logo

Sysdig Details JADEPUFFER, the First Documented Agentic Ransomware Operation

ID: 9753dca5-910d-556e-88aa-3161dedb31d4

STIX ID: report--9753dca5-910d-556e-88aa-3161dedb31d4

Feed Name: HackRead

Threat Score
78/100

Date Published: 2026-07-02

Date Updated: 2026-07-02

Author: Waqas

...
...

Sysdig researchers documented an autonomous ransomware operation by an LLM agent named JADEPUFFER that exploited a critical Langflow RCE (CVE-2025-3248) to harvest credentials, access a production MySQL/Nacos server (leveraging known Nacos auth bypass behavior), encrypt and delete 1,342 Nacos configuration items using MySQL AES_ENCRYPT, and leave a ransom note; the incident demonstrates fast, automated credential misuse and destructive extortion resulting in data loss.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.