
A ransomware campaign called JADEPUFFER just ran a complete extortion operation — initial access, reconnaissance, credential theft, lateral movement, and database encryption — without a human operator making a single decision. The entry point was a LangFlow server. The target was a production Nacos database. The encryption key was generated once, printed to stdout, and never stored. If you’re running LangFlow anywhere on a public IP, this is about you.
What JADEPUFFER Is
Sysdig’s Threat Research Team disclosed JADEPUFFER on July 1, 2026, calling it the first documented agentic ransomware operation: a complete attack lifecycle driven end-to-end by an LLM agent. Not a semi-automated toolkit. Not a script with AI-assisted scanning. An agent that made decisions, hit obstacles, diagnosed its own failures, and kept moving — executing over 600 distinct payloads without anyone at a keyboard.
The entry point was CVE-2025-3248, a CVSS 9.8 unauthenticated RCE flaw in LangFlow’s code validation endpoint. This vulnerability was patched in LangFlow 1.3.0 in April 2025 and added to CISA’s Known Exploited Vulnerabilities list in May 2025. As of the attack, 466 internet-exposed LangFlow instances were still visible on Censys. The flaw lets anyone who can reach the server execute arbitrary Python — no authentication required.
The Attack That Self-Corrected in 31 Seconds
What distinguishes JADEPUFFER from scripted automation isn’t the attack chain — it’s the behavior inside it. At 19:34:36 UTC, the agent attempted to create an admin account and failed. A scripted attack either retries or gives up. JADEPUFFER diagnosed the issue: a subprocess PATH problem preventing bcrypt hash generation. It switched to direct library imports, verified functionality, and redeployed a corrected payload at 19:35:07 UTC — 31 seconds later. The login succeeded at 19:35:18.
The same adaptive reasoning appeared throughout. When an API call using ?format=json returned XML instead, the agent rewrote its parser on the spot. When MySQL table drops failed due to foreign-key constraints, the next payload included SET GLOBAL FOREIGN_KEY_CHECKS=0. These are not generic retries — they are root-cause fixes. Sysdig describes the payloads as “self-narrating”: code annotated with natural-language reasoning explaining each step, which is characteristic of LLM-generated code, not human operators.
Why LangFlow Is the Target
LangFlow servers are an unusually attractive entry point. They sit exposed on the internet, often spun up quickly without hardening, and they hold credentials for nearly everything else in a developer’s stack. JADEPUFFER’s reconnaissance phase harvested API keys for OpenAI, Anthropic, DeepSeek, and Gemini; cloud credentials for AWS, GCP, Azure, Alibaba, Tencent, and Huawei; and cryptocurrency wallet keys. It also accessed a MinIO object store using the factory default credentials: minioadmin:minioadmin.
After establishing persistence via a cron job beaconing every 30 minutes, the agent pivoted to a separate production MySQL server running Alibaba Nacos. It exploited CVE-2021-29441, a Nacos authentication bypass from 2021, using the platform’s publicly documented default JWT signing key that the victim had never changed. It encrypted all 1,342 Nacos service configuration items using MySQL’s AES_ENCRYPT() function, dropped the original tables, and left an extortion note in a table called README_RANSOM. ByteIota previously covered a separate LangFlow RCE from 2026 — this is a different vulnerability with a far more sophisticated attacker.
Paying the Ransom Won’t Work
The encryption key was derived from concatenated UUID4 values, printed once to stdout, and never stored or transmitted to the attacker. This isn’t a gap in execution — it may be deliberate. There is no path to recovery through payment. Backups are the only option, which places this in a different category from traditional ransomware: the financial leverage model simply doesn’t function. Prevention is the only effective response.
Five Things to Do Right Now
- Patch LangFlow immediately. CVE-2025-3248 was fixed in version 1.3.0 in April 2025. If you haven’t updated since then, you are exposed to unauthenticated RCE on a CVSS 9.8 vulnerability.
- Remove LangFlow from the public internet. Put it behind a VPN, private network, or restrict access by IP. Code-execution endpoints have no business being publicly reachable.
- Move API keys and cloud credentials out of environment variables. LangFlow servers should hold no AWS keys, no OpenAI keys, no cloud credentials in their environment. Use a dedicated secrets manager. This is the primary reason JADEPUFFER targets these servers.
- Harden Nacos before tomorrow. Change the default JWT signing key — it has been publicly documented since 2020. Restrict Nacos to internal-only network access and apply the CVE-2021-29441 patch.
- Deploy runtime behavioral monitoring. Behavioral traces still exist: unexpected cron jobs, suspicious authentication sequences, privilege escalation, unusual egress traffic. Endpoint detection catches these patterns even when the attack moves at machine speed.
The Skill Floor Just Dropped
JADEPUFFER’s significance is not the attack itself — skilled ransomware operators have chained these steps before. The significance is that the skill floor dropped to whoever can configure an LLM agent and find an unpatched server. Shane Barney, CISO at Keeper Security, put it directly: JADEPUFFER is “less a sci-fi anomaly and more a stark warning about the failure of traditional credential management in the face of machine-scale threats.” BleepingComputer’s technical breakdown details how the operation unfolded step by step.
Defenders still hold an advantage: behavioral anomalies don’t disappear because the attacker is an AI. Unexpected processes, outbound connections to unknown IPs, sudden privilege escalation — these remain detectable. The window to act is before your LangFlow server becomes the entry point, not after the README_RANSOM table appears.













