-2021-29441—2021. A four-year-old vulnerability still running naked in production environments needs no further explanation. Nacos is extensively used across companies; if you happen to run an unpatched instance with the default JWT key, fix it now.
Breach in an Hour: AI Shifts the Tempo of Cyber Operations
Sysdig previously reported a similar case with timestamps: from initial exploit to data exfiltration, total time under one hour. That time the breach started from a vulnerable marimo notebook; the AI obtained workload credentials, stole AWS keys, scanned AWS Secrets Manager, found an SSH key, jumped to a bastion host, and grabbed a PostgreSQL database—all seamlessly.
Sysdig’s Senior Director of Threat Research, Michael Clark, said something that hits hard:
Attackers can compress what previously took hours of human analysis and decision-making into mere minutes using AI. Purely relying on patching to defend against all intrusions is increasingly unrealistic—your security resilience depends on how fast you can detect, assess, and contain incidents once they start.
In plain words: human analysts parsing logs, holding meetings, coordinating across departments—the old playbook can’t keep up anymore.
Researchers determined the attack scripts were LLM-generated in real time rather than prewritten, based on four behavioral indicators detailed in Sysdig’s report. The key measure was dynamic adaptation to the environment—handling different database versions, shells, and privilege layers—beyond what static scripts can achieve.
Not an Isolated Case: AI Agent Attacks Move from PoC to Real-world
Zooming out, JADEPUFFER is not the first autonomous AI Agent attack of 2026.
In late February, McKinsey’s internal AI platform Lilli was compromised by CodeWall’s autonomous agent, which—without any internal credentials—breached the system within two hours, via SQL Injection, exposing 46.5 million chat records, 728,000 documents, and 57,000 user accounts, with even its System Prompt stored in a writable database. That was a red team exercise—a “white-hat feasibility test”; JADEPUFFER, however, is a real-world attack, fundamentally different.
Combine that with the recent 360 Ransomware Trends Report 2025 stating “AI is reshaping the ransomware landscape, evolving from auxiliary tool to core engine,” and you see a clear curve forming:
- 2023–2024: AI assists phishing, evasion, and payload crafting—human-led
- 2025: AI enters decision chains—humans still make key judgments
- Early 2026: Fully autonomous attack agents emerge—humans take a back seat
What’s next? Most likely “collaborative attack agents”—one for reconnaissance, one for exploitation, one for persistence, one for monetization—each working asynchronously. This architecture is already standard in legitimate AI Agent applications; replicating it on the attacker’s side is trivially easy.
What This Means for Developers and Ops Teams
Practically speaking, a few priorities need reshuffling:
1. Stop exposing AI orchestration tools directly to the internet.
Langflow, Dify, n8n, marimo notebooks—all are essentially “remote code execution as a service.” Once public-facing, they become high-value targets. Vulnerabilities like CVE-2025-3248 will keep surfacing—fast iteration, massive codebases, limited audits. Either keep them internal, wrap them behind SSO or gateways, or at least put a WAF in front.
2. Upgrade API key management for AI Agents.
This attack prioritized stealing large model API keys—meaning LLM keys now rank alongside cloud credentials in attacker value models. Recommendations:
- Separate keys by tenant and environment, not a single master key
- Set usage rate and spending limits (most aggregators support this)
- Host keys in a management service—don’t hardcode them
- Rotate regularly, so exposure has a damage-limiting window
One more note: many teams connect OpenAI, Anthropic, Gemini, and DeepSeek to one shared key for convenience. Using aggregators like OpenAI Hub helps unify limits, quotas, and call-origin controls. If a key leaks, you can instantly cut it off globally—assuming alerts and limits are properly configured.
3. Re-scan for default passwords and old vulnerabilities.
JADEPUFFER used minioadmin, Nacos’ default JWT, and CVE-2021-29441—all timeworn issues. The AI’s advantage is patience and coverage—it will methodically test everything humans skip for time.
4. Improve telemetry granularity and real-time response.
Michael Clark’s statement—“resilience depends on how fast detection and containment happen”—is no exaggeration. A consistent 30-minute heartbeat, sudden new Nacos admin accounts, mass root database exports—all are observable if proper logging and alert rules are in place.
Conclusion: The Era of Symmetrical Offense and Defense Is Over
Traditionally, attack and defense rhythms were roughly symmetrical—weeks of attacker prep countered by days of defender response. The JADEPUFFER event broke that symmetry: attack decisions happen in minutes, while defenses still respond in hours—or days.
Bridging that gap by manpower is impossible. Using AI to defend against AI is the only path forward—but it demands genuine investment in automated playbooks, telemetry coverage, and model capabilities, not just marketing labels like “AI-powered SIEM.”
This battle has just begun. JADEPUFFER won’t be the last codename; similar incidents will likely appear quarterly over the next year. For developers and ops teams, the actionable step is clear: patch outdated components, rotate stale keys, configure alerts—do it now, before AI attackers take the initiative.
References
- ITHome: The world’s first AI Agent ransomware attack exposed—fully autonomous from vulnerability exploitation to database encryption — Original Sysdig disclosure of the JADEPUFFER incident, with full attack chain details



