Autonomous AI Agent Ransomware: JadePuffer’s Authorization Lesson
Autonomous AI agent ransomware arrived with JadePuffer. The real lesson is machine-identity authorization over exploit novelty, and the controls to build.
Autonomous AI agent ransomware stopped being a research demo. Sysdig disclosed JadePuffer, an operation in which a language model executed a full ransomware kill chain from recon to encryption, with no human at the keyboard. It used no zero-days. It used a year-old bug, default credentials, and machine identities you already own. Here’s what happened, and the one control that would have contained it.
How The Agent Ran The Whole Chain
Langflow is a widely used open-source framework for building AI applications, and plenty of teams run it safely. This victim left a version with a year-old critical bug facing the open internet. That exposure is what the agent walked through. Once it had code execution on the host, it enumerated the machine and swept the environment for secrets in parallel: model provider keys, cloud credentials, crypto wallets, database credentials, and configuration files. It dumped Langflow’s own backing database, pulled the stored keys and user records, then deleted its staging files to clean up after itself.
Then it found the object store. Using the default credentials minioadmin:minioadmin, it listed every bucket, prioritized the ones named for infrastructure state and internal config, and fetched a credentials.json file by name. That file held an access key and secret pair, which the agent printed to its own terminal and saved to disk. It also installed a cron job on the host that beaconed to attacker infrastructure every 30 minutes, so it could get back in.
The agent reached the production database as root using credentials whose origin Sysdig could not determine. The agent didn’t harvest them from the Langflow host. Standing machine credentials sit in more places than any single inventory shows. From there, it injected a backdoor administrator into the Nacos configuration database, ran a methodical survey for a container escape using the database’s file primitives, reading the Docker socket and the container cgroup files to test for a path out of the container entirely, and moved to the finish. It encrypted all 1,342 Nacos service configuration items with MySQL’s built-in encryption function, dropped the original tables, and wrote a ransom note demanding Bitcoin.
The agent generated the encryption key at random, printed it to the console once, and never saved or transmitted it. The victim can’t recover those configurations even if they pay. Sysdig counted more than 600 distinct payloads across the operation, and the data theft the ransom note bragged about was the agent’s own code comment, not something Sysdig independently confirmed. Strip the AI language away, and you have automated destruction wearing an extortion note.
This is what Sysdig assesses to be the first documented end-to-end agentic ransomware operation. Last August, researchers flagged a tool called PromptLock as the first AI-driven ransomware, but it turned out to be a proof of concept built at NYU that was never fired at a victim. JadePuffer is the one that ran in a live environment against a real target.
Autonomous AI Agent Ransomware Needed Zero Zero-Days
Every weapon in that chain was old and public. CVE-2025-3248, the Langflow flaw the agent used for entry, is an unauthenticated remote code execution bug rated 9.8 on the critical scale. Langflow shipped a fix in version 1.3.0 in April 2025. CISA added the flaw to its Known Exploited Vulnerabilities catalog on May 5, 2025, with a federal remediation deadline of May 26. The victim was still running the vulnerable version more than a year later.
The downstream target was no fresher. The Nacos authentication bypass that the agent tried, CVE-2021-29441, dates to 2021, and Nacos patched it in version 1.4.1. The default signing key it tried to use to forge tokens has been publicly known since 2020. The object store answered to minioadmin:minioadmin, the vendor default that ships in the box.
That is the point... An agent doesn’t need novel exploits when the historical vulnerability catalog is sitting open. It sprays known weaknesses across exposed infrastructure at machine speed, and the long tail of unpatched systems that defenders have tolerated for years becomes the whole attack surface. Sysdig made the same observation in its own write-up. Attackers now automate old vulnerabilities, and automation makes spraying the entire back catalog nearly free. Every one of those weaknesses had a fix or a hardening step available for months or years, and the victim skipped all of them, which is the tail that an agent feeds on.
The blast radius here didn’t come from anything the security industry hadn’t seen before. It came from an agent that chained a decade of known problems without getting tired, without an expert operator, and without a brittle script that breaks the moment the environment differs from the plan. That capability is what separates an agentic attacker from a scripted one, and it is why the patch-faster reflex misses the shape of the threat.
Machine Identity Was The Attack Surface
Look at what the agent went after first. It went after credentials like model provider keys for OpenAI, Anthropic, DeepSeek, and Gemini; cloud credentials with explicit coverage of AWS, Azure, Google, and the major Chinese providers; crypto wallets; and every config file it could reach. The agent never touched the model itself. It didn’t need to. The API keys, the default object-store login, and the unrotated root database account were the keys to the kingdom, and the agent used them better than the defender governed them.
This is the machine identity problem, and it predates AI by years. I’ve watched it play out in operational technology environments, where a service account with standing privileges and no rotation sits quietly for years until someone, or something, finds it and rides it into the control network. The structural failure JadePuffer exploited is the same one. Credentials carry more authority than the task needs, live longer than they should, and sit where a compromised process can read them. Change the label on the attacker from a human contractor to an autonomous agent, and the underlying weakness doesn’t move.
Sysdig’s read is that if an agent like this runs on stolen model credentials, a pattern the industry tracks as LLMjacking, the cost to the attacker drops close to zero. The same non-human-identity failure shows up on both ends of this attack. The victim’s machine credentials were the target, and stolen machine credentials are what make the attacker’s economics work. In most enterprises, machine identities pile up faster than anyone can govern them, and they rarely get the rotation, scoping, and monitoring that employee accounts get. Nobody owns them the way a manager owns an employee’s access. A developer spins up a service account to ship a feature, the key never expires, and it outlives the project, the developer, and the memory of why it existed. JadePuffer is what that gap looks like when an agent finds it.
Least Privilege Failed. Least Agency Was The Missing Control.
Let me be honest about what went wrong, because the tempting version of this story is wrong. The victim had real least-privilege failures of the ordinary kind. They had a root database account exposed to the internet, default credentials on the object store, and provider secrets sitting on a web-reachable AI host. Any competent audit would have flagged it all.
Least privilege was never going to be enough here, and that is the harder lesson. An agent operating with legitimate standing credentials does exactly what those credentials permit. It authenticates as an authorized principal. Every action it takes is technically allowed. Privilege scoping specifies what a credential may access. It says nothing about whether the holder should chain reconnaissance into credential theft, into lateral movement, into mass encryption as one continuous operation.
That gap is what runtime authorization scope closes, and JadePuffer shows why you need it. Watch the agent recover from failure. Its first attempt to create a backdoor admin in Nacos failed a login check. Thirty-one seconds later, with no human reading the error, it diagnosed the cause, deleted the broken account, rebuilt it with a corrected password hash, and logged in. Later, when a database drop failed on a foreign key constraint, the next payload disabled the constraint check, ran the drop, and re-enabled it. Each fix targeted the exact failure it had hit.
A scripted attack breaks when the environment differs from the script. An agent adapts to the difference and keeps going. That is why a static permission model, tuned for tools that fail predictably, leaves you exposed to an attacker who reasons through obstacles. The control you need is a runtime bound to task intent, one that treats “encrypt every configuration record and drop the tables” as an action requiring fresh authorization, regardless of what the standing credentials allow.
The part that should keep you up at night is simpler. Every agentic system you deploy inside your own walls inherits the same structure. It runs on standing machine credentials. It acts as an authorized principal. Give it broad privilege and no runtime bound, and a compromise or a bad instruction gets the same blast radius JadePuffer got, and it gets there just as fast.
What CISOs Do Before The Next One
The fixes that would have stopped this aren’t exotic. Sysdig’s own list starts with the obvious: patch the Langflow flaw, and keep code-execution endpoints off the public internet. From there, it gets to the machine-identity core. Keep provider API keys and cloud credentials off your AI-orchestration hosts, and scope them to a secrets manager away from web-reachable processes. Rotate the Nacos default signing key, and never let a configuration service reach its database as root. Put egress controls on application hosts so a compromised box can’t beacon out or reach an internal database it has no business touching.
Those close the holes this specific agent walked through. The durable move is to turn least agency from a principle you nod at into a control you build. Concretely, that means three things. Issue task-scoped, short-lived credentials instead of standing keys, so a compromised agent holds authority that expires in minutes rather than a key that works forever. Gate destructive operations, anything that drops tables, deletes data, or changes access, behind a re-authorization step that the agent can’t satisfy on its own. Run deny-by-default egress at the agent host, so reaching a new destination becomes a decision rather than a default.
Detection changed too, in your favor for once. An LLM narrates its own intent in the payloads it writes. JadePuffer’s code carried natural-language comments explaining which database was of highest value and why. That self-narration is a signal you didn’t have against a human operator or a compiled tool, so feed your database and host telemetry to detections that look for it. One honest observer made a point worth taking: a quarterly assessment leaves dangerous gaps when your internet-facing services change every day and an automated attacker moves from discovery to impact in minutes. Continuous visibility beats the periodic snapshot. Sysdig calls JadePuffer an agentic threat actor, an operator whose capability comes from an agent rather than a human toolkit. That category is going to grow, because the skill floor for running an operation like this dropped to the cost of running an agent, and criminal crews adopt cheap, reusable tooling fast.
Key Takeaway: Autonomous AI agent ransomware wins on standing machine credentials and unbounded runtime agency, so scope your non-human identities and bound what your agents can do before someone else does it for you.
What To Do Next
Start with an inventory, because you can’t bound what you can’t see. Map every place where standing machine credentials live inside your AI tooling: the provider keys, the service accounts, the object-store logins, and the database credentials your agents and pipelines hold. Then pick one runtime authorization boundary and build it this quarter, the one an agent can’t cross without fresh authorization. That is the Create and Adapt work in the CARE model, and it is where least agency stops being a slogan and becomes a control.
For the deeper frames behind this, I’ve written the cornerstone piece on least agency versus least privilege, the case for treating non-human identity as the agentic control plane you probably skipped, and the difference between a model as a component and a model as an actor, all at rockcybermusings.com. The consulting side lives at rockcyber.com if you want help doing the work.
👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.
👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.
👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com
👉 As a bonus, check our AMA on the 2026 OWASP GenAI Security Project State of Agentic AI Security and Governance report with me and the other co-leads (it was live, so start at time marker 09:45)
The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.







