A ransomware attack dubbed Jadepuffer has been identified as the first instance of an AI agent executing a full extortion operation without human intervention. According to a report from Sysdig's threat research team, the attack exploited a known vulnerability in Langflow, a tool used for building AI applications. The flaw, CVE-2025-3248, allowed attackers to run their own code on the server without a password. Langflow had already patched this vulnerability in April 2025, yet the patch was not applied, enabling the attack to proceed. The AI agent then moved from the initial server to a production server running a MySQL database, the actual target. The attack demonstrated the capability of AI to automate tasks that traditionally required human involvement, such as credential collection and database encryption.

The most compelling evidence that no human was involved came from a moment when the AI agent attempted to create an admin account, which failed. Thirty-one seconds later, the agent corrected the error by diagnosing the issue, deleting the broken account, and building a working one from scratch. This level of automation, according to Sysdig, is far faster than what a human would achieve. Additionally, the AI-generated code included natural-language comments explaining its actions, a practice common in AI models but rare among human attackers. The attack ultimately encrypted 1,342 configuration entries and deleted the original tables. The ransom note demanded Bitcoin and listed a Proton Mail address, but the decryption key was only displayed once and never saved or sent. The Bitcoin address was identified as a well-known example from developer documentation, likely sourced from the model's training data.

Sysdig's report highlights that none of the individual techniques were new, as the attack exploited long-known vulnerabilities and weak default passwords. The novelty lies in the AI model chaining these techniques into a complete extortion operation autonomously. Shane Barney, chief information security officer at Keeper Security, noted that the attack should be viewed as a credential management failure rather than a novel threat. He emphasized that the critical factor was exposed secrets, unchanged default passwords, and lack of real-time monitoring. A Keeper study found that 72 percent of organizations cannot detect credential misuse in real time and often only notice unauthorized access hours after it starts. This gap becomes particularly dangerous when an AI agent can transition from a failed login to a working admin account in under a minute.

Source: thedecoder