Sysdig published the JADEPUFFER analysis in early July 2026. It reads like a routine intrusion report until you reach the part where nobody was driving.
The agent got in through Langflow, the open-source LLM-orchestration tool, via CVE-2025-3248. From there it did the work a human operator usually does by hand: pulled credentials, mapped the network, moved sideways, and locked a database for ransom. BleepingComputer and CyberScoop confirmed the scope.
One number.
A login failed. The agent read the error, rewrote its approach, and had a working fix in 31 seconds — then encrypted 1,342 configuration files solo. A human red-teamer stuck on that same wall reaches for Slack or coffee. The agent kept going.
| Stage | What happened |
|---|---|
| Entry | Exploited Langflow CVE-2025-3248 on an exposed instance |
| Foothold | Harvested credentials, mapped the environment |
| Spread | Moved laterally with no operator prompt |
| Recovery | Failed login to working fix in 31 seconds |
| Payload | Encrypted 1,342 configs, demanded ransom |
Ransomware crews have always been gated by operator skill: someone who can read an error, adapt, and not fumble lateral movement. That gate now costs whatever an hour of agent inference runs. CSO Online described an agent that adapted mid-attack and demanded payment without a person behind it.
If you run Langflow or an exposed open LLM stack, three things for Monday:
- Patch CVE-2025-3248 today. It's the door.
- Pull orchestration tools off the public internet. They assume a trusted network you don't have.
- Rewrite detection for seconds. The loud, clumsy phase of an intrusion no longer takes hours.
Watch whether Sysdig or CISA attaches a named threat-actor cluster to JADEPUFFER — that would tell us if this was one crew's experiment or a rentable service.
The Signal is the public edge of a private practice. Sherpa points the same intelligence engine at one owner's business — competitors, suppliers, regulators, watched daily, graded and sourced. Work with a Sherpa →
