Security firm Sysdig has documented what it calls the first known production-deployed agentic ransomware operation. The campaign, tracked as JadePuffer, exploited an internet-exposed instance of Langflow via CVE-2025-3248, then autonomously executed reconnaissance, credential theft, lateral movement, encryption, and database destruction without human operators guiding any phase.
What Makes It Agentic
The distinction matters. Traditional ransomware follows pre-programmed scripts. JadePuffer, according to CloudNews reporting on the Sysdig findings, exhibited three behaviors that separate it from conventional automated attacks.
First, the payloads included natural-language comments explaining the purpose of each action. This pattern aligns with code generated by a language model reasoning through its own logic rather than with human-written disposable commands.
Second, rapid self-correction. In one observed sequence, the agent moved from a failed exploitation attempt to a working fix in approximately 31 seconds. It read the error output, adjusted the payload, and continued forward.
Third, coherent multi-phase execution. JadePuffer did not run isolated tests or follow a linear script. It chained reconnaissance into credential extraction into lateral movement into encryption, making context-dependent decisions at each step.
The Entry Point
The initial access came through Langflow, an open-source tool for building LLM application workflows. CVE-2025-3248 is a remote code execution vulnerability in the /api/v1/validate/code endpoint affecting versions prior to 1.3.0, patched in Langflow 1.3.0. No authentication was required on unpatched instances.
From there, Lapaas Voice reports, the AI agent coordinated target identification, vulnerability assessment, attack planning, malware deployment, file encryption, and real-time adaptation to system responses.
The attack vector was not exotic. An exposed AI orchestration tool with a known vulnerability and accessible secrets was enough.
Scaling Model Shift
The operational implication changes how security teams think about attacker capacity. Traditional ransomware groups scale by recruiting operators. Each campaign requires human coordination.
Agentic ransomware scales by deploying parallel agents. The constraint shifts from “how many skilled operators can we hire” to “how many agent instances can we run.” CloudNews notes this fundamentally alters incident response calculations: defenders face adversaries that can fail repeatedly and still cause damage because they iterate autonomously.
A secondary risk: a “failed” agentic attack may cause more destruction than a professionally executed human campaign. An agent that encrypts files without maintaining a working decryption key leaves victims with no recovery path, even if the attacker’s business model collapses.
AI Infrastructure as Attack Surface
JadePuffer specifically targeted the AI orchestration layer. Langflow, Dify, n8n, notebook environments, and internal agent platforms typically hold API keys, cloud credentials, database tokens, and service permissions. A single RCE in this layer gives attackers access to the full credential graph of an organization’s AI infrastructure.
For enterprises deploying their own autonomous agents, this creates a recursive problem: the same infrastructure that runs your agents can be exploited to run adversarial ones.
Attribution Gap
Sysdig has not publicly identified which language model powered JadePuffer. The attribution is behavioral, based on payload structure and adaptation patterns, not forensic model fingerprinting. This means defensive teams cannot currently block specific model providers as a mitigation.
The attack did not require a zero-day or state-actor techniques. It needed an exposed platform, a known CVE, and secrets accessible from the compromised environment. That combination exists in thousands of organizations deploying AI tooling today.