[ECHO]4 min read

Thirty-One Seconds

JADEPUFFER is the first ransomware run end-to-end by an LLM, and it broke in through Langflow, the same agentic framework class operators deploy.

Thirty-One Seconds

In one recorded sequence, an attacker on the target host hit a failed login, read the bcrypt error message that came back, imported the missing library, and pushed a working payload in thirty-one seconds. Every step of that attack was driven by a large language model, running a ransomware operation with no human operator in the loop.

Sysdig's Threat Research Team published the case on July 1 and named it JADEPUFFER, with security-press coverage cascading through the July 4-7 window. Sysdig assesses it as the first documented ransomware operation run end-to-end by an LLM. Every phase ran on the model, from reconnaissance and credential harvest through lateral movement, privilege escalation, encryption, and ransom-note staging.

CVE-2025-3248 is what let JADEPUFFER in. It's a missing-authentication flaw in Langflow's code-execution endpoint, patched by the vendor in April 2025 and tagged by CISA as actively exploited the same month. Langflow is what thousands of teams reach for when they build LLM apps, so JADEPUFFER rode in on the same class of infrastructure operators use to build their own agentic tools.

The stranger detail is what the payloads say to themselves. Every command JADEPUFFER pushed carries an English rationale explaining why. Sysdig's analysts read one payload that reasoned about which database to attack first based on estimated size and value, an ROI calculation baked into the middle of a python3 one-liner. Human attackers don't annotate their throwaway commands with strategic reasoning, but LLMs do it by reflex. The malware kept a running commentary of its own attack, in prose, as it ran.

The JADEPUFFER kill chain, from Langflow RCE onto the host, through harvested credentials into the target database, to adaptive encryption of 1,342 records before the ephemeral key is thrown away.

Once inside the target, the agent encrypted 1,342 Nacos configuration items using MySQL's AES_ENCRYPT function and prepared a Bitcoin ransom demand. Then the attack broke on its own encryption. The AES key was ephemeral, written to stdout at execution and never captured or sent back. Encrypted data is unrecoverable even if the ransom is paid. JADEPUFFER's first outing was catastrophic for the target and useless to whoever wrote it, and every step now lives in Sysdig's write-up for the next operator to reproduce.

AI as a tool in attacks isn't news. Attackers have used it for years for phishing text, reconnaissance summaries, and the occasional payload polish. JADEPUFFER changes the frame because the AI ran the whole operation. That breaks three defensive assumptions at once. Detection rules built around scripted patterns can't see behavior that improvises. Signatures that fingerprint specific attack tools miss LLM-generated variants that were never in the training set. And response playbooks written around a human adversary lose to a machine that revises its approach faster than a person can update a Slack thread.

The Langflow entry point is the story, not the Nacos encryption. Langflow is what your team downloads this quarter to build agent tools. LangChain, Flowise, N8N, and a dozen other low-code frameworks sit next to it on the same shelf. If Langflow is a way into your production, so are they. The tools you installed to make your engineers faster are now a documented way in for a machine that outpaces them.

What to Do With This

If you run Langflow or any LLM-app framework in production, patch to the CVE-2025-3248 fix now. Audit dev-facing AI tools for exposed surfaces on public IPs. Rotate any credentials that touched those systems, including provider API keys and cloud credentials.

If you lead a team that uses AI across several workflows, add agentic frameworks (Langflow, LangChain deployments, Flowise, N8N with AI nodes) to your threat model as a first-class attack surface. If you can't answer "what's the blast radius if this framework is compromised" for each one, that's the audit for next week.

If you decide what AI tools the whole company runs, update incident response for the agentic threat class. Scripted-behavior detection fails against adaptive behavior, and tool-specific signatures don't hold when the LLM writes variants. Ask your security team what they'd have detected differently against JADEPUFFER, and use the answer to revise playbooks.

Want More Than This Newsletter?

Alcreon publishes a daily AI briefing, long-form dossiers, and an analysis feed for the teams actually shipping AI in production. This newsletter is one read out of the full library.

Read the daily feed or browse the editorials.

Also on the Radar

Anthropic Signs $19 Billion, 20-Year Lease With TeraWulf for 401 MW in Kentucky

TeraWulf, a Bitcoin miner, signed a 20-year lease with Anthropic on July 6 for up to 401 MW of AI compute at its Hawesville, Kentucky data campus, with total contracted revenue of about $19 billion. Initial operations start late 2027, full capacity early 2028. The $19 billion figure exceeds TeraWulf's roughly $12 billion market value. Compute-lease deals now stretch two decades, and the landlords are as often Bitcoin miners as hyperscalers.

Fable 5 Leaves Pro, Max, and Team Plan Limits at Midnight

Starting July 8, Claude Fable 5 no longer draws against Pro, Max, or Team subscription limits. It bills through pay-as-you-go usage credits at the standard API rates, $10 input and $50 output per million tokens. Opus 4.8, Sonnet, and Haiku stay covered under normal plan limits. Without credits enabled in Settings, Fable 5 access simply stops. Enable credits and set a spending cap before you hit the wall today.

Share