How the Attack Worked
JADEPUFFER exploited CVE-2025-3248, a critical missing-authentication flaw rated 9.8 on the CVSS scale in Langflow, an open-source framework for building AI applications. The vulnerability allows unauthenticated remote code execution, and Langflow servers often hold cloud credentials and API keys in their environments. hackread.com sysdig.com
Once inside, the LLM agent swept the host for secrets — including keys for OpenAI, Anthropic, and major cloud providers — then dumped Langflow’s backing database, scanned internal services, and looted a MinIO object store using default credentials. It then pivoted to a separate production server running MySQL and Alibaba’s Nacos configuration service, exploiting a 2021 authentication bypass and forging JWT tokens with Nacos’s well-known default signing key. sysdig.com securityaffairs.com
The agent encrypted all 1,342 Nacos configuration items using MySQL’s AES_ENCRYPT function, dropped the original tables, and left a ransom note demanding Bitcoin payment. The encryption key was generated randomly, printed once to stdout, and never saved — making recovery impossible even if the ransom were paid. letsdatascience.com sysdig.com
Evidence of Autonomy
Sysdig identified four lines of evidence supporting its assessment that an LLM, not a human, drove the operation. The payloads were saturated with natural-language commentary explaining targeting decisions. The agent corrected its own errors at machine speed — fixing a failed login attempt in 31 seconds with a 15-line diagnostic and corrective script. It also adapted in real time when encountering unexpected responses, such as switching from JSON to XML parsing mid-operation. cybernews.com sysdig.com
“The skill floor for running ransomware has dropped to whatever it costs to run an agent,” Sysdig wrote in its report, “and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero”. sysdig.com
Implications for Defenders
Security researchers emphasized that none of JADEPUFFER’s individual techniques were novel — the danger lies in an AI model stringing them together into a coherent attack chain against neglected infrastructure. Sysdig urged organizations to patch Langflow, harden Nacos deployments, remove credentials from web-reachable processes, and apply egress controls to prevent compromised hosts from beaconing to attacker infrastructure. bleepingcomputer.com thehackernews.com cybernews.com sysdig.com