On July 1, Sysdig published a case report that closes a debate the security community has been having for two years. The firm documented JADEPUFFER, the first confirmed end-to-end ransomware operation executed by an autonomous AI agent without human direction. Entry came through CVE-2025-3248, an unauthenticated Python code execution flaw in the Langflow AI workflow platform with an EPSS score of 0.918. That CVE was patched in April 2025. It appeared on CISA’s Known Exploited Vulnerabilities list in May 2025. JADEPUFFER exploited it in July 2026, fifteen months later.
That timeline is the story. Not the autonomous AI. Not the kill chain. The fifteen months.
What JADEPUFFER Did
From the Langflow entry point, an autonomous LLM agent performed the complete ransomware sequence without a human operator making a single real-time decision: PostgreSQL database dump, credential harvest, MinIO object store enumeration, lateral pivot to a production MySQL server, encryption of 1,342 Nacos configuration items, deletion of originals, and a Bitcoin extortion demand. The operation ran from initial exploitation to extortion demand in under 20 hours.
Sysdig identified a forensic marker that distinguishes JADEPUFFER from human-operated tooling: the payloads are self-narrating. Natural-language reasoning annotations and target prioritization logic are embedded directly in the attack code, characteristic of LLM output rather than human tradecraft. Human attackers do not write self-explanatory malware. LLM agents produce artifacts where the decision-making process is legible in the payload itself. That creates a new forensic artifact class, one where analysts can potentially reconstruct the AI agent’s reasoning from captured samples rather than inferring it from behavioral patterns alone. That is both a detection opportunity and something the industry has no existing playbook for.
But the self-narrating payload is a secondary finding. The primary finding is that the attack worked at all.
The Wrong Security Posture for the Wrong Category of Software
Langflow is a web application that executes code on behalf of its users. It has an HTTP API, it accepts requests from the network, and it runs whatever those requests instruct it to run. When an organization deploys Langflow with an internet-accessible endpoint, they have deployed a production web application server. The security posture that applies is the same one that applies to Apache, NGINX, or any other internet-facing application: rapid patch application, network segmentation, authentication on every endpoint, monitoring for anomalous process activity.
The posture most AI teams actually apply is something closer to “developer tooling”: patch when convenient, expose the management interface for accessibility, assume the users are internal researchers. This gap is not unique to Langflow. It is characteristic of the entire AI workflow ecosystem.
CVE-2025-3248 was not obscure. It had an EPSS score indicating exploitation probability in the top 10 percent of all known vulnerabilities. CISA put it on the KEV, which is the clearest possible signal that the flaw is being actively exploited in the wild. For a conventional web application, a KEV listing typically triggers emergency patching within 72 hours in any mature security program. For an AI workflow platform, apparently, it triggers a fifteen-month wait.
JADEPUFFER did not find a novel attack surface. It found an attack surface that the security industry had already labeled, cataloged, and flagged, sitting unpatched because the team running Langflow did not apply web application security standards to a web application.
The Same Week, Five More CVEs
While JADEPUFFER’s kill chain was being documented, five additional Langflow vulnerabilities were filed: a path traversal in the Knowledge Bases API, arbitrary file read via the BaseFileComponent, unauthenticated file upload, an insecure direct object reference in the responses endpoint, and a separate server-side request forgery. The attack surface that produced the first confirmed autonomous AI ransomware campaign added five new entries in the same week it was being reported on.
This is the platform context JADEPUFFER operates in. Organizations that patch CVE-2025-3248 today will have a queue of follow-on vulnerabilities to address next week. That cadence is not coincidental. The Langflow codebase reflects the same development culture that produced JADEPUFFER’s entry point: built for capability, not for adversarial environments.
The same pattern is documented across the broader AI workflow ecosystem. PraisonAI accumulated four simultaneous CVEs across W25 to W28, all sharing a single root cause: security features that disable silently when not configured rather than denying access by default. The Model Context Protocol ecosystem has produced two to four CVEs per week for ten consecutive weeks, all tracing to the same fail-open design decision. NVIDIA Triton Inference Server, Gradio, and Ray all added actively exploited or PoC-available CVEs in the same collection window as JADEPUFFER’s disclosure. The common thread is an ecosystem that moved fast on capability and deferred the question of what happens when attackers find these systems on the internet.
Where This Goes
JADEPUFFER’s kill chain documentation will circulate widely. The Sysdig report is detailed enough to function as a methodology reference. Other actors will replicate the approach against the same platform and against functionally similar ones: Open WebUI, vLLM management endpoints, n8n, and any AI orchestration layer that shares Langflow’s architectural pattern of internet-accessible workflow execution with insufficient authentication enforcement.
Sysdig identified JADEPUFFER as an “agentic threat actor,” a category the firm expects will expand. The economic logic is straightforward. A complete ransomware operation that previously required a human operator with operational security discipline and sustained attention across a multi-day campaign can now be delivered at the cost of running an LLM with internet access against a vulnerable endpoint. That cost asymmetry favors the attacker at scale.
For defenders, the immediate response is mechanical: patch Langflow against CVE-2025-3248 and the five CVEs filed this week, restrict internet access to AI workflow platforms, audit Nacos and connected configuration stores for unauthorized changes. The harder work is adjusting the classification. Every AI workflow platform with a network-accessible endpoint is a production web application. The security controls, patch cadence, and monitoring coverage should reflect that, starting now, not after the next JADEPUFFER variant is documented.
The self-narrating payload structure JADEPUFFER left behind is a forensic gift. Analysts examining future agentic attack artifacts should look for the same reasoning annotations: they are readable decision logs that reveal how the AI agent prioritized targets, selected techniques, and adapted to what it found. That readability is an unusual property in attack tooling. The industry should build the forensic capability to exploit it before the next generation of agentic campaigns learns to suppress it.
Security Unlocked publishes weekly threat intelligence and strategic analysis. This post is based on intelligence collected June 30 - July 6, 2026.
Security