CyberBytes Daily

Trending cyberattacks, explained simply.

ai security

How an AI agent chained two unpatched servers into an irrecoverable ransomware operation with no human steering each step

The ransom note was a lie in the most consequential possible way. The attacker's own code claimed it had backed up 1,342 configuration files to an external server before encrypting them. It had not. The decryption key was generated, printed to a terminal once, and then discarded, never saved, never transmitted. Even if the victim paid, there was nothing to recover. The attacker may not have known this. The AI agent running the operation had, in all likelihood, hallucinated the backup step entirely.

That detail is not a footnote. It is the defining feature of what Sysdig's threat research team documented on July 1, 2026: the first fully agentic ransomware operation, named JADEPUFFER, in which an AI agent executed more than 600 distinct attack payloads across two separate servers, adapted in real time when things went wrong, and completed a destructive encryption operation without a human guiding each step. The agent fixed a failed login attempt and confirmed a working administrator account within 31 seconds. It switched its own data parser on the fly when an API returned XML instead of the expected JSON. It narrated its own targeting rationale in plain-English code comments throughout, a behavior characteristic of large language model (LLM)-generated code rather than anything a human operator would write.

The entry point was a vulnerability that had been publicly known, actively exploited, and added to the U.S. government's mandatory patch list more than a year before this attack. The server it ran on had never been updated.

Narrative Β· 7 min read

The Context

Langflow is an open-source platform that lets developers build AI-driven workflows visually, connecting large language models, data sources, and APIs by dragging components onto a canvas. Because it sits at the center of AI infrastructure, a Langflow server typically has access to something extremely valuable: API keys for OpenAI, Anthropic, Google, and other AI providers, plus cloud credentials for AWS, Azure, and Google Cloud. That concentration of high-value secrets makes it a rich target.

Alibaba Nacos is a service-discovery and configuration management platform common in microservice architectures. It acts as the central nervous system for a distributed application: every service checks in with Nacos to find other services and retrieve its runtime configuration. Destroying Nacos configuration data does not just corrupt a database β€” it renders the entire application environment inoperable.

The Attack, Phase by Phase

Phase 1: Breaking In Through the AI Platform

Langflow's /api/v1/validate/code endpoint was designed to check whether Python code was syntactically valid. To do that, it called Python's built-in exec() function on whatever code was submitted β€” with no login required. Anyone who could reach the server could POST arbitrary Python to that endpoint and have it execute immediately, with the full permissions of the Langflow process.

JADEPUFFER's agent exploited this flaw (CVE-2025-3248) by sending Base64-encoded Python payloads through the endpoint. The server returned a normal HTTP 200 OK response with no visible indication that anything had happened. The code had already run.

Once executing on the Langflow host, the agent swept the environment methodically: enumerating configuration, harvesting API keys for AI services and cloud credentials across AWS, Azure, Google Cloud, and Chinese providers, and dumping Langflow's backing database. It found a MinIO object storage server using factory-default credentials (minioadmin:minioadmin) and extracted a file named credentials.json. When MinIO's API returned XML instead of the expected JSON, the agent adapted its parser on the fly and continued. It then installed a crontab entry that would check in with attacker-controlled infrastructure every 30 minutes.

PHASE 1: INITIAL ACCESS AND CREDENTIAL HARVESTπŸ”“1Exploit CVE-2025-3248POST Base64 Python to unauthenticated endpointπŸ”2Sweep for credentialsAPI keys, cloud creds, crypto wallets, DB configsπŸ—„οΈ3Raid MinIO storeDefault login minioadmin:minioadminπŸ“‘4Install persistence beaconCrontab to C2 every 30 minutesThe server returned HTTP 200 OK for every malicious payload, with no visible sign of compromise.

Phase 2: Pivoting to the Production Environment

With credentials and network intelligence gathered, the agent moved to a separate internet-exposed server running MySQL and Alibaba Nacos. The agent connected to MySQL as root. How it obtained those credentials is unknown β€” they were not observed being harvested from the Langflow environment.

From that root MySQL position, the agent attacked Nacos through three simultaneous vectors. First, it exploited CVE-2021-29441, bypassing Nacos's login checks by manipulating a request header. Second, it forged a valid Nacos JWT using Nacos's default signing key β€” publicly documented since 2020 and never changed on this deployment. Third, it used root MySQL access to inject a backdoor administrator account directly into the Nacos database, bypassing the application layer entirely.

The first account-creation attempt failed: the bcrypt hashing tool the agent tried to call was not on the system's default path. The agent diagnosed the exact cause, deleted the broken entry, regenerated the hash using a different method, and confirmed a successful login. The entire recovery sequence took 31 seconds.

PHASE 2: LATERAL MOVEMENT AND NACOS TAKEOVERπŸ”‘1Connect as MySQL rootCredentials of unknown originπŸšͺ2Exploit CVE-2021-29441Auth bypass via manipulated request headerπŸͺ™3Forge Nacos JWTDefault signing key unchanged since 2020πŸ’‰4Inject backdoor adminWrite directly to Nacos database⚑5Self-correct in 31 secondsDiagnose bcrypt error, confirm loginThree simultaneous attack vectors against Nacos: any one of them alone would have been sufficient.

Phase 3: Destruction and the Irrecoverable Ransom

The agent encrypted all 1,342 Nacos configuration items in place using MySQL's built-in AES_ENCRYPT() function, then dropped the original configuration and history tables. It disabled foreign key enforcement to delete additional database schemas, then created a table named README_RANSOM containing a Bitcoin address and a Proton Mail contact.

Then it generated a high-entropy encryption key, printed it to the terminal once, and discarded it. The key was never saved to disk and never transmitted to the attacker's infrastructure. A code comment inside the destructive payload claimed the data had been backed up to an external IP before encryption. Sysdig found no evidence this occurred.

The ransom note claimed AES-256 encryption. Sysdig found the tool used defaults to AES-128. The practical difference is zero: without the key, neither version is recoverable. And the key is gone.

PHASE 3: DESTRUCTIVE ENCRYPTIONπŸ”1Encrypt 1,342 config itemsMySQL AES_ENCRYPT() applied in placeπŸ—‘οΈ2Drop config and history tablesOriginal data permanently deletedπŸ’£3Drop additional schemasForeign key checks disabledπŸ“‹4Create README_RANSOM tableBitcoin address and Proton Mail contactπŸ”‘5Discard the decryption keyGenerated once, printed to stdout❌No recovery possibleKey discarded; ransom payment cannot help⚠️Backup claim was falseAgent hallucinated the exfiltration stepThe agent narrated its own targeting rationale in plain-English code comments throughout the destruction phase.

What Made This Possible

  1. A critical patch, never applied. CVE-2025-3248 was fixed in March 2025, added to the U.S. government's mandatory patch list in May 2025, and actively exploited by the time JADEPUFFER ran. At the time of the KEV listing, roughly 466 Langflow instances were exposed to the internet. Many remained unpatched.

  2. Default credentials treated as permanent configuration. The MinIO store used its factory-default login. The Nacos JWT signing key had been publicly documented since 2020 and was never rotated. These are not obscure secrets β€” they are in each product's official documentation. An AI agent trained on public internet data knows them by default.

  3. AI infrastructure deployed without production-grade security controls. Langflow servers are rich in cloud credentials and API keys by design, and frequently deployed quickly without the network segmentation and access controls applied to traditional production systems. The same server built to run AI workflows became the attacker's credential warehouse and initial foothold.

The structural irony is precise: the infrastructure built to run AI was compromised by AI.

What Should Have Stopped This

  • Patch management with a short cycle for critical vulnerabilities. CVE-2025-3248 carried a severity score of 9.8 and was on the government's mandatory patch list. A 14-day policy for critical patches would have closed the entry point before JADEPUFFER arrived.
  • No default credentials, ever. Rotating MinIO's default login and Nacos's default JWT signing key are single configuration changes requiring no specialized expertise. Both would have blocked two of the three Nacos takeover vectors.
  • Network segmentation between AI infrastructure and production systems. The Langflow server should not have been able to reach the Nacos production server directly. Separate network zones with explicit firewall rules would have stopped the pivot at Phase 2 regardless of what the agent harvested in Phase 1.
  • Secrets management instead of environment variables. Cloud credentials stored in a dedicated secrets vault rather than environment variables or config files would have been inaccessible to code executing through the exec() vulnerability.
  • Runtime detection of self-narrating payloads. JADEPUFFER's LLM-generated code contained extensive plain-English comments narrating the attack. Human-written exploit scripts do not do this. Monitoring for verbose natural-language annotations in runtime-executed code is a new detection signal specific to agentic attacks.

The Takeaway

JADEPUFFER is not primarily a story about a new vulnerability. Every flaw it exploited was publicly known, patched, and in one case added to a mandatory government remediation list. It is a story about what happens when the skill floor for running a ransomware operation drops to the cost of running an AI agent, and that agent can chain years of accumulated security debt into a complete extortion operation faster than a human analyst can open a ticket.

This is the same class of failure as the Stryker Intune wipe: a privileged management tool weaponized against the organization it was built to protect. The difference is that Stryker required a human to obtain credentials and issue commands. JADEPUFFER required a human only to start the agent. The agent's verbose self-narration β€” plain-English code comments explaining its own targeting rationale β€” is simultaneously its fingerprint and a new detection opportunity.

Pattern to remember: When AI infrastructure is deployed without the same security controls as production systems, it becomes both the richest credential target and the most capable entry point for an AI-driven attacker.

What changed: An AI agent can now autonomously chain public vulnerabilities, adapt to unexpected failures mid-operation, and complete destructive encryption before a human defender is aware the attack has started β€” removing the assumption that ransomware requires a skilled operator at the keyboard at each step.

Technical Deep Dive Β· 3 min

The Technical Mechanism

CVE-2025-3248 is a missing authentication vulnerability in Langflow's /api/v1/validate/code endpoint, classified under CWE-306 (Missing Authentication for Critical Function). The endpoint invokes Python's built-in exec() function on user-supplied code without any authentication check, authorization control, or sandboxing. An unauthenticated remote attacker can POST arbitrary Python to the endpoint and achieve immediate remote code execution (RCE) with the privileges of the Langflow process. The fix in Langflow 1.3.0 added an authentication requirement to the endpoint. The CVSS 3.1 base score is 9.8 (Critical).

JADEPUFFER delivered all Phase 1 payloads as Base64-encoded Python through this vector. The server response was HTTP 200 OK regardless of payload content, providing no observable indication of compromise at the HTTP layer. The agent executed more than 600 distinct payloads across the full operation.

The Nacos takeover combined three independent attack paths:

  • CVE-2021-29441 auth bypass: Nacos versions prior to 1.4.1 and 2.0.0-ALPHA.1 allow authentication bypass by setting the User-Agent header to Nacos-Server. This causes the server to treat the request as an internal cluster communication and skip authentication checks entirely.
  • JWT forgery: Nacos ships with a default JWT signing key (SecretKey012345678901234567890123456789012345678901234567890123456789) that has been publicly documented since 2020. An attacker who knows this key can forge a valid session token for any user, including the built-in nacos administrator account.
  • Direct database injection: With root MySQL access, the agent bypassed the Nacos application layer entirely, writing a backdoor administrator account directly to the users table in the Nacos backing database.

The destruction phase used MySQL's AES_ENCRYPT() function with a key generated via base64(uuid4().bytes + uuid4().bytes), producing approximately 256 bits of entropy. The key was written to stdout once and discarded. SET GLOBAL FOREIGN_KEY_CHECKS=0 was issued before dropping additional schemas. The README_RANSOM table was created with columns for the ransom message, a Bitcoin address, and a Proton Mail contact.

TECHNICAL MECHANISM: THREE NACOS ATTACK VECTORSπŸ”“1CVE-2021-29441 bypassUser-Agent header set to Nacos-ServerπŸͺ™2JWT forgeryDefault signing key known since 2020πŸ’‰3Direct DB injectionBackdoor admin written to users tableπŸ”4Encrypt all configsAES_ENCRYPT() on 1,342 items in placeπŸ—‘οΈ5Discard key, drop tablesNo recovery path remainsAny one of the three Nacos vectors was independently sufficient for full administrative takeover.

CVE and Advisories

  • CVE-2025-3248: Missing authentication in Langflow /api/v1/validate/code. CVSS 3.1 score 9.8 Critical. Fixed in Langflow 1.3.0 (March 31, 2025). Added to CISA KEV on May 5, 2025.
  • CVE-2021-29441: Authentication bypass in Alibaba Nacos via User-Agent header spoofing. Fixed in Nacos 1.4.1 and 2.0.0-ALPHA.1.
  • No CVE has been assigned for the Nacos default JWT signing key issue. It is a configuration default, not a code defect, and has been publicly documented since 2020.

MITRE ATT&CK Mapping

Technique IDATT&CK nameHow it appeared
T1190Exploit Public-Facing ApplicationCVE-2025-3248 exploited via unauthenticated POST to /api/v1/validate/code to achieve RCE on the Langflow host.
T1552.001Unsecured Credentials: Credentials in FilesAgent swept environment variables and config files for LLM API keys, cloud credentials, cryptocurrency wallets, and database connection strings.
T1078.004Valid Accounts: Cloud AccountsHarvested cloud credentials for AWS, Azure, GCP, Alibaba, Aliyun, Tencent, and Huawei targeted for potential follow-on access.
T1110.001Brute Force: Password GuessingMinIO accessed using factory-default credentials minioadmin:minioadmin without any guessing required.
T1053.003Scheduled Task/Job: CronCrontab entry installed to beacon to C2 at 45.131.66[.]106:4444 every 30 minutes for persistence.
T1210Exploitation of Remote ServicesCVE-2021-29441 auth bypass and JWT forgery used to take over Nacos on the pivoted production server.
T1098Account ManipulationBackdoor administrator account injected directly into Nacos backing database via root MySQL access.
T1486Data Encrypted for ImpactAll 1,342 Nacos configuration items encrypted in place using MySQL AES_ENCRYPT(); original tables dropped.
T1485Data DestructionOriginal Nacos configuration and history tables dropped; additional database schemas deleted after disabling foreign key checks.
T1491.001Defacement: Internal DefacementREADME_RANSOM table created with Bitcoin address and Proton Mail contact as extortion demand.

Indicators of Compromise

Network Indicators

  • C2 IP: 45.131.66[.]106, port 4444 (crontab beacon, every 30 minutes)
  • Claimed staging IP in ransom note: 64.20.53.230 (Sysdig found no confirmed exfiltration to this address)
  • Proton Mail contact: e78393397@proton.me (no prior threat intelligence hits)

Host Indicators

  • Crontab entry beaconing to 45.131.66[.]106:4444 every 30 minutes
  • README_RANSOM table present in MySQL
  • Nacos config_info and his_config_info tables absent or replaced with encrypted content
  • Presence of AES_ENCRYPT()-processed data in Nacos configuration tables
  • Verbose plain-English annotation comments in executed Python payloads (LLM-characteristic behavior)

Detection Note

The most novel detection signal from JADEPUFFER is behavioral: LLM-generated attack payloads contain extensive natural-language comments narrating the attacker's reasoning and targeting rationale. Human-written exploit scripts do not exhibit this pattern. Runtime monitoring for verbose annotation in dynamically executed code is a detection opportunity specific to agentic attacks. Sysdig also notes that the agent's own comments should not be taken as factual: the backup claim in the ransom note was unverified and likely hallucinated.

Attribution

Unattributed. Sysdig coined the name JADEPUFFER and classifies the operator as an agentic threat actor (ATA). No nation-state link, criminal group affiliation, or prior campaign overlap has been identified. The Bitcoin address in the ransom note matches the exact sample address used throughout Bitcoin's own developer documentation, which Sysdig assesses as consistent with either LLM hallucination from training data or deliberate operator reuse. The Proton Mail contact has zero hits in threat intelligence databases and does not match known MySQL ransomware campaign contact formats. The README_RANSOM table name does not match any known MySQL ransomware campaign lineage. Sysdig explicitly states it has no visibility into JADEPUFFER's system prompt or agent configuration and cannot determine the identity or involvement level of any human operator. The credential targeting pattern covering Chinese cloud providers (Alibaba, Aliyun, Tencent, Huawei) alongside Western providers is noted but Sysdig draws no attribution inference from it.


Primary Sources