JADEPUFFER AI Ransomware: Patch Exposed Langflow Servers

Sysdig documented JADEPUFFER, an AI-agent ransomware operation that exploited CVE-2025-3248 on an exposed Langflow server to steal secrets, pivot to Nacos, and destroy database configurations.

Sysdig Threat Research has documented what it assesses as a complete ransomware operation driven by an AI agent, using an exposed Langflow server as the first step into a production environment.[1] The campaign, tracked as JADEPUFFER, matters because it turns an old, already-patched web-facing bug into a fast, adaptive extortion chain: reconnaissance, secret theft, lateral discovery, persistence, database access, and destructive encryption.

The entry point was CVE-2025-3248, a code-injection flaw in Langflow's code-validation endpoint that affects versions before 1.3.0 and requires no authentication. NVD describes it as a remote unauthenticated issue that can execute arbitrary code and lists a CVSS 3.1 score of 9.8 Critical; the same record notes that CISA added the vulnerability to its Known Exploited Vulnerabilities catalog in May 2025.[3] In other words, this was not a mystery zero-day. It was a neglected AI-workflow server still reachable from the internet.

Sysdig says the agent used the compromised Langflow host to hunt for valuable secrets, including LLM provider keys, cloud credentials, cryptocurrency material, database credentials, and local application data.[1] The case is especially relevant for teams running self-hosted AI tooling because Langflow-style systems often sit close to provider API keys and automation credentials. That is the same class of risk we covered in the earlier Langflow CVE-2026-5027 exploitation story: an AI workflow server is not harmless just because it looks like an internal builder.

After the initial host was compromised, JADEPUFFER pivoted toward a separate production server running MySQL and Alibaba Nacos. The observed payloads showed attempts to take over Nacos, create administrator access, probe container escape paths, and then encrypt 1,342 Nacos configuration items before dropping original tables and writing a ransom note.[1] Sysdig also noted a harsh operational detail: the encryption key appeared to be generated and printed once, but not saved or sent back, meaning the victim would not be able to recover the configurations even by paying.

The evidence for AI-driven operation is not just that the attack involved AI infrastructure. Sysdig pointed to more than 600 purposeful payloads, self-narrating code comments, and rapid correction of failed steps. In one Nacos sequence, the operator went from a failed login to a corrected multi-step fix in 31 seconds, diagnosing the failure and changing the approach rather than simply retrying.[1] The Hacker News coverage framed the same point clearly: agents reduce the skill needed to stitch old bugs, exposed databases, default credentials, and stolen secrets into one attack path.[2]

For defenders, the practical lesson is narrow and urgent. Any internet-exposed Langflow deployment should be treated as a code-execution surface, not a dashboard. Upgrade Langflow to 1.3.0 or later, remove direct internet exposure, place the service behind authentication and network allow lists, and assume any instance that was exposed while vulnerable may already have leaked environment variables, API keys, cloud tokens, and database credentials.

What defenders should check now

Start with asset discovery: find Langflow, Nacos, MinIO, MySQL, and other AI-adjacent services that are reachable from the internet or from broad internal networks. If a Langflow server was exposed while vulnerable, rotate every secret the host could reach: LLM provider keys (OpenAI, Anthropic, Gemini, DeepSeek), cloud credentials, Git credentials, database users, and anything stored in environment variables or Langflow backing stores.

Review logs for POST requests to Langflow's code-validation endpoint (/api/v1/validate/code, the path abused by CVE-2025-3248) from sources that should never call it, unexpected Python execution, new scheduled tasks or cron entries, outbound beacons to unfamiliar IP addresses, and database activity that touches Nacos configuration tables. Sysdig published indicators including C2 infrastructure at 45.131.66[.]106, a claimed staging server at 64.20.53[.]230, and a ransom table named README_RANSOM.[1] Treat these as starting points, not a complete detection list.
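The log review above, as an added example (this is not code from Sysdig's report or from the Langflow project). It scans constructed reverse-proxy access-log lines for two of the signals listed: POST requests to Langflow's code-validation endpoint from sources outside an allow list, and any traffic involving the two published IOC addresses. The endpoint path is the one the CVE-2025-3248 advisory names; the combined-style log format, the sample log lines, the sample flow records, and the 10.0.0.5 allow-listed host are assumptions made for the example.

```python
"""Added example, not code from Sysdig's report or from the Langflow project.

Scans constructed access-log lines for two JADEPUFFER-related signals:
POSTs to Langflow's code-validation endpoint from non-allowlisted sources,
and any request or flow that touches the published IOC addresses.
The log format is an assumed Apache/nginx combined-style log.
"""
import re
from dataclasses import dataclass

# IOC addresses from the Sysdig report as repeated in this article (undefanged here).
IOC_IPS = {"45.131.66.106", "64.20.53.230"}

# Endpoint abused by CVE-2025-3248 (Langflow < 1.3.0).
VALIDATE_CODE = "/api/v1/validate/code"

# Combined-style access log: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


@dataclass(frozen=True)
class Finding:
    src: str
    ts: str
    reason: str


def scan_access_log(lines, allowed_sources=frozenset()):
    """Return findings for code-validation POSTs from unexpected sources and IOC hits."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; out of scope for this example
        src, ts, method, path, status = m.group("src", "ts", "method", "path", "status")
        if (method == "POST" and path.split("?", 1)[0] == VALIDATE_CODE
                and src not in allowed_sources):
            findings.append(Finding(src, ts,
                f"code-validation POST from non-allowlisted source (HTTP {status})"))
        if src in IOC_IPS:
            findings.append(Finding(src, ts, "request from published JADEPUFFER IOC address"))
    return findings


def scan_flows(flows):
    """flows: (src_ip, dst_ip, dst_port) tuples from a netflow/conntrack export.

    Returns the flows whose destination is a published IOC address (outbound C2 contact).
    """
    return [f for f in flows if f[1] in IOC_IPS]


# Constructed sample data (assumption: 10.0.0.5 is the only host allowed to call the endpoint).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2026:10:00:01 +0000] "GET /api/v1/flows HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jul/2026:10:00:02 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 88',
    '10.0.0.5 - - [01/Jul/2026:10:00:03 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 88',
    '45.131.66.106 - - [01/Jul/2026:10:00:04 +0000] "GET /health HTTP/1.1" 200 2',
]
SAMPLE_FLOWS = [("10.0.0.9", "64.20.53.230", 443), ("10.0.0.9", "10.0.0.10", 3306)]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, allowed_sources={"10.0.0.5"}):
        print(f"{f.ts} {f.src}: {f.reason}")
    for src, dst, port in scan_flows(SAMPLE_FLOWS):
        print(f"outbound IOC contact {src} -> {dst}:{port}")
```

Run against the sample data this reports the POST from 203.0.113.7, the request from the IOC address, and the outbound flow to 64.20.53.230, while the allow-listed host's own validation call is ignored. Any hit on the endpoint check means the vulnerable code path was reachable; it does not prove exploitation, so pair it with the host-side checks (Python execution, cron entries) the article lists.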

For Nacos and database systems, remove public exposure, replace the default token signing secret, disable default credentials, stop application services from using root database accounts, and restrict outbound traffic so a compromised AI tool cannot freely call back to attacker infrastructure. The same principle applies to newer AI development surfaces: the LangGraph RCE chain and Amazon Q Developer MCP RCE both show how quickly agent and automation tooling can become part of an attack path when execution features are exposed too broadly.
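The Nacos hardening points above, as an added example (not code from the Nacos project or from Sysdig). It audits a Nacos server application.properties for the weak settings the paragraph lists: authentication switched off, the stock token-signing placeholder, missing server identity, the User-Agent auth bypass, and the application connecting to MySQL as root. The property names are the real Nacos ones (two spellings are checked for the secret key, covering older and newer releases); the weak and hardened configs are constructed, and the "SecretKey" placeholder prefix check and the 32-byte minimum are this example's own assumptions.

```python
"""Added example, not code from the Nacos project or Sysdig's report.

Audits a Nacos application.properties for the weak settings this article
tells defenders to fix, using two constructed configs: one that looks like an
untouched install and one hardened version.
"""
import base64
import binascii

SECRET_KEY_PROPS = (
    "nacos.core.auth.plugin.nacos.token.secret.key",  # Nacos 2.2+ spelling
    "nacos.core.auth.default.token.secret.key",       # older releases
)
MIN_SECRET_BYTES = 32  # assumption: HMAC signing key of at least 256 bits


def parse_properties(text):
    """Minimal Java .properties parser: key=value, '#'/'!' comments, first '=' splits."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_nacos_config(text):
    """Return a list of (code, message) findings; an empty list means nothing weak was found."""
    p = parse_properties(text)
    issues = []
    if p.get("nacos.core.auth.enabled", "false").lower() != "true":
        issues.append(("AUTH_DISABLED", "nacos.core.auth.enabled is not true"))
    if p.get("nacos.core.auth.enable.userAgentAuthWhite", "false").lower() == "true":
        issues.append(("UA_WHITELIST", "User-Agent based server auth bypass is enabled"))
    if (not p.get("nacos.core.auth.server.identity.key")
            or not p.get("nacos.core.auth.server.identity.value")):
        issues.append(("NO_SERVER_IDENTITY", "server identity key/value not set"))
    secret = next((p[k] for k in SECRET_KEY_PROPS if p.get(k)), None)
    if secret is None:
        issues.append(("NO_SECRET", "no token signing secret configured"))
    elif secret.startswith("SecretKey"):  # assumption: stock placeholder prefix
        issues.append(("PLACEHOLDER_SECRET", "token secret looks like the stock placeholder"))
    else:
        try:
            raw = base64.b64decode(secret, validate=True)
        except binascii.Error:
            issues.append(("BAD_SECRET_ENCODING", "token secret is not valid base64"))
        else:
            if len(raw) < MIN_SECRET_BYTES:
                issues.append(("SHORT_SECRET",
                               f"token secret is {len(raw)} bytes, need {MIN_SECRET_BYTES}"))
    for k in ("db.user", "db.user.0"):
        if p.get(k) == "root":
            issues.append(("ROOT_DB_USER", f"{k}=root: app should use a least-privilege DB user"))
    return issues


# Constructed weak config resembling an untouched install (not taken from any real host).
WEAK_CONFIG = """\
# constructed example
nacos.core.auth.enabled=false
nacos.core.auth.enable.userAgentAuthWhite=true
nacos.core.auth.server.identity.key=
nacos.core.auth.server.identity.value=
nacos.core.auth.plugin.nacos.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
db.url.0=jdbc:mysql://db:3306/nacos
db.user.0=root
db.password.0=root
"""

# Constructed hardened config. The secret below is a 32-byte stand-in of the right shape;
# a real deployment generates it with base64(os.urandom(32)) and stores it in a secret manager.
HARDENED_CONFIG = """\
nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=constructed-random-value
nacos.core.auth.plugin.nacos.token.secret.key=AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
db.url.0=jdbc:mysql://db:3306/nacos
db.user.0=nacos_app
db.password.0=constructed-placeholder
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_nacos_config(cfg) or "no findings")
```

The audit is a configuration review, not a substitute for the network controls in the paragraph: a Nacos server with every finding cleared is still a target if its port is reachable from the internet or from a compromised AI-tooling host, so run it alongside the exposure and egress checks.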

JADEPUFFER is not a reason to panic about every AI tool. It is a reason to stop treating self-hosted AI builders as temporary experiments. If they can run code, reach secrets, and talk to production systems, they need the same patching, segmentation, logging, and credential hygiene as any other high-risk application server.

References

  1. Michael Clark, Sysdig Threat Research, “JADEPUFFER: Agentic ransomware for automated database extortion,” July 1, 2026. https://www.sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion
  2. Swati Khandelwal, The Hacker News, “AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack,” July 2, 2026. https://thehackernews.com/2026/07/ai-agent-exploits-langflow-rce-to.html
  3. National Vulnerability Database, “CVE-2025-3248 Detail,” accessed July 3, 2026. https://nvd.nist.gov/vuln/detail/CVE-2025-3248

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
