The LLM agent abused a Langflow flaw, harvested credentials, reached a production database, and destroyed Nacos configuration data.
Like any other cybercrime, a ransomware attack normally requires an actual human to plan, choose targets, test credentials, or fix mistakes when code breaks. Cybersecurity researchers at Sysdig, however, say they have now documented a case in which the human factor appears to have been replaced by a large language model (LLM) agent, with a full extortion operation carried out from initial access to database destruction.
Researchers at the Sysdig Threat Research Team named the operator JADEPUFFER and described it as an agentic threat actor, meaning the attack execution came from an AI agent, not a human-controlled toolkit. The company said the campaign began with an exposed Langflow instance and ended with a destructive database extortion attack on a separate production server.
Langflow is an open-source framework for building LLM applications and agent workflows. The entry point was CVE-2025-3248, a missing authentication flaw in Langflow’s code validation endpoint that lets a remote unauthenticated attacker execute arbitrary code on affected hosts, with NVD rating the flaw 9.8 critical under CVSS 3.1.
Once inside, the agent (JADEPUFFER) listed system details, searched for API keys and cloud credentials, dumped Langflow’s Postgres data, checked reachable internal services, and probed MinIO storage using default credentials. The payloads used in the attack were Base64-encoded Python sent through the Langflow remote code execution endpoint.
The campaign then left the Langflow host and went after its main target, a production system exposing MySQL and Alibaba Nacos. Nacos is used for service registry and dynamic configuration, and older versions have a known authentication bypass tracked as CVE-2021-29441 that can let an attacker skip checks by spoofing the user agent header.
That is where the 31-second moment becomes important. Sysdig said the agent first tried to create a Nacos administrator account with a generated bcrypt hash, checked the login, saw that it failed, and then issued a corrected payload 31 seconds later.
The fix deleted the bad account, generated the hash differently, recreated the administrator, and verified the login. For investigators, the speed and specificity of that correction are a major reason Sysdig assessed the operation as autonomous.
By the time the agent began encrypting data, the incident had become a data loss event. JADEPUFFER encrypted 1,342 Nacos configuration items using MySQL’s AES_ENCRYPT function, dropped the original configuration and history tables, and created a README_RANSOM table containing a Bitcoin address and Proton Mail contact.
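The destructive stage described above leaves a distinctive statement sequence in database query logs. The following detection sketch is an added example, not code from Sysdig or from the article; the tab-separated log format, the sample lines, and the table names `config_info` and `his_config_info` (taken from Nacos's default schema, which the article does not name) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, simplified to "timestamp<TAB>session<TAB>statement".
# Table names are assumed (Nacos default schema); the key is a placeholder.
SAMPLE_LOG = """\
2025-01-01T10:00:00\t41\tSELECT data_id FROM config_info WHERE tenant_id = ''
2025-01-01T10:00:05\t57\tUPDATE config_info SET content = AES_ENCRYPT(content, '<key>')
2025-01-01T10:00:09\t57\tDROP TABLE his_config_info
2025-01-01T10:00:11\t57\tCREATE TABLE README_RANSOM (note TEXT)
2025-01-01T10:03:00\t63\tDROP TABLE tmp_report_cache
"""

STAGES = {
    "bulk_encrypt": re.compile(r"\bUPDATE\b.*\bAES_ENCRYPT\s*\(", re.I),
    "drop_table": re.compile(r"\bDROP\s+TABLE\b", re.I),
    "ransom_note": re.compile(r"\bCREATE\s+TABLE\b.*RANSOM", re.I),
}

def parse(line):
    """Return (timestamp, session, statement), or None for a malformed line."""
    parts = line.split("\t", 2)
    if len(parts) != 3:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2]
    except ValueError:
        return None

def detect(log_text, window=timedelta(minutes=10)):
    """Flag sessions showing two or more distinct stages inside one window."""
    hits = {}  # session id -> [(timestamp, stage), ...]
    for rec in filter(None, map(parse, log_text.splitlines())):
        ts, session, stmt = rec
        for stage, rx in STAGES.items():
            if rx.search(stmt):
                hits.setdefault(session, []).append((ts, stage))
    alerts = []
    for session, events in sorted(hits.items()):
        events.sort()
        for i, (start, _) in enumerate(events):
            near = [(t, s) for t, s in events[i:] if t - start <= window]
            stages = sorted({s for _, s in near})
            if len(stages) >= 2:  # a lone DROP TABLE is routine, a chain is not
                span = int((near[-1][0] - start).total_seconds())
                alerts.append({"session": session, "stages": stages,
                               "first_seen": start.isoformat(), "span_seconds": span})
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Requiring two distinct stages in one session keeps routine maintenance, such as the single `DROP TABLE` in session 63, from raising an alert.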

In its blog post, Sysdig noted that the key appeared to be printed once and not saved or sent, meaning payment would not have restored the encrypted configurations.
Researchers also found a comment inside JADEPUFFER’s destructive payload stating that the data had been backed up to 64.20.53.230. Sysdig said it found no evidence that any data was actually backed up to that IP, which appeared only during the mass-destruction stage.
Shane Barney, chief information security officer at Keeper Security, said the case should be read less as science fiction and more as a credential failure at machine speed. In his view, the exposed secrets, unchanged defaults, open privileged access, and lack of real-time session visibility mattered more than any novel exploit chain.
Barney also pointed to Keeper research finding that 72 percent of organizations cannot detect credential misuse in real time, with many finding unauthorized privileged access hours after it starts. That gap matters when an agent can move from a failed login to a working administrative path inside a minute.
He said privileged access should be time-limited and task-limited, secrets should live in vaults with rotation, and session monitoring should happen while the session is active, not after the damage is done.
Ben Ronallo, principal cybersecurity engineer at Black Duck, said the Langflow flaw was public long before this campaign, making patch visibility and execution the first order of business. He compared JADEPUFFER with the recent Exploitarium disclosures, where exploit code and vulnerability write-ups were posted in a GitHub repository, but said this case shows a different problem: an agent working through older public vulnerabilities that many organizations have left exposed.
Ronallo said companies with exposed Langflow systems should activate incident response, patch immediately, and review logs for Sysdig’s indicators of compromise. He also warned against stopping the review at the first host. In this case, Langflow was the doorway, while the production database server was the target, so investigators need to map what the compromised host could reach.
