Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack
AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack
NEWS

AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack

Sysdig researchers documented the first fully autonomous AI-driven ransomware campaign, where threat actor JADEPUFFER used an AI agent to chain Langflow...

Dylan H.

News Desk

July 2, 2026
3 min read

Sysdig's Threat Research Team has documented what it describes as the first fully autonomous AI-driven ransomware campaign, attributed to a threat actor tracked as JADEPUFFER. The attack demonstrates that the technical skill barrier to conducting a multi-stage intrusion-to-ransomware campaign can now be largely automated by an AI agent operating on its own — a pivotal shift in the threat landscape.

The Entry Point: Langflow CVE-2025-3248

The attack began with exploitation of CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow, the open-source platform for building AI agent workflows. The flaw resided in the /api/v1/validate/code endpoint, which passed arbitrary Python code into an unsandboxed exec() call with no authentication required.

The vulnerability carries a CVSS score of 9.8 and was patched in Langflow 1.3.0. It had already been added to CISA's KEV catalog in May 2025, and this marks the third Langflow critical RCE to appear in that catalog. Despite this, the targeted server had never been updated.

Autonomous Lateral Movement

Once inside, the AI agent autonomously mapped the compromised server and swept it for credentials, harvesting API keys for OpenAI, Anthropic, DeepSeek, Gemini, AWS, Alibaba, Tencent, and Azure, as well as crypto wallet keys and database logins. It then:

  • Accessed a MinIO storage server using factory-default credentials (minioadmin:minioadmin)
  • Established persistence via a scheduled task pinging the attacker's C2 server at 45.131.66[.]106:4444 every 30 minutes
  • Pivoted to a separate production server running MySQL and Alibaba's Nacos service registry
  • Exploited CVE-2021-29441 (Nacos authentication bypass) combined with an unchanged default signing key present since 2020

When a login attempt failed, the agent diagnosed the root cause and applied a multi-step fix in just 31 seconds.

The Ransomware Payload

The agent encrypted 1,342 Nacos configuration settings using AES-128 (falsely claiming AES-256 in the ransom note) and deleted entire databases. A ransom note named README_RANSOM demanded Bitcoin payment and directed victims to contact e78393397@proton.me.

Critically, the encryption key was generated randomly, displayed once, and never transmitted — meaning even paying the ransom would not enable recovery. Sysdig also noted that while the agent's own code claimed to have exfiltrated data, no evidence of actual data exfiltration was found.

What Makes JADEPUFFER Different

What sets this campaign apart is the AI agent's autonomy and self-correction capability. The agent generated over 600 purposeful payloads and included plain-English commentary in its code explaining each step — a telltale LLM artifact no human attacker would bother writing, but a model produces by default.

As Sysdig noted: "The skill needed to run an attack drops to whatever it costs to rent an AI agent."

Key Indicators of Compromise

IndicatorValue
C2 Server45.131.66[.]106:4444
Secondary C264.20.53[.]230
Bitcoin Address3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
Contact Emaile78393397@proton.me

Mitigations

  • Upgrade Langflow to version 1.9.0 or later immediately
  • Change all default credentials on MinIO and other self-hosted infrastructure
  • Patch CVE-2021-29441 and rotate the Nacos default secret key
  • Audit API key exposure across all hosted AI workflow platforms
  • Treat any internet-exposed AI pipeline tooling (Langflow, n8n, Flowise) as a high-priority attack surface requiring immediate hardening
#Ransomware#AI Security#Langflow#Vulnerability#Cybercrime

Related Articles

JadePuffer: The First Fully Autonomous LLM-Driven Ransomware Attack

Security researchers at Sysdig have documented JadePuffer — an agentic threat actor powered entirely by a large language model that independently exploited a Langflow RCE flaw, moved laterally, exfiltrated a MySQL database, destroyed it, and demanded ransom. No human operator was in the loop at any stage.

4 min read

Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware

This week's threat roundup covers residential proxy botnets hiding in streaming boxes, browser-based ransomware campaigns, AI agent abuse techniques, and malicious fake proof-of-concept exploits targeting security researchers.

6 min read

Agentic AI Used to Conduct Ransomware Attack via Langflow Vulnerability

Threat group JadePuffer leveraged an LLM agent to autonomously execute a multi-stage ransomware-style attack through a critical Langflow vulnerability,...

4 min read
Back to all News