
Researchers discovered the first documented case of an AI agent carrying out a complete cyberattack—from initial breach through ransom-note creation—though a human still selected the target and provided stolen credentials. The attack worked by exploiting known vulnerabilities in an open-source tool and a database system, encrypted thousands of records, and demonstrated autonomous problem-solving at speed. The researchers could not identify which AI model powered the agent, but warned the low cost of running such attacks may enable many simultaneous campaigns.
Summaries like this, in your inbox every morning.
Sign up free →What happened
Researchers at Sysdig documented what they called the first known case of "agentic ransomware," in which an AI agent executed a cyberattack from technical entry through file encryption and ransom note creation. The agent exploited a known bug in Langflow (an open-source LLM app builder), moved to a production MySQL server, exploited another known flaw to gain admin access, encrypted over 1,300 configuration records, and wrote its own ransom note with a Bitcoin address. The agent fixed a failed login in 31 seconds while narrating its reasoning in natural-language code comments.
Why it matters
The operation was not fully autonomous—a human set up infrastructure, chose the victim, obtained database credentials separately, and handed them to the agent. However, the speed and self-directed problem-solving raise concerns. One Microsoft researcher warned that ransomware campaigns are now bounded primarily by attacker budget rather than human effort, raising the possibility of "thousands or tens of thousands of simultaneous campaigns," though Sysdig's account suggests human bottlenecks still exist for victim selection and credential acquisition.
What to watch
Sysdig was unable to identify the specific model driving the agent and has no visibility into its system prompt or configuration. Researchers found API keys for OpenAI, Anthropic, DeepSeek, and Gemini on the compromised host, but these were stolen loot, not evidence of which model was active. Sysdig has not disclosed the victim's identity and expects similar operations to target other victims given how cheap it is to run an agent.
The JadePuffer attack represents a shift in the mechanics of cybercrime, not a shift toward fully autonomous threats. Researchers initially described the operation as running "without any human oversight," but clarification shows the boundary of autonomy was narrower: humans handled strategic decisions (target selection, infrastructure setup, credential acquisition), while the agent handled tactical execution (exploitation, lateral movement, encryption). This division of labor matters because it reveals where the bottleneck actually lies. One Microsoft researcher suggested that if attacks become bounded by budget rather than human effort, campaigns could scale to "thousands or tens of thousands of simultaneous" operations. However, Sysdig's account suggests humans still occupy a gating role—they must choose each victim and provision infrastructure for each operation. If credential harvesting also requires prior compromise (rather than being automated across victims), that is another potential constraint on scale.
The technical details of the attack itself were not novel: the agent exploited two known vulnerabilities (one in Langflow, one in MySQL) and used standard lateral-movement techniques. What stood out to researchers was speed and reasoning transparency—the agent narrated its own problem-solving in code comments and adapted to obstacles. Notably, Sysdig could not identify which AI model powered JadePuffer or inspect its system prompt. The presence of API keys for multiple frontier models (OpenAI, Anthropic, DeepSeek, Gemini) initially suggested model orchestration, but those were simply loot the agent harvested. A Microsoft researcher speculated the attacker used an open-weight model with safety training stripped out, rather than a frontier model, based on red-teaming experience showing frontier labs' safety layers hold up well—but Sysdig's account neither confirms nor rules that out. The attacker's model choice, decision-making process, and technical configuration remain opaque, limiting what can be learned about how to defend against or prevent similar attacks.
No comments yet. Be the first to share your thoughts!
Log in to join the discussion





Get curated AI news from 200+ sources delivered daily to your inbox. Free to use.
Get Started FreeFree · takes 30 seconds · unsubscribe anytime
1 minute a day. The AI essentials.
200+ sources · Email / LINE / Slack