An AI agent ran a full ransomware attack by itself, and researchers caught it
Sysdig documented what it calls the first end-to-end ransomware attack driven entirely by an AI agent. No human read the errors, typed the fixes, or ran the playbook.
An AI agent broke in, stole the keys, encrypted the database, and left a ransom note. No human ran it.
On July 1, 2026, the security firm Sysdig published its analysis of what it believes is a first: a complete ransomware attack run end to end by an AI agent, with no human driving the individual steps. Sysdig named it JADEPUFFER and calls it an 'agentic threat actor,' meaning the attack capability came from a large language model rather than a person at a keyboard. The agent broke in, stole credentials, spread through the network, encrypted a production database, and left a ransom note, on its own.
What the agent did
The way in was an AI development tool. The victim had a Langflow instance, a popular tool for building LLM apps visually, exposed to the internet, and it was vulnerable to CVE-2025-3248, a flaw that lets an unauthenticated stranger run code on the server. Sysdig notes roughly 7,000 Langflow servers are sitting exposed. From that foothold, the agent worked through a full playbook: it mapped the machine, then swept for anything valuable, LLM provider API keys for OpenAI, Anthropic, DeepSeek, and Gemini, cloud credentials for AWS, Azure, Alibaba, and Tencent, crypto wallet keys, and database logins.
From there it moved sideways into an object-storage service protected only by its default password, set up a scheduled task to phone home to the attacker every 30 minutes, and pivoted to the real target: a production database. It took over the configuration service in front of that database, encrypted 1,342 configuration records, deleted the originals, and dropped a Bitcoin ransom note in a new table. A human running this would need to be fluent in half a dozen different systems. This operator needed to be fluent in none of them.
How they know a machine ran it
Attribution is the interesting part. Sysdig points to several tells. The attack payloads were full of plain-English commentary explaining why each step was being taken, the kind of narration an LLM produces by default and a human never bothers to add to a throwaway command. When one step failed, the agent diagnosed the problem and rewrote a working version of its own payload in 31 seconds, faster than a person could read the error. It correctly acted on free-text context that had to be read and understood, not just pattern-matched. And it fired off more than 600 distinct, purposeful payloads across the operation.
The part that makes it worse
There is a cruel flaw in the attack. The key used to encrypt the database was generated on the fly, printed once, and never saved or sent anywhere. That means the victim cannot get their data back even if they pay the ransom. Whether that was a deliberate scorched-earth choice or the agent simply making a mistake is unclear, and that ambiguity is its own kind of warning: an autonomous attacker does not have to be competent to be destructive.
Why a build studio cares
Read the entry point again: an AI dev tool, exposed to the internet, full of API keys. That is not an exotic setup. It is the shape of a lot of real projects, an internal tool spun up quickly, left reachable, with cloud and LLM credentials sitting in its environment because that was the fast way to wire it. The defenses here are unglamorous and entirely in a builder's control: do not expose code-execution endpoints to the internet, keep secrets in a real secrets manager instead of loose in a tool's environment, change default passwords and signing keys, and watch runtime behavior, because once an agent is inside, how fast you detect what it is doing matters more than how fast you patched.
The honest caveat: this is one documented case, some of the attribution is inference rather than proof, and autonomous attackers still depend on the same old unpatched flaws and default passwords that human attackers do. That last point is the reassuring half. The AI did not invent a new way in; it walked through doors that were already unlocked. Closing those doors still works. What changed is that there are now far more attackers capable of walking through them. We build with AI agents ourselves, and this is a sharp reminder that the same capability we point at useful work can be pointed at a network, so the agents you deploy and the tools you expose both deserve the paranoid version of your attention.
Next step: read Sysdig's full analysis for the technical detail, and The Hacker News' report for the defensive summary. If you are running an AI tool or agent anywhere near production and want a second pair of eyes on what it can reach, write to us at hello@gattyworks.com.