← Back to Blog

JadePuffer Just Ran the World's First Autonomous Ransomware Attack. Your Agent Framework Was the Door.

Last week, an AI agent autonomously chained reconnaissance, exploitation, lateral movement, and extortion against a live target — no human in the loop. CISA added an AI agent platform to its Known Exploited Vulnerabilities list for the first time in history. The attack vector wasn't a rogue model. It was the framework running your agents.

An AI agent just ran a ransomware attack by itself. From first exploit to encrypted database to Bitcoin ransom note — no human operator involved.

Sysdig's Threat Research Team documented it last week and named it JadePuffer. It's the first confirmed case of what the researchers are calling an "agentic threat actor" — an AI agent used not as a productivity tool but as an end-to-end attack engine. Dark Reading called it the first complete LLM-driven ransomware attack. CISA added an AI agent platform to its Known Exploited Vulnerabilities catalog for the first time in the KEV's history.

There's a lot to say about what JadePuffer means for the security industry. But the most important thing to say about it isn't a security point. It's a trust infrastructure point.

The entry point wasn't a model going rogue. It was Langflow.

What Happened

JadePuffer exploited CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow — the popular open-source framework used by tens of thousands of developers for building and running LLM applications. The vulnerability had been patched and flagged by CISA months earlier. Most exposed instances weren't patched.

Once inside a Langflow instance, the AI agent didn't follow a script. It adapted in real time. When a login attempt failed, it pivoted and found a working approach in 31 seconds. It dumped Langflow's PostgreSQL database, harvested credentials from environment variables and sensitive files, enumerated connected services, pivoted to a production MySQL server, exploited a separate authentication bypass vulnerability in Alibaba Nacos to create rogue admin accounts, and ultimately encrypted 1,342 configuration records before deleting the originals.

Then it left a Bitcoin ransom demand.

The whole chain — reconnaissance, exploitation, credential discovery, lateral movement, privilege escalation, extortion — was executed autonomously by an AI agent responding to what it found in the environment. Sysdig says it lowered the skill floor for conducting damaging cyberattacks to near zero. CSO Online put it plainly: the agent hacked a network, adapted on the fly, and demanded a ransom.

The Layer Nobody Was Watching

Here's the thing most post-mortems will miss.

JadePuffer doesn't change the threat model for AI agents. It reveals a threat model that already existed and wasn't being addressed. The question "can we trust this agent?" has dominated enterprise AI discourse for two years. JadePuffer adds a prior question: "can we trust the platform running this agent?"

Those are different questions. Behavioral verification — evaluating what an agent does given specific inputs — tells you whether the agent works correctly in your environment. It says nothing about whether the environment running the agent is itself trustworthy. If the framework hosting your agents has an unauthenticated RCE sitting on a public port, your agent's performance benchmarks don't matter. Someone else is now running your flows.

Two of the most widely used AI agent platforms were compromised within the same week in late June — Langflow and Dify, which disclosed four separate vulnerabilities exposing private conversations and internal APIs. These are infrastructure problems. They sit below the layer most agent governance tooling operates at.

The industry's current response to agentic risk is concentrated on behavioral policy files, audit dashboards, and compliance frameworks. That layer assumes the infrastructure executing the policies is controlled by you. JadePuffer demonstrates that assumption can be false — and when it is, the governance framework has nothing to govern.

The Control Plane Problem

Forbes covered the emerging agent gateway category last week: vendors building network-layer enforcement for AI agent traffic, sitting between agents and the services they consume. Authentication, RBAC, prompt injection detection, PII sanitization, mutual TLS — everything the framework layer doesn't provide by default.

This is the right architectural response. But it's revealing how much of the current enterprise agent stack was built without this layer in mind.

Most organizations evaluating agent platforms are asking: does this agent complete the task? What's its accuracy? How does it handle edge cases? Those are the right questions at the application layer. JadePuffer adds questions that should have been asked at procurement: What's the patch cadence for the framework? Is the orchestration layer exposed? What credentials does the agent runtime have access to? What happens if the platform itself is compromised?

These aren't exotic security questions. They're the same questions enterprise security teams ask about any software running in production. The answer for most AI agent frameworks has been, essentially, "we hadn't really thought about it yet."

What This Means for Agent Trust

The JadePuffer incident doesn't invalidate behavioral verification — it makes it necessary but no longer sufficient.

You need to know your agent performs correctly on its actual task distribution. You also need to know that the platform running that agent is hardened, patched, and not exposing privileged access to anyone who finds the right CVE. The first is an evaluation problem. The second is an infrastructure security problem. They're different disciplines, different toolchains, different teams.

The risk of conflating them: organizations that have done the behavioral evaluation work feel confident in their agents, while the infrastructure layer sits exposed. The risk of ignoring both: you're operating in a JadePuffer-shaped blind spot with high-privilege agents connected to production systems.

CISA's KEV addition was the first time an AI agent platform appeared on that list. It won't be the last. The agent infrastructure layer — frameworks, orchestrators, runtime environments — is now a confirmed attack surface, and it's dramatically more exposed than the application layer on top of it.

The era of agentic threat actors is here. Sysdig says the skill floor for sophisticated cyberattacks just dropped to whoever can prompt an agent. The floor for defending against them starts with knowing exactly what's running, where, with what access, on what infrastructure — and whether any of it was patched after April 2025.


Choose your path