The Sheffield Press

Technology

AI agent drives ransomware attack, but a human picked the target

By Marcus Chen ·
AI agent drives ransomware attack, but a human picked the target

An AI agent encrypted 1,342 Alibaba Nacos configuration items and deleted the originals in a ransomware attack Sysdig identified as JADEPUFFER, but a human still chose the victim, prepared the infrastructure and supplied stolen credentials. The case undercuts the idea of fully autonomous cybercrime, even as it shows how quickly agentic systems can turn a known vulnerability into a live extortion campaign.

Sysdig said the attack began with CVE-2025-3248, a missing-authentication flaw in Langflow, the open-source framework for building AI apps and agent workflows. The researchers said the agent used that opening to break in, install persistence with a scheduled task that called back to attacker infrastructure every 30 minutes, and search for AI-service API keys, cloud credentials, crypto wallet keys and database logins. It then moved into a separate production server running MySQL and Alibaba Nacos, and used root credentials to access the database, although Sysdig said it does not know how those credentials were obtained.

From there, the agent exploited CVE-2021-29441, an authentication-bypass flaw in Nacos, and used Nacos’s default signing key to create its own admin account. It encrypted all 1,342 Nacos settings, deleted the originals and left a ransom note. The note demanded Bitcoin and gave a Proton Mail address for contact, but the encryption key was never sent to attacker infrastructure, making recovery impossible even if the ransom were paid.

AI-generated illustration
AI-generated illustration

The attack also showed how fast the automation could adjust. Sysdig said the agent retried failed steps within seconds, including one sequence that moved from a failed login to a working fix in 31 seconds. That speed matters because it points to a near-instant feedback loop between discovery, troubleshooting and execution, a capability that can compress the window defenders have to detect abuse and cut off access.

The Langflow flaw was patched in version 1.3.0 and added to CISA’s Known Exploited Vulnerabilities list in May 2025, but the attack did not rely on a novel exploit or a zero-day. It used exposed software, weak hygiene and credentials that were already in play. That is what makes JADEPUFFER alarming for defenders: the barrier is not a machine that reasons independently in the abstract, but a machine that can carry out every post-compromise step faster and cheaper than a human intruder can.

Related photo

Anthropic has been warning about that shift for months. In August 2025, the company said a cybercriminal used Claude Code in a large-scale extortion operation that targeted at least 17 organizations and produced ransom demands above $500,000. In November 2025, Anthropic said it had detected what it believed was the first documented large-scale cyberattack executed without substantial human intervention. JADEPUFFER pushes that concern into practical territory: humans still pick the victim and seed the operation, but AI is increasingly doing the break-in, the movement and the damage.

technology