According to new research published by Sysdig’s Threat Research Team, AI has officially completed what researchers believe is the first documented ransomware attack run – from beginning to end – by an AI agent.
The operation, named JADEPUFFER, did not use brand new hacking methods. It searched for known security weaknesses, collected credentials, accessed other systems, encrypted data and left behind a ransom note. Sysdig says the difference was that an AI agent completed the entire operation on its own, correcting mistakes without waiting for instructions from a human operator.
For many years, ransomware attacks involved people making decisions throughout an intrusion. Sysdig says this case shows an AI model making those decisions during the attack, which could make this type of crime easier to carry out.
How Exactly Did The AI Complete The Attack?
The operation began through a known security flaw in Langflow, an open source platform used to build AI applications. Sysdig says the AI agent entered an internet exposed Langflow server through CVE 2025 3248 before searching the system for passwords, cloud credentials, API keys and database information.
After gaining access, the AI searched internal systems, collected more credentials and worked towards its intended target, which was a production server running a MySQL database and a Nacos configuration service. Sysdig says the AI encrypted production configuration, deleted database tables and created a ransom demand.
Sysdig also documented something unusual during the attack… The AI added comments to its own code explaining what it was doing and why. Researchers also recorded the agent correcting mistakes almost immediately. After one failed login, it diagnosed the problem, rewrote its code and successfully logged in 31 seconds later.
Hard2bit says this changes who can carry out these attacks, writing, “The lesson is more uncomfortable: the skill threshold for running a complete attack falls when an agent can test, fail, correct and chain steps on its own.”
More from Artificial Intelligence
- Beyond Automation: Building Accountability For AI Agents
- Are Global Regulators About To Follow China’s Ban On Humanlike AI?
- These Companies Decided To Rehire Human Workers After Replacing Them With AI
- AI Is Making It Cheaper To Sue Your Boss – Are UK Businesses Ready?
- How Are Music Streaming Platforms’ AI Policies Impacting Artists?
- Is Your Team’s Everyday AI Use Secretly Training Your Competitors?
- AI Is Quietly Influencing What Care Gets Approved – Should Patients Be Told?
- Are Heatwaves The Next Big Threat To AI And Europe’s Digital Infrastructure?
Should Organisations Be Concerned?
Of course, organisations should stay alert, but not because hackers have discovered entirely new ways to break into systems. Sysdig and Hard2bit say JADEPUFFER succeeded because it used security weaknesses that were already well known, including unpatched software, default credentials and internet exposed services.
Hard2bit writes, “The message for companies is simple: agents do not need zero-days to cause serious damage. They only need to find what was already exposed, unpatched or full of secrets.”
Sysdig says none of the individual techniques used by JADEPUFFER were especially advanced. The AI connected those techniques into one continuous attack without waiting for a person to decide what happened next.
According to Hard2bit, automation no longer stops after launching a known exploit because it “can decide what to try next, correct errors and move towards the real target.”
What Should Companies Do Now?
Sysdig says paying the ransom would probably not have recovered the encrypted information. During the attack, the AI generated an encryption key, displayed it once and never saved or transmitted it. Without that key, the encrypted data could not realistically be recovered.
The research also shows that older security weaknesses can continue to be valuable for attackers. JADEPUFFER used known vulnerabilities, default credentials and internet exposed systems instead of inventing new techniques.
Hard2bit writes, “JADEPUFFER does not prove that classic defences no longer work. It proves they have become more urgent.”
Both security organisations recommend patching internet exposed software, removing default passwords, storing credentials outside application environments, restricting database access, controlling outbound network connections and keeping backups that have been properly tested.
Sysdig believes the most important development is not the hacking methods themselves. The researchers write, “An autonomous agent reasoned about its targets, harvested and reused credentials, moved laterally, established persistence and destroyed a database, narrating its own intent the entire way.”
To make a long story short: this case is only different because an AI agent carried out each stage of the operation without waiting for a person to guide every action – not because the types of attacks have advanced. But, that means organisations may need to expect automated attacks to complete tasks that previously required an experienced hacker – and that is where the concern is.
