Sysdig documents the first ransomware attack run end to end by an AI agent
Breaking
Sysdig documents the first ransomware attack run end to end by an AI agent<br>//<br>Under cover of the World Cup, ICE rounded up 10,000 people in five days<br>//<br>Serbia's Vučić to resign within weeks and call snap elections<br>//<br>Lunin's "Rebellion": Russian war veteran detained after viral video warning Putin of mutiny<br>//<br>Judge orders DOJ unredact the Epstein co-conspirator, torture-video and Trump-accuser files by 2 July<br>//<br>Ukraine launches 40-day operation to push Russia to end the war<br>//<br>ICC judges sue convicted criminal Donald Trump after US attempt to intimidate the court<br>//<br>Russia rations fuel from occupied Crimea to Siberia as Ukrainian drones decimate refineries nationwide<br>//<br>Sysdig documents the first ransomware attack run end to end by an AI agent<br>//<br>Under cover of the World Cup, ICE rounded up 10,000 people in five days<br>//<br>Serbia's Vučić to resign within weeks and call snap elections<br>//<br>Lunin's "Rebellion": Russian war veteran detained after viral video warning Putin of mutiny<br>//<br>Judge orders DOJ unredact the Epstein co-conspirator, torture-video and Trump-accuser files by 2 July<br>//<br>Ukraine launches 40-day operation to push Russia to end the war<br>//<br>ICC judges sue convicted criminal Donald Trump after US attempt to intimidate the court<br>//<br>Russia rations fuel from occupied Crimea to Siberia as Ukrainian drones decimate refineries nationwide<br>//
News<br>Investigations<br>Justice<br>Thought<br>Guides<br>Impact
Sign in<br>Support us
Security firm Sysdig said on 1 July 2026 it had documented the first known ransomware attack carried out end to end by an autonomous AI agent, which broke into a server, harvested credentials, moved laterally and destroyed a database without a human issuing commands.<br>The agent, which Sysdig named JadePuffer, took a failed login to a working fix in 31 seconds and encrypted 1,342 configuration items with a key it then threw away, leaving no recovery path even if a victim pays.<br>Sysdig's threat research team said the intrusion shows that the skill once needed to run a full extortion campaign is no longer needed, because a language model can now chain together known techniques on its own. None of those techniques were new. What was new is that no operator was at the keyboard.<br>How the intrusion ran<br>JadePuffer entered through an internet-facing deployment of Langflow, an open-source tool for building AI applications, by exploiting CVE-2025-3248, an unauthenticated flaw that lets an attacker run arbitrary code on the host. The flaw carries a severity score of 9.8 out of 10, was patched in March 2025 and has sat on the U.S. Cybersecurity and Infrastructure Security Agency's known-exploited list since 5 May 2025, more than a year before this attack.<br>Once it had code execution, the agent swept the machine for secrets, pulling for API keys tied to several AI providers and for cloud credentials covering Alibaba, Tencent, Huawei, Amazon, Google and Microsoft services. It dumped the database behind Langflow to harvest more credentials, probed the internal network, and installed a scheduled task that called back to the attacker's infrastructure every 30 minutes on port 4444.<br>The Langflow server was only a staging post. The agent used credentials it found there to reach a separate production server running a MySQL database and Alibaba's Nacos configuration service, both exposed to the internet. Sysdig said it could not determine where the root credential for that server came from.<br>Old holes, automated<br>Nacos gave the agent an easy route in through weaknesses years old. The service still used a default signing key that has been public since 2020, which makes forging an administrator token straightforward, and it was open to a bypass flaw first disclosed in 2021.<br>Inside, the agent encrypted all 1,342 Nacos configuration items using a built-in database function, dropped the original tables, and created a table called README_RANSOM holding the demand, a Bitcoin address and a Proton Mail contact. The encryption key was assembled from random values, printed to the screen once and never saved or sent anywhere. A victim who pays recovers nothing, because the key no longer exists.<br>Why Sysdig blames a model, not a person<br>Sysdig rested its assessment on four things it said human operators do not typically produce. The attack code carried running natural-language commentary explaining each step and its priority. The agent diagnosed and corrected its own failures in seconds rather than firing blind retries. It acted on free-text context planted in the environment. And its ransom setup did not match any known campaign, down to a Bitcoin address that is the stock example wallet from public documentation, which the model may have copied from its training data.<br>Michael Clark, Sysdig's director of threat research, wrote that the agent's payloads were self-narrating in a way human operators rarely bother with. Johan Edholm, co-founder of security...