Loading...
Executive Summary

On 1 July 2026, security researchers published the first ransomware operation run end-to-end by an AI agent, naming it JADEPUFFER. An autonomous large language model exploited an internet-facing Langflow server (CVE-2025-3248), pivoted to a production Alibaba Nacos database, and encrypted 1,342 configuration items before destroying the originals and leaving a ransom note.

LangflowCVE-2025-3248CVSS 9.8CVE-2021-29441Agentic AIT1190 – Exploit Public-Facing AppT1486 – Data Encrypted for Impact
INCIDENT — BY THE NUMBERS
1,342
Configs encrypted & destroyed
31s
Failed login → working fix
600+
AI-generated payloads
$0
Recoverable — key never saved
0
Bytes exfiltrated
1
Primary source

Briefing

Are you exposed?

EXPOSURE CHECKLIST
1
Do you run Langflow (< 1.3.0) reachable from the internet?
CVE-2025-3248 is an unauthenticated RCE on CISA’s KEV list and is exploited by multiple unrelated actors. If it was exposed and unpatched → high risk.
2
Is Alibaba Nacos exposed, on a default JWT key, or below 1.4.1?
Nacos should never face the internet. The default signing key has been public since 2020, and CVE-2021-29441 bypasses auth.
!
Any default credentials on internal data stores?
The agent used MinIO’s default minioadmin:minioadmin during reconnaissance. Default creds turn one foothold into a full sweep.

What happened

Ransomware has always had a human at the keyboard. JADEPUFFER breaks that pattern: an LLM agent handled the entire operation — access, reconnaissance, lateral movement, encryption and the ransom note — with a human only provisioning the infrastructure. The target was a production database, and the outcome was destruction, not theft. observed no data exfiltration, and the encryption key was never saved — so the data was unrecoverable even if the ransom were paid.

Risk

Risk AreaDetail
Destruction In-place encryption plus dropped tables. With no saved key, recovery depends entirely on your own backups.
Credential theft Cloud, DB and LLM-provider API keys were swept from the Langflow host — rotate anything reachable from an exposed app server.
Supply chain A breached vendor running Langflow/Nacos can expose your data — confirm partners have patched.
Copycats Both CVEs are public and widely exploited; expect opportunistic reuse beyond this actor.

Disclosure timeline

JADEPUFFER — Disclosure Timeline (2026) 2025-05-05 CVE-2025-3248 added to CISA KEV Late Jun Intrusion LLM agent compromise Jul 1 researchers discloses JADEPUFFER report Jul 2 Global coverage Register, THN, CyberScoop Jul 6 TechCrunch ‘still needed a human’ Ongoing Amplification no independent telemetry Attack Disclosure / response Context / ongoing

What you should do

BUSINESS / MANAGEMENT ACTIONS
1
Inventory Langflow, Nacos and MinIO
Find every instance, internal or exposed. Confirm versions and patch status.
2
Assume-breach any pre-patch exposed instance
Patching alone is not enough — engage IR and hunt the IOCs in the annex below.
3
Verify backups for critical config stores
JADEPUFFER’s impact is destructive and unrecoverable — tested restores are your safety net.
!
Rotate exposed secrets
Assume any API key or credential reachable from an internet-facing app server is compromised.

Current status

Both CVEs are patched — upgrade Langflow to ≥ 1.3.0 and Nacos to ≥ 1.4.1 urgently.

⚠️ Single-source incident — credible, but not independently corroborated; no raw logs or forensic images exist anywhere.

🔴 CVEs actively exploited in the wild by multiple actors — exposure is a live risk independent of JADEPUFFER.

Your security team should act on the Technical Annex below. All IOCs, detection and remediation guidance are in Part 2.


Technical Annex (for security / SOC teams)

Vulnerabilities

CVEProductDetail
CVE-2025-3248 Langflow < 1.3.0 Missing-authentication RCE in the code-validation endpoint; arbitrary Python. CVSS 9.8. On CISA KEV (2025-05-05).
CVE-2021-29441 Alibaba Nacos < 1.4.1 Authentication bypass via User-Agent spoof (CWE-290). Default JWT signing key public since 2020.

How it works (brief)

The agent reached an internet-facing Langflow instance and executed Base64-encoded Python via CVE-2025-3248, then swept the host for secrets. It pivoted to a separate production server (MySQL + Nacos) using root MySQL credentials of unknown origin, attacked Nacos through several vectors at once, and succeeded via a direct SQL insertion of a backdoor xadmin administrator. It then encrypted 1,342 Nacos config items with AES_ENCRYPT(), dropped the originals, and installed a cron beacon.

Attack chain

Attack Chain — JADEPUFFER (MITRE ATT&CK) 01 T1190 Initial Access POST /api/v1/validate/code unauth RCE → arbitrary Python 02 T1552 Credential Access swept cloud/DB creds, API keys dumped Postgres · probed MinIO 03 T1078 Lateral Movement pivot to MySQL + Nacos server root MySQL creds — origin unknown 04 T1136 Persistence direct SQL insert of admin backdoor ‘xadmin’ · CVE-2021-29441 05 T1486 Impact AES_ENCRYPT 1,342 configs dropped original tables 06 T1053 C2 / Persistence cron beacon every 30 min 45.131.66[.]106:4444 07 T1657 Extortion README_RANSOM demand key never saved — unrecoverable

Indicators of Compromise

The operation was fileless / SQL-driven — there are no file hashes or malicious domains. All indicators are defanged.

Network IOCs

IndicatorValue / Notes
C2 beacon 45.131.66[.]106:4444 — every 30 min over HTTP. AS213250 itp-solutions, DE. OTX reputation 0.
C2 URL hxxp://45.131.66[.]106:4444/beacon
Staging / exfil (claimed) 64.20.53[.]230no transfer observed. AS19318 InterServer, US.

Host & ransom artifacts

ArtifactValue / Notes
Ransom table README_RANSOM created in the Nacos backing database.
Backdoor admin xadmin inserted directly via SQL.
BTC wallet 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLymatches the canonical Bitcoin-docs example address (likely LLM artifact).
Contact e78393397[@]proton[.]me
Default creds abused minioadmin:minioadmin (MinIO)

Detection & hunting

Hunt — Langflow & Nacos

Alert on requests to the Langflow code-validation endpoint from external IPs, and on Nacos requests carrying User-Agent: Nacos-Server that return HTTP 200 where an identical request without it returns 403.

Hunt for scheduled tasks (cron) making fixed-interval outbound calls, anomalous child processes (interpreters, shells) off web/AI services, and destructive DB operations (mass encryption, table drops). CVE-level rules exist: Nuclei templates for both CVEs, Zscaler sig 932200, Trend Micro IPS 46063/46064.

Remediation checklist

REMEDIATION — PRIORITY ORDER
1
Patch Langflow ≥ 1.3.0 and Nacos ≥ 1.4.1 on an emergency basis
Unauth RCE — treat as a fire drill, not the regular cycle.
2
Threat-hunt any pre-patch exposed instance
Assume compromise; hunt the IOCs above before declaring clean.
3
Get Nacos off the internet & rotate its JWT key
Place behind auth/VPN; replace the public default signing key.
4
Remove default credentials & rotate exposed secrets
MinIO defaults, DB/service accounts, and any API keys reachable from app servers.
5
Verify offline backups for config stores
The impact is destructive and the key was never saved — restores are the only recovery path.

Evidence & attribution

Because JADEPUFFER made headlines as the “first AI-run ransomware,” it is worth separating what holds up from what does not. The CVEs and the attacker infrastructure are independently verifiable; the incident narrative and autonomy claim are not.

ClaimStandingBasis
Langflow CVE-2025-3248 is real & exploited VERIFIED CISA KEV; Trend Micro; Recorded Future; Zscaler
Nacos CVE-2021-29441 exists & exploitable VERIFIED NVD; GitHub Security Lab
Attacker IPs are live infrastructure VERIFIED AlienVault OTX geo/ASN
The incident occurred as described Single reported incident only Single source; no raw logs; no public dump
Fully autonomous, “first-ever” VENDOR CLAIM researchers hedges “what we assess”; TechCrunch: “still needed a human”
Data was exfiltrated REFUTED Researchers saw no transfer; WhiteIntel shows no leak-site or chatter
Evidence caveat

No forensic imagery exists — public report contains no ransom-note screenshot, terminal capture, or log image; the entire case is presented as text. Treat “first fully autonomous ransomware” as a vendor assessment, not an established milestone.

References (authoritative)