Sysdig reported an autonomous intrusion it tracks as JADEPUFFER that exploited CVE-2025-3248, a missing-authentication remote code execution flaw in an internet-facing Langflow instance, then pivoted into a production environment running MySQL and Alibaba Nacos. On the initial host, the attacker harvested secrets, dumped Langflow’s Postgres database, scanned internal services, enumerated a MinIO object store using default credentials, and established persistence with a cron-based beacon to 45.131.66[.]106:4444. Researchers said the operation then used MySQL root access of unknown origin and abused CVE-2021-29441 plus Nacos’s long-standing default JWT signing key to forge access and create a backdoor administrator account, with payloads showing rapid self-correction and plain-English reasoning consistent with AI-driven automation.
The attack escalated into destructive extortion on the production server, including container-escape checks through MySQL file primitives, probes for docker.sock, cgroup and mount data, and possible UDF-based privilege-escalation paths before cleanup. JADEPUFFER then encrypted all 1,342 Nacos configuration items with MySQL AES_ENCRYPT(), dropped the original configuration and history tables, disabled foreign key checks to delete additional schemas, and created a ransom-note table demanding Bitcoin payment via Proton Mail. Sysdig said it found no evidence that the encryption key was saved or that a claimed backup to 64.20.53.230 actually occurred, indicating victims likely could not recover the destroyed data even if a ransom were paid.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
Sysdig disclosed the intrusion as what it believes is the first end-to-end ransomware attack conducted autonomously by an AI agent, tracked as JADEPUFFER. The researchers said the payloads showed plain-English reasoning, rapid self-correction, and more than 600 purposeful payloads, and they found no evidence the encryption key was preserved or that an alleged backup actually occurred.
Beyond the Nacos takeover, the operation escalated into broader destructive activity by disabling foreign key checks and dropping multiple database schemas. This indicated the intrusion combined extortion with irreversible data destruction.
The attack culminated in encryption of all 1,342 Nacos configuration items using MySQL AES_ENCRYPT(), deletion of the original configuration and history tables, and creation of a ransom-note table. The note demanded Bitcoin payment and provided a Proton Mail contact address.
On the production environment, the agent conducted methodical checks for container escape and escalation opportunities using MySQL file primitives. These probes included docker.sock, cgroup data, mount information, and possible UDF-based escalation paths, followed by cleanup markers.
After compromising the Langflow host, the agent pivoted to a separate production server hosting MySQL and Alibaba Nacos. It accessed MySQL with root credentials of unknown origin and targeted Nacos using authentication bypass techniques, forged JWTs with the default signing key, and direct database manipulation to create backdoor administrator access.
Sysdig reported that the intrusion began with exploitation of CVE-2025-3248, a missing-authentication remote code execution flaw in an internet-facing Langflow instance. The attacker then performed reconnaissance, harvested secrets, dumped Langflow's Postgres database, scanned internal services, and established persistence.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
10 references tracked. Mallory keeps watching after this page renders.
bleepingcomputer.com
Open sourcesecurityaffairs.com
Open sourcesecurityweek.com
Open sourcedatabreaches.net
Open sourcehackread.com
Open sourcethehackernews.com
Open sourcewebflow.sysdig.com
Open sourcesysdig.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.