On 1 July 2026, security researchers published the first ransomware operation run end-to-end by an AI agent, naming it JADEPUFFER. An autonomous large language model exploited an internet-facing Langflow server (CVE-2025-3248), pivoted to a production Alibaba Nacos database, and encrypted 1,342 configuration items before destroying the originals and leaving a ransom note.
CVE-2025-3248 is an unauthenticated RCE on CISA’s KEV list and is exploited by multiple unrelated actors. If it was exposed and unpatched → high risk.CVE-2021-29441 bypasses auth.minioadmin:minioadmin during reconnaissance. Default creds turn one foothold into a full sweep.Ransomware has always had a human at the keyboard. JADEPUFFER breaks that pattern: an LLM agent handled the entire operation — access, reconnaissance, lateral movement, encryption and the ransom note — with a human only provisioning the infrastructure. The target was a production database, and the outcome was destruction, not theft. observed no data exfiltration, and the encryption key was never saved — so the data was unrecoverable even if the ransom were paid.
| Risk Area | Detail |
|---|---|
| Destruction | In-place encryption plus dropped tables. With no saved key, recovery depends entirely on your own backups. |
| Credential theft | Cloud, DB and LLM-provider API keys were swept from the Langflow host — rotate anything reachable from an exposed app server. |
| Supply chain | A breached vendor running Langflow/Nacos can expose your data — confirm partners have patched. |
| Copycats | Both CVEs are public and widely exploited; expect opportunistic reuse beyond this actor. |
✅ Both CVEs are patched — upgrade Langflow to ≥ 1.3.0 and Nacos to ≥ 1.4.1 urgently.
⚠️ Single-source incident — credible, but not independently corroborated; no raw logs or forensic images exist anywhere.
🔴 CVEs actively exploited in the wild by multiple actors — exposure is a live risk independent of JADEPUFFER.
Your security team should act on the Technical Annex below. All IOCs, detection and remediation guidance are in Part 2.
| CVE | Product | Detail |
|---|---|---|
CVE-2025-3248 |
Langflow < 1.3.0 | Missing-authentication RCE in the code-validation endpoint; arbitrary Python. CVSS 9.8. On CISA KEV (2025-05-05). |
CVE-2021-29441 |
Alibaba Nacos < 1.4.1 | Authentication bypass via User-Agent spoof (CWE-290). Default JWT signing key public since 2020. |
The agent reached an internet-facing Langflow instance and executed Base64-encoded Python via CVE-2025-3248, then swept the host for secrets. It pivoted to a separate production server (MySQL + Nacos) using root MySQL credentials of unknown origin, attacked Nacos through several vectors at once, and succeeded via a direct SQL insertion of a backdoor xadmin administrator. It then encrypted 1,342 Nacos config items with AES_ENCRYPT(), dropped the originals, and installed a cron beacon.
The operation was fileless / SQL-driven — there are no file hashes or malicious domains. All indicators are defanged.
| Indicator | Value / Notes |
|---|---|
| C2 beacon | 45.131.66[.]106:4444 — every 30 min over HTTP. AS213250 itp-solutions, DE. OTX reputation 0. |
| C2 URL | hxxp://45.131.66[.]106:4444/beacon |
| Staging / exfil (claimed) | 64.20.53[.]230 — no transfer observed. AS19318 InterServer, US. |
| Artifact | Value / Notes |
|---|---|
| Ransom table | README_RANSOM created in the Nacos backing database. |
| Backdoor admin | xadmin inserted directly via SQL. |
| BTC wallet | 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy — matches the canonical Bitcoin-docs example address (likely LLM artifact). |
| Contact | e78393397[@]proton[.]me |
| Default creds abused | minioadmin:minioadmin (MinIO) |
Alert on requests to the Langflow code-validation endpoint from external IPs, and on Nacos requests carrying User-Agent: Nacos-Server that return HTTP 200 where an identical request without it returns 403.
Hunt for scheduled tasks (cron) making fixed-interval outbound calls, anomalous child processes (interpreters, shells) off web/AI services, and destructive DB operations (mass encryption, table drops). CVE-level rules exist: Nuclei templates for both CVEs, Zscaler sig 932200, Trend Micro IPS 46063/46064.
Because JADEPUFFER made headlines as the “first AI-run ransomware,” it is worth separating what holds up from what does not. The CVEs and the attacker infrastructure are independently verifiable; the incident narrative and autonomy claim are not.
| Claim | Standing | Basis |
|---|---|---|
| Langflow CVE-2025-3248 is real & exploited | VERIFIED | CISA KEV; Trend Micro; Recorded Future; Zscaler |
| Nacos CVE-2021-29441 exists & exploitable | VERIFIED | NVD; GitHub Security Lab |
| Attacker IPs are live infrastructure | VERIFIED | AlienVault OTX geo/ASN |
| The incident occurred as described | Single reported incident only | Single source; no raw logs; no public dump |
| Fully autonomous, “first-ever” | VENDOR CLAIM | researchers hedges “what we assess”; TechCrunch: “still needed a human” |
| Data was exfiltrated | REFUTED | Researchers saw no transfer; WhiteIntel shows no leak-site or chatter |
No forensic imagery exists — public report contains no ransom-note screenshot, terminal capture, or log image; the entire case is presented as text. Treat “first fully autonomous ransomware” as a vendor assessment, not an established milestone.