Researchers at cybersecurity firm Sysdig say they have identified what they believe is the first documented case of an autonomous AI agent carrying out a ransomware attack.
The attack, dubbed “JadePuffer,” exploited a critical vulnerability in the open-source AI application framework Langflow to infiltrate an internet-exposed server, according to a report published by Sysdig’s Threat Research Team.
Langflow is an open-source, low-code platform for building AI applications and autonomous agent workflows. Sysdig said the attackers gained initial access by exploiting CVE-2025-3248, a critical authentication vulnerability disclosed in April.
Unlike traditional ransomware attacks that require hackers to carry out most of the operation, researchers said the AI model independently breached the system, gathered sensitive information and generated a ransom note that included the payment demand, a Bitcoin wallet address and a Proton Mail contact for communication.
“JadePuffer is a warning sign,” Michael Clark, Sysdig’s director of threat research, wrote in the report. “It’s a marker of where extortion tradecraft is heading.”
According to Sysdig, the attack shows that AI agents can make it much easier for cybercriminals to carry out ransomware attacks by reducing the need for advanced technical skills.
Sysdig said the AI combined existing hacking techniques to successfully target vulnerable infrastructure at little cost to the attacker.
“Defenders should expect the volume and breadth of such campaigns to rise as agentic tooling matures, and they should treat exposed application servers, unhardened configuration stores, and internet-facing database admin accounts as the first surfaces that will be attacked,” Sysdig notes.
Security researchers outside Sysdig said the incident demonstrates how AI could dramatically increase the scale and speed of ransomware campaigns.
“Ransomware (and destructive) attacks can now scale bounded primarily by attacker budget – instead of being bounded by their human ability to operate campaigns themselves,” Geoff McDonald, principal research manager on Microsoft’s Defender for Endpoint team, wrote on LinkedIn. “There is now little stopping threat actors from operating thousands or tens of thousands of simultaneous campaigns.”
The discovery comes as AI companies increasingly acknowledge the cybersecurity capabilities of their most advanced models. Anthropic and OpenAI have both restricted access to some newly released models because of their offensive cyber capabilities.
The U.S. government also previously imposed export controls on Anthropic’s powerful AI models, Claude Fable 5 and Mythos 5, over national security concerns but later lifted those restrictions.
McDonald warned that the cybersecurity industry may be unprepared for the rapid evolution of AI-assisted attacks.
“This is a transformative moment in cybersecurity that in my opinion the industry and world is not ready for, and I believe will have great negative outcomes as it accelerates over these next few months,” he wrote.







