AI Agent ransomware attack through Langflow instance by exploiting CVE-2025-3248


JADEPUFFER: Agentic ransomware for automated database extortion

Published by: Michael Clark, Director of Threat Research

Published: July 1, 2026


Ransomware has had a human at the keyboard, or at least a human writing its script, since it was first established as a category of threat. The Sysdig Threat Research Team (TRT) has captured what we assess to be the first documented case of agentic ransomware: a complete extortion operation driven end-to-end by a large language model (LLM).

This operator, which we have dubbed JADEPUFFER, gained initial access to an internet-facing Langflow instance through CVE-2025-3248 and ran an adaptive, fully automated campaign, ultimately pivoting to its intended target and running a destructive database-extortion playbook against the victim's production database server. JADEPUFFER is considered an agentic threat actor (ATA): an operator whose attack capability is delivered by an AI agent rather than a human-driven toolkit.

The most striking characteristic, however, was the LLM's behavior. JADEPUFFER's own payloads were self-narrating. They contained natural-language reasoning, target prioritization, and the kind of detailed annotations that human operators don't often write but LLM-generated code produces reflexively. The operation also adapted in real time, retrying failed steps with refined parameters. In one sequence, it went from a failed login to a working fix in 31 seconds.

The research below examines the Sysdig TRT's observations of JADEPUFFER, along with its indicators of compromise and recommended defensive actions.

The vulnerability

Langflow is a popular open-source framework for building LLM-driven applications and agent workflows. CVE-2025-3248 is a missing-authentication flaw in its code validation endpoint that allows an unauthenticated attacker to execute arbitrary Python on the host. Langflow remains exposed on many internet-facing deployments and has several widely exploited vulnerabilities. Langflow is an attractive entry point because its servers are AI-adjacent, frequently hold provider API keys and cloud credentials in their environment, and are often stood up quickly without network controls.

What the Sysdig TRT observed

JADEPUFFER's operation unfolded across two distinct targets: the internet-facing Langflow instance that provided initial access, and a separate production database server, which was JADEPUFFER's true objective. The machine compromised during initial access was then used to compromise the final target. All payloads were delivered as Base64-encoded Python through the Langflow RCE endpoint.

Phase 1: The Langflow instance (initial access host)

1. Reconnaissance and credential harvesting: Immediately after gaining execution, the LLM enumerated the host (id, uname -a, hostname, network interfaces, running processes) and swept the environment for secrets across many categories in parallel:
- LLM provider API keys (OpenAI, Anthropic, DeepSeek, Gemini, and others)
- Cloud credentials, with explicit coverage of Chinese providers (ALIBABA_, ALIYUN_, TENCENT_, HUAWEI_) as well as AWS, GCP, and Azure
- Cryptocurrency wallets and seed phrases
- Database credentials and configuration files

2. Local data looting: It dumped Langflow's own backing Postgres database, harvesting stored credentials, API keys, and user records; staged the output to local files; reviewed them; then deleted the staging files.

3. Internal lateral discovery: It scanned the internal address space and named services reachable from the Langflow host, probing databases, object storage, secret stores, and service-discovery endpoints with default credentials.

4. MinIO object-store enumeration and credential harvest: The LLM probed both minio.internal:9000 and 127.0.0.1:9000, the canonical MinIO addresses in containerised deployments. MinIO is a self-hosted, S3-compatible object store that is rarely seen targeted in attacks. It is widely used in on-premises and cloud-native stacks to store application data, backups, ML models, and infrastructure state. Finding a responsive API, the LLM proceeded through its full enumeration playbook using MinIO's default credentials (minioadmin:minioadmin):
- Listed all buckets, including application data, backups, ML artifacts, and a terraform-state bucket.
- Listed objects in each bucket, prioritising terraform-state and an internal config bucket.
- Fetched .env and credentials.json from the internal bucket by name,...
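As an added example (not code from the Sysdig post or the Langflow project), the following triage script runs over Langflow request logs and looks for the delivery pattern described in the vulnerability and Phase 1 sections above: POSTs to the code-validation endpoint carrying Base64-wrapped Python that enumerates the environment for the secret-name prefixes listed, plus the long comments of a self-narrating payload. The log line format, the endpoint path constant, and the two sample requests are constructed assumptions, not data from the incident.

```python
import base64
import json
import re

VULN_PATH = "/api/v1/validate/code"  # Langflow code-validation endpoint (assumed path)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Secret-name prefixes the write-up says JADEPUFFER swept the environment for
SECRET_HINTS = ("ALIBABA_", "ALIYUN_", "TENCENT_", "HUAWEI_", "AWS_", "OPENAI", "ANTHROPIC")

def decode_payloads(code):
    """Return every Base64 blob in a submitted code string that decodes to UTF-8 text."""
    out = []
    for m in B64_RE.finditer(code):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            pass  # not a real Base64 layer (e.g. a long identifier), ignore it
    return out

def score_code(code):
    """Indicators seen in the submitted code and in any Base64 layer it unpacks."""
    findings = set()
    for text in [code] + decode_payloads(code):
        if "os.environ" in text:
            findings.add("environment enumeration")
        hits = [h for h in SECRET_HINTS if h in text]
        if hits:
            findings.add("secret-name sweep: " + ",".join(hits))
        # LLM-written payloads tend to narrate themselves in long comments
        words = sum(len(ln.split()) for ln in text.splitlines() if ln.strip().startswith("#"))
        if words > 20:
            findings.add("verbose self-narrating comments")
    return sorted(findings)

def triage_log(lines):
    """Yield (client_ip, findings) for each POST hitting the code-validation endpoint."""
    for line in lines:
        ip, method, path, body = line.split(" ", 3)
        if method == "POST" and path == VULN_PATH:
            yield ip, score_code(json.loads(body).get("code", ""))

# Constructed sample log: one ordinary validation and one Base64-wrapped env sweep
INNER = ("import os\n# Sweep the environment for provider and cloud credentials\n"
         "# so they can be collected before moving on to the next host in the network\n"
         "for k in os.environ:\n    if k.startswith(('ALIBABA_', 'ALIYUN_', 'TENCENT_', 'HUAWEI_', 'AWS_')):\n        print(k)\n")
SAMPLE_LOG = [
    '10.0.0.5 POST /api/v1/validate/code {"code": "def hello():\\n    return 1"}',
    "203.0.113.9 POST " + VULN_PATH + " " + json.dumps({"code": base64.b64encode(INNER.encode()).decode()}),
]
```

Feeding real access logs through `triage_log` needs only the line parser adjusted to your proxy's format; the scoring is independent of it.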
