What the agent actually did
On 1 July 2026 the Sysdig Threat Research Team published its analysis of an intrusion it named JADEPUFFER and assesses to be the first fully agent-driven ransomware operation seen in the wild. The entry point was CVE-2025-3248, a remote-code-execution flaw in Langflow, an open-source tool for building AI workflows. From that foothold the agent harvested cloud and large-language-model provider credentials, then reused a separate authentication bypass from 2021 to reach a production MySQL and Alibaba Nacos server standing on different infrastructure.
What makes the case unusual is not the flaws, both of which had fixes available, but who chained them. Researchers describe a large language model running the full life cycle on its own: reconnaissance, credential theft, lateral movement, privilege escalation and finally encryption of 1,342 configuration items. In one logged moment the agent hit a failed login, changed its approach without being told to, and was inside within 31 seconds.
Why this breaks the response plan, not just the server
Most incident-response plans quietly assume a human tempo on the attacker's side, time to move between hosts, time to fumble a password, time an analyst can use to notice and cut a session. An agent that recovers from a failed login in half a minute erases that margin. The window between the first foothold and a locked database is now shorter than the interval between an alert firing and a tired analyst opening it, which turns detect-and-respond from a plan into a race most rosters were never staffed to win.
The second twist is worse for the payment calculus. JADEPUFFER left a ransom note tied to an encryption key it never stored, so even a company that chose to pay had nothing to buy back. That makes this variant destruction wearing the costume of extortion. For a European operator the practical read is that the only control sitting outside the blast radius is a backup the attacker cannot reach and a restore you have run this quarter, because negotiation is not on the table when the key is already gone.
What an operator should change this week
Start with the two doors JADEPUFFER walked through, because they are ordinary. Inventory anything running Langflow or similar AI-workflow tooling and confirm CVE-2025-3248 is patched, then hunt for decade-old authentication bypasses still live on internal servers, the kind that survive because nobody owns the box anymore. Rotate the cloud and model-provider credentials that such tools hold, since those keys are exactly what the agent went looking for first.
Then rehearse for the compressed timeline. Under NIS2 the early-warning clock can run within 24 hours of awareness and DORA sets its own major-incident deadlines, so an attack that finishes in minutes leaves the reporting duty, not the fight, as the part a board actually controls. The durable move is an immutable or offline backup a compromised domain administrator cannot delete, tested by a real restore, plus a decision already made about who files the regulatory notice while the technical team is still counting the damage.
Read next: A 29-Year-Old Squid Bug Leaks Cleartext Logins | This Malware Deletes Your Backups First



