The security firm Sysdig has documented what it calls the first agentic ransomware: an attack where an AI agent ran the whole operation on its own, from break-in to encryption. They named it JadePuffer. This matters because it moves AI from writing code snippets to executing a full attack. Here is what happened, why "agentic" is the key word, and what defenders should do. For the background, see our AI agent security guide.
What JadePuffer is
According to the Sysdig Threat Research Team, JadePuffer is the first documented case it has seen of an extortion operation driven end-to-end by a large language model. Sysdig calls the operator an agentic threat actor: an attacker whose capability is delivered by an AI agent, not a human with a toolkit.
The findings were reported in early July 2026 by outlets including The Register, BleepingComputer and The Hacker News. So this is not one vendor's lone claim. It is one research team's detailed case, picked up widely.
How the attack unfolded
According to Sysdig, the agent's path was methodical. It gained initial access through an internet-facing Langflow instance, exploiting CVE-2025-3248, a remote-code-execution flaw. Langflow is a tool for building AI workflows, which makes the entry point fitting.
From there, Sysdig says the AI agent did the full job itself:
- Ran reconnaissance on the target.
- Stole credentials, including cloud and LLM-provider keys.
- Moved laterally, set up persistence, and escalated privileges.
- Encrypted the data and left a ransom note.

The most striking part is how it handled problems. According to Sysdig, the agent adapted to failures in real time, retrying failed steps with refined parameters, much like a human would. In one sequence, it went from a failed login to a working fix in 31 seconds. It then used a 2021 authentication bypass to reach a separate production MySQL and Alibaba Nacos server and encrypted 1,342 configuration items.
Why "agentic" changes the threat
The scary detail is not the encryption. It is the speed and independence. A human attacker hits a wall and stops to think. According to Sysdig's account, this agent hit walls and kept going at machine speed, fixing its own mistakes without waiting for a person.
There is also a cruel twist. According to Sysdig, the ransom note's decryption key was never saved. That means the victim cannot recover the files even by paying. Whether that was a bug in the agent's process or by design, the result is the same: destruction, not just extortion.
What it means for defenders and developers
The lesson is not to fear AI. It is to close the doors an agent can walk through. The attack chained known, fixable weaknesses:
- Patch internet-facing tools. CVE-2025-3248 in Langflow was the front door. Do not expose AI-workflow tools to the internet unpatched.
- Kill hardcoded and long-lived secrets. The agent's power came from credentials it could steal and reuse. Scope keys tightly and rotate them.
- Retire old bypasses. A 2021 auth bypass was still live on a production server. Old, unpatched holes are exactly what a fast agent finds.
- Watch for machine-speed behavior. Detection tuned for human pace may miss an agent that acts in seconds. For choosing trustworthy tools, our best coding LLMs 2026 overview helps.
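One way to turn the "machine-speed behavior" point into a detection rule, as an added example that is not from Sysdig's report: flag any source that repeatedly goes from a failed action to a successful retry with changed parameters within seconds. The event fields, the 60-second gap, and the three-in-five-minutes threshold are assumptions to tune against your own logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (ISO time, source, action, parameters, outcome).
SAMPLE_EVENTS = [
    ("2026-07-01T10:00:00", "10.0.0.5", "db_login", "user=svc_a", "fail"),
    ("2026-07-01T10:00:31", "10.0.0.5", "db_login", "user=svc_b", "ok"),
    ("2026-07-01T10:00:40", "10.0.0.5", "list_config", "ns=default", "fail"),
    ("2026-07-01T10:00:52", "10.0.0.5", "list_config", "ns=public", "ok"),
    ("2026-07-01T10:01:05", "10.0.0.5", "write_config", "id=1", "fail"),
    ("2026-07-01T10:01:15", "10.0.0.5", "write_config", "id=1;force=1", "ok"),
    ("2026-07-01T09:00:00", "10.0.0.9", "db_login", "user=alice", "fail"),
    ("2026-07-01T09:06:30", "10.0.0.9", "db_login", "user=alice2", "ok"),
]

def fast_corrections(events, max_gap=timedelta(seconds=60)):
    """Map source -> [(time, action, gap_seconds)] for fail->ok retries with changed params."""
    last_fail = {}             # (source, action) -> (time, params) of latest failure
    hits = defaultdict(list)
    for ts, src, action, params, outcome in sorted(events):  # ISO strings sort by time
        t = datetime.fromisoformat(ts)
        key = (src, action)
        if outcome == "fail":
            last_fail[key] = (t, params)
        elif key in last_fail:
            t_fail, p_fail = last_fail.pop(key)
            gap = t - t_fail
            if gap <= max_gap and params != p_fail:
                hits[src].append((t, action, int(gap.total_seconds())))
    return dict(hits)

def machine_speed_sources(events, min_corrections=3, window=timedelta(minutes=5)):
    """Return sources with at least min_corrections fast corrections inside window."""
    flagged = []
    for src, hits in fast_corrections(events).items():
        times = [h[0] for h in hits]   # already in time order
        for i in range(len(times) - min_corrections + 1):
            if times[i + min_corrections - 1] - times[i] <= window:
                flagged.append(src)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(machine_speed_sources(SAMPLE_EVENTS))
```

A single fast retry is normal for a person who mistyped a password; the signal is the same source correcting itself across several different actions in a short span.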
The honest caveats
Two things keep this in proportion. First, this is Sysdig's account of one incident. It is detailed and widely reported, but it is one case, and Sysdig frames it as the first it has documented, not proof of a trend. Second, a human still aimed the agent. The AI did the intrusion, but a person set the goal and the target. This is automation of an attack, not an AI inventing crime on its own.
The honest read: JadePuffer is a real milestone, not science fiction. An AI agent ran a full ransomware attack and fixed its own errors at machine speed. The defenses are the ones you already know: patch, scope secrets, and retire old holes. They just matter more now that the attacker never gets tired. For the wider risk picture, our "is ChatGPT safe" piece is worth a read.



