For years, security researchers have warned that artificial intelligence would eventually run a cyberattack from start to finish without a human clicking a single button. That moment appears to have arrived. Cloud security firm Sysdig says it has captured the first fully documented case of what it calls agentic ransomware: an attack in which an AI agent handled reconnaissance, credential theft, lateral movement, privilege escalation, and data destruction almost entirely on its own.
The operation, which Sysdig’s Threat Research Team named JadePuffer, unfolded in late June 2026 and targeted a production database server. What makes it different from the ransomware campaigns of the past decade is not the outcome. Companies have been losing data to extortion gangs for years. What is new is who, or rather what, was driving.
How the Attack Actually Worked
JadePuffer’s entry point was an internet-facing instance of Langflow, an open source framework used to build AI applications, through an unauthenticated remote code execution flaw tracked as CVE-2025-3248. From there, the AI agent harvested cloud and LLM-provider credentials sitting on the compromised host and used them to pivot toward its real target: a separate, internet-exposed server running a MySQL database alongside Alibaba’s Nacos configuration service.
To get into Nacos, the agent exploited an authentication bypass vulnerability that has been public knowledge since 2021, a reminder that attackers, human or otherwise, rarely need a fresh zero-day when old, unpatched bugs are still sitting on the internet. Once inside, the agent methodically encrypted all 1,342 configuration items stored on the server, then deleted the originals so that even a ransom payment could not restore the data. It closed the operation by dropping a Bitcoin ransom note.
None of that sequence, on its own, is unusual for a ransomware crew. What stood out to Sysdig researchers was how the agent handled friction. When an early attempt to log into an admin account failed, the AI diagnosed the cause of the failure, adjusted its approach, and successfully regained access in 31 seconds, without waiting for a human operator to weigh in. Sysdig also found that more than 600 payloads generated during the operation carried plain-language comments in which the agent narrated its own reasoning, essentially leaving behind a diary of its decision-making as it worked.
A Warning Sign, in the Researchers’ Own Words
Michael Clark, Sysdig’s Senior Director of Threat Research and the author of the report, did not mince words about what the incident represents. “JadePuffer is a warning sign,” Clark wrote. “It’s a marker of where extortion tradecraft is heading. An autonomous agent reasoned about its targets, harvested and reused credentials, moved laterally, established persistence, and destroyed a database, narrating its own intent the entire way.”
Clark also pointed to the economics of the shift, which may matter more than the technical novelty. “The skill floor for running ransomware has dropped to whatever it costs to run an agent,” he noted, adding that when that agent is operating on stolen cloud credentials through so-called LLMjacking, the cost to an attacker can be close to zero. Ransomware used to require a chain of specialists: someone to gain access, someone to move laterally, someone to handle encryption and negotiation. JadePuffer suggests a single operator with API access to a capable model can now approximate that entire crew.
Not Fully Autonomous, and That Nuance Matters
It is worth resisting the more breathless version of this story. Several outlets that reviewed Sysdig’s findings, including TechCrunch, pushed back on the idea that JadePuffer ran completely without human involvement. A person still had to choose the target, set up the initial infrastructure, and point the agent at its objective. What the AI handled independently was everything that came after that starting gun: the exploitation, the credential reuse, the lateral movement, and the destructive finale.
That distinction is not just semantic. It tells defenders where the actual shift in labor has happened. Attackers still need to make strategic decisions up front, but the tedious, error-prone middle of an intrusion, the part that used to require a skilled operator sitting at a keyboard for hours, can now be delegated to software that adapts faster than most security teams can respond.
Part of a Bigger Pattern in Agentic AI Security
JadePuffer did not appear in a vacuum. It lands amid a wider pattern of exploitable AI agents turning up inside mainstream enterprise software, where researchers keep finding that agents given broad access to corporate systems can be manipulated or can simply make destructive choices on their own. The common thread is that autonomy, the very feature companies are racing to deploy, is also what makes an AI agent dangerous once it falls into the wrong hands or is given too much trust.
The old assumption in incident response was that a human attacker needs time to figure out what to do next after something goes wrong mid-intrusion, and that pause is often when defenders catch the intrusion. JadePuffer’s 31-second recovery from a failed login suggests that assumption no longer holds for agentic attackers, which is a genuinely uncomfortable adjustment for security teams that built their playbooks around human response times on both sides of the fight.
Why the Timing Makes It Worse
This attack also lands at a moment when the raw volume of ransomware was already climbing sharply. Ransomware attacks in the United States have already surged by nearly 150 percent over the past year, according to industry tracking, well before agentic tooling entered the picture in a documented, public way. If autonomous agents genuinely lower the cost and skill required to run a full campaign, that existing growth curve has little reason to flatten out.
The Langflow flaw that gave JadePuffer its foothold is also a useful reminder of a much older problem that AI has not solved: patching discipline. Old, known vulnerabilities remain the easiest way into most networks, agentic or not, and recently disclosed flaws in widely used software tend to get weaponized within days of becoming public. An AI agent that can scan for, identify, and exploit those gaps faster than a human simply shrinks the window defenders have to respond.
What Defenders Are Being Told to Do Now
Security researchers tracking the fallout from JadePuffer are converging on a few concrete recommendations rather than vague calls for vigilance. The first is treating AI agents themselves as a category of insider risk, an approach some in the industry are calling agent zero trust, which means giving any autonomous system the narrowest possible scope of access and cryptographically verifiable identity rather than broad standing credentials.
The second is accepting that incident response plans built around human attacker timelines need to be rewritten. A playbook that assumes an intruder needs hours to escalate privileges or move laterally is no longer a safe assumption when an agent can retry a failed step and succeed within seconds. Segmentation, strict credential hygiene, and behavior-based detection that flags unusual automation patterns, rather than just known malware signatures, are being pushed to the top of the priority list.
Finally, and perhaps most practically, organizations are being urged to close the boring gaps first. JadePuffer did not need a novel exploit to get moving. It needed an internet-facing service running old software and a four-year-old authentication bug that nobody had gotten around to patching. AI made the intrusion faster once it was inside, but a human still left the door open.
The Bigger Picture
Whether JadePuffer turns out to be a one-off proof of concept or the first entry in a long line of AI-driven extortion campaigns, it has already done something important: it moved the conversation about agentic AI risk from a hypothetical to a documented, timestamped case study. Security teams no longer have to argue about whether an autonomous agent could run a ransomware operation end to end. They now have a report, a named threat actor, and a 31-second answer to how fast that agent can recover when something goes wrong.
The uncomfortable part is that the defenses built to catch human intruders were never designed for an opponent that does not get tired, does not hesitate, and does not need to sleep between one failed login and the next successful one.

