JadePuffer ran end-to-end agentic ransomware, encrypting 1,342 Nacos configs and breaking recovery
Sysdig says an LLM-based intruder exploited Langflow and MySQL/Nacos, leaving victims unable to restore data even after paying.

Sysdig threat hunters report “JadePuffer,” an LLM-driven agent, executed an end-to-end ransomware and extortion operation against internet-facing infrastructure. The attack used CVE-2025-3248 in Langflow to gain code execution, then compromised a production MySQL server and Alibaba Nacos, encrypting 1,342 Nacos service configuration items while eliminating any recovery path.
A threat actor called “JadePuffer” did something ransomware crews have historically relied on humans for: it ran the whole operation. According to Sysdig, the agentic intruder driven by an LLM went from initial access to compromising a production database server and destroying data. Even more brutal for decision-makers, Sysdig says the victim cannot recover the encrypted data even if they pay the ransom, because the agent escalated from “row-level deletion” to dropping entire database schemas.
Sysdig’s research team says the LLM also encrypted 1,342 Nacos service configuration items. Those items were encrypted using MySQL’s built-in AES encryption function, and the agent created the usual extortion kit: a ransom note, a Bitcoin payment address, and a Proton Mail contact, alongside this statement: “YOUR DATA HAS BEEN ENCRYPTED. All NACOS configurations, REDACTED customer data, and REDACTED PII have been encrypted with AES-256.” Sysdig identifies the Bitcoin address as “3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy” and the Proton Mail contact as “e78393397[@]proton[.]me.”
So how did an LLM become the operator? Sysdig says JadePuffer gained initial access to an internet-facing Langflow instance by exploiting CVE-2025-3248, described as a missing authentication vulnerability in Langflow that allows remote, unauthenticated attackers to execute arbitrary Python on the host. Once it had a foothold, Sysdig reports it ran a fully automated attack, including scanning for and collecting secrets. Those included LLM provider API keys and cloud credentials, with explicit coverage of Chinese providers (Alibaba, Aliyun, Tencent, and Huawei), as well as AWS, Azure, and Google Cloud Platform credentials, cryptocurrency wallets, and database credentials.
Sysdig’s threat hunters also highlight how the LLM behaved as the “agent” part of the operation. Michael Clark, director of threat research at Sysdig, is quoted in the blog describing agentic ransomware and extortion. Clark says the most striking characteristic was the LLM’s behavior. He describes JadePuffer’s “self-narrating” payloads as containing natural language reasoning, target prioritization, and detailed annotations that human operators don’t often write but LLM-generated code produces reflexively. Clark also says the operation adapted in real time, retrying failed steps within refined parameters, and in one sequence it went from a failed login to a working fix in 31 seconds. For boards and security leaders, that matters because it suggests fewer “operator skills” required to run the attack well.
After compromising Langflow, the agent set up persistence. Sysdig reports JadePuffer installed a crontab entry on the Langflow server to maintain persistence and call back to the attacker’s infrastructure every 30 minutes. Its intended target was a separate internet-exposed production server running a MySQL database and an Alibaba Nacos configuration service. Nacos, as Sysdig frames it, is an open-source service-discovery and dynamic configuration platform developed by Alibaba and used in cloud provider microservices applications.
JadePuffer connected to the exposed MySQL port using root credentials, but Sysdig says it does not know how the attacker obtained them. This detail is important operationally: the attack did not depend on stealing those credentials from the victim’s environment, based on the researchers’ understanding. With root access, it attacked Nacos via multiple vectors. Those included an authorization bypass flaw identified as CVE-2021-29441 and forging a valid JSON web token (JWT) using Nacos’s default signing key. Sysdig also reports that using root database access, the LLM injected a backdoor administrator into the Nacos backing database.
The endgame was not subtle. Sysdig says JadePuffer encrypted all 1,342 Nacos service configuration items using MySQL’s built-in AES encryption function. It then created the extortion demand and contact information. But recovery failed for victims because the agent, according to the threat hunters, escalated “from row-level deletion to dropping entire database schemas, narrating its own targeting rationale,” without backing up any of the encrypted data. That flips the usual ransomware calculus. Paying does not buy operational continuity if the data is destroyed at the schema level.
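The database-side sequence Sysdig describes in the two paragraphs above (a root login to the exposed MySQL port, configuration rows rewritten with MySQL's AES function, then whole schemas dropped) is something a defender can look for in query logging. The following is an added example, not code from the Sysdig report: it scans constructed MySQL general_log-style lines and flags any connection that passes through all three stages. The simplified log format and the Nacos table name `config_info` are assumptions.

```python
"""Flag a MySQL session that logs in as root, rewrites rows with AES_ENCRYPT,
and then drops a schema. Added example; log format and table name are assumed."""
import re
from collections import defaultdict

# Constructed sample in a simplified general_log layout: time, thread id, command, argument.
SAMPLE_LOG = """\
2025-01-01T10:00:00Z  17 Connect  root@203.0.113.5 on nacos using TCP/IP
2025-01-01T10:00:02Z  17 Query    SELECT data_id, content FROM config_info
2025-01-01T10:00:05Z  17 Query    UPDATE config_info SET content = HEX(AES_ENCRYPT(content, 'k')) WHERE id = 1
2025-01-01T10:00:05Z  17 Query    UPDATE config_info SET content = HEX(AES_ENCRYPT(content, 'k')) WHERE id = 2
2025-01-01T10:00:40Z  17 Query    DROP SCHEMA customers
2025-01-01T10:00:41Z  17 Query    DROP DATABASE pii_store
2025-01-01T10:01:00Z  18 Connect  app@10.0.0.7 on nacos using TCP/IP
2025-01-01T10:01:01Z  18 Query    SELECT content FROM config_info WHERE data_id = 'svc.yaml'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")
ENCRYPT_RE = re.compile(r"\bUPDATE\b.*\bAES_ENCRYPT\s*\(", re.I)   # in-place encryption of rows
DROP_RE = re.compile(r"\bDROP\s+(SCHEMA|DATABASE)\b", re.I)        # schema-level destruction
ROOT_RE = re.compile(r"^root@(?P<host>\S+)")                        # root login and its source

def analyze(log_text):
    """Return {thread_id: findings} for every connection matching all three stages."""
    sessions = defaultdict(lambda: {"root_from": None, "encrypt_updates": 0, "drops": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, arg = sessions[m["thread"]], m["arg"]
        if m["cmd"] == "Connect":
            r = ROOT_RE.match(arg)
            if r:
                s["root_from"] = r["host"]
        elif m["cmd"] == "Query":
            if ENCRYPT_RE.search(arg):
                s["encrypt_updates"] += 1
            if DROP_RE.search(arg):
                s["drops"].append(arg.split()[-1])
    # Only sessions that show root access, mass AES rewrites, and a schema drop are reported.
    return {t: s for t, s in sessions.items()
            if s["root_from"] and s["encrypt_updates"] and s["drops"]}

if __name__ == "__main__":
    for thread, f in analyze(SAMPLE_LOG).items():
        print(f"thread {thread}: root login from {f['root_from']}, "
              f"{f['encrypt_updates']} AES_ENCRYPT rewrites, dropped {f['drops']}")
```

On the constructed input only thread 17 is reported; the ordinary application session on thread 18 is ignored.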
For context, this is not an attack that requires unique wizardry. Sysdig explicitly says JadePuffer did not use “especially sophisticated or unique techniques.” The significance is that an LLM “strung them together into a complete ransomware operation against neglected internet-facing infrastructure,” as Clark puts it. In other words, none of the individual steps is the hard part anymore. The “skill floor for running ransomware has dropped to whatever it costs to run an agent,” Clark says. He adds that if the agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero. That second-order shift is where executives should pay attention: fewer specialized operators, more automated campaigns, and more rapid adaptation when steps fail.