JADEPUFFER is believed to be the first documented ransomware campaign executed entirely by an autonomous large language model. The operation completed an end-to-end intrusion with little evidence of continuous human direction, marking a new milestone in how AI is being used during cyberattacks.
After exploiting CVE-2025-3248, a vulnerability affecting the AI application framework Langflow, the campaign expanded into a separate production environment before targeting a MySQL database and Alibaba’s Nacos configuration service.
Using publicly known vulnerabilities and existing enterprise infrastructure, the AI agent carried out the entire ransomware operation, raising new questions about how autonomous AI systems may be used in future attacks.
Why It Matters: JADEPUFFER demonstrates that autonomous AI agents are moving beyond isolated tasks such as writing malware or phishing content. The campaign completed an entire intrusion while responding to changing conditions during execution, suggesting that future attacks may require less operator involvement and place greater pressure on organizations to secure internet-facing applications, identity systems, and AI infrastructure before they become entry points.
- Langflow Provided the Initial Entry Point: JADEPUFFER exploited CVE-2025-3248, an unauthenticated remote code execution vulnerability affecting Langflow. After gaining access, the agent searched the compromised server for credentials and configuration data that could facilitate further access. It extracted additional information from Langflow’s PostgreSQL database and a MinIO object store, then used the recovered credentials to access the intended production environment.
- Autonomous Adaptation Occurred Throughout the Intrusion: Rather than following a fixed sequence of commands, JADEPUFFER adjusted its approach whenever an attempt failed. After an unsuccessful authentication attempt, it generated revised code, recreated a backdoor administrator account, and successfully logged in 31 seconds later. It also changed its XML parsing after receiving an unexpected response and modified database operations when earlier attempts did not succeed.
- Production Systems Became the Primary Target: After reaching the production environment, the agent focused on Alibaba’s Nacos configuration platform and its backing MySQL database. More than 1,300 configuration records were encrypted before production and historical tables were deleted. The attack concluded with a ransom note containing a Bitcoin payment address and contact information. Because the encryption key was generated once and never retained, there was little opportunity to recover the encrypted data.
- Persistence Extended the Attack: Before pivoting to the production environment, JADEPUFFER established persistence on the compromised Langflow server by creating a scheduled task that contacted attacker-controlled infrastructure every 30 minutes. That access could allow the compromised system to remain available even after the initial intrusion had progressed elsewhere.
- Self-Narrating Code Supported the AI Assessment: The generated Python payloads included natural-language explanations describing intended actions, target selection, and expected outcomes. The agent also interpreted information returned by the environment and generated task-specific corrections as the intrusion progressed. Those behaviors differed from conventional scripted ransomware and supported the assessment that an autonomous large language model directed the operation.
Go Deeper -> JADEPUFFER: Agentic ransomware for automated database extortion – sysdig
JadePuffer: The First Complete LLM-Driven Ransomware Attack – 20DarkReading
Trusted insights for technology leaders
Our readers are CIOs, CTOs, and senior IT executives who rely on The National CIO Review for smart, curated takes on the trends shaping the enterprise, from GenAI to cybersecurity and beyond.
Subscribe to our 4x a week newsletter to keep up with the insights that matter.


