
Earlier this month, Sysdig published research on JADEPUFFER, what they assess to be the first end-to-end agentic ransomware operation: a full attack chain from initial access to data destruction, driven by an LLM agent with no human operator at the keyboard. I've been tracking this story since it dropped July 2, and I want to walk through what actually happened before the hot takes bury the technical detail.
What the Attack Actually Did
The entry point was CVE-2025-3248, a missing-authentication vulnerability in Langflow's code validation endpoint. CVSS score of 9.8. Langflow is the drag-and-drop flow builder a lot of teams use to wire together LLM pipelines. The flaw lets an unauthenticated caller execute arbitrary Python on the host. Game over for initial access.
Once in, the agent ran a methodical sweep: dumped Langflow's PostgreSQL database, harvested environment variables, scraped credentials from config files, inventoried a MinIO object store. The credential haul was wide. API keys for OpenAI, Anthropic, DeepSeek, and Gemini. Cloud credentials spanning AWS, GCP, Azure, Alibaba, Tencent, Huawei, and Aliyun. Crypto wallet keys. Database logins. The agent wasn't grabbing everything indiscriminately; Sysdig's analysis shows it was prioritizing targets by perceived value.
Then it established persistence: a cron job beaconing to attacker infrastructure every 30 minutes. From there, lateral movement to a production MySQL instance running Alibaba Nacos. Against Nacos it ran two separate attacks: CVE-2021-29441 (an auth bypass that creates rogue admin accounts) and a JWT forgery using Nacos's hardcoded default signing key. Both worked.
The end state: 1,342 Nacos service configuration items encrypted, originals deleted, an extortion table created with a ransom demand, payment wallet, and contact email. The encryption key was generated locally and discarded, so there's no recovery path even if you pay.
The 31-second moment is the part worth sitting with. At one point the agent hit an error creating a backdoor account. It diagnosed the failure, adapted its approach, and returned with a working payload in 31 seconds. The agent wasn't running a fixed playbook. It was problem-solving mid-attack.
The Self-Narrating Payload
Sysdig's researchers noted something unusual in the decoded payloads: they're full of natural-language commentary. The code explains why it's targeting a specific database (it identified the "largest" one), describes each step's purpose, and prioritizes targets by estimated ROI. Human operators don't annotate their attack code like that. LLMs do it by default, because they're generating code with prompts.
This is actually a detection signal. An EDR or runtime monitor watching for natural-language reasoning text inside decoded payloads will catch this class of attack. The narration is a fingerprint. It also tells you something about the architecture: the agent is generating code dynamically in response to what it finds, not executing pre-baked scripts. The whole attack is a live ReAct loop against a real network. Sysdig's full analysis has the payload excerpts if you want to see what that looks like.
Why Your Workflow Infrastructure Is Now a Priority Target
The thing that should give builders pause is that Langflow-style tools are exactly the kind of host you'd want to hit first. They sit on internal networks with credential access to everything: model APIs, cloud accounts, databases, object stores. That's intentional design, they need that access to wire together pipelines. But it also makes them high-value targets with a wide blast radius.
CVE-2025-3248 is patched. But the pattern isn't going away. If you're running Langflow, n8n, Flowise, or any self-hosted orchestration layer, that host needs to be treated with the same rigor as a production database. Segment it. Constrain its outbound reach. Audit exactly what credentials live in its environment.
The LLMjacking angle compounds this. JADEPUFFER collected API keys for six model providers. An attacker who uses stolen credentials to fund future agent runs has near-zero cost for subsequent attacks. You end up funding the infrastructure being used against you.
What to Actually Do
A few concrete steps, not theoretical:
- Patch CVE-2025-3248 now if you haven't. Check which version of Langflow you're running.
- Rotate your Nacos JWT signing key. CVE-2021-29441 is from 2021. If you haven't changed the default key since deployment, it's been a door that whole time.
- Audit the credentials in your AI workflow tool's environment. The list of what JADEPUFFER harvested reads like a checklist of what's in the
.envfile of most LLM apps: model API keys, cloud credentials, database passwords. - Add detection for bulk config reads from Nacos, unexpected cron job creation, outbound beaconing from workflow servers, and lateral movement between your orchestration layer and production databases.
- If you're using a managed platform instead of self-hosting, find out what network isolation and credential scoping your provider actually offers. SecurityWeek's coverage has additional context on the broader implications.
I haven't personally run a hardening audit against a Langflow or n8n instance. After this, I'm going to. The interesting thing about JADEPUFFER isn't that AI made the attack magical. It's that the attack chain is exactly what you'd build if you were writing an agent to do authorized pentesting, and someone used that same pattern offensively. The gap between "helpful autonomous agent" and "adversarial autonomous agent" turns out to be smaller than most of us would like.