AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack

By primereports | July 2, 2026

Security firm Sysdig says it has found what it believes is the first ransomware attack run from start to finish by an AI agent.

Its Threat Research Team calls the operator JADEPUFFER and says a large language model handled the whole job: breaking in, stealing credentials, moving deeper into the network, then encrypting and wiping a company’s production database.

Ransomware has always needed a skilled person somewhere in the loop, either at the keyboard or writing the script the malware follows. If a model can chain those steps on its own, the skill needed to run an attack drops to whatever it costs to rent an AI agent.

The way in was an old, already-patched bug. JADEPUFFER exploited CVE-2025-3248, a missing-authentication flaw in Langflow, an open-source tool for building AI apps and agent workflows. The flaw lets anyone who can reach the server run their own Python code on it, no login needed.

Langflow boxes are a tempting target because they often sit exposed on the internet and hold API keys and cloud credentials for the services they connect to.

The flaw was fixed in Langflow 1.3.0 and added to CISA’s Known Exploited Vulnerabilities list in May 2025, but plenty of servers were never updated. It is not even the only Langflow bug being hit this way.

Once inside, the agent worked fast and cleaned up after itself. It mapped the machine, then swept it for secrets: API keys for AI services (OpenAI, Anthropic, DeepSeek, Gemini), cloud credentials (Chinese providers like Alibaba and Tencent alongside AWS, Google, and Azure), crypto wallet keys, and database logins.

It raided a MinIO storage server using its factory-default login (minioadmin:minioadmin), which had never been changed. It also set up a way back in, adding a scheduled task that pinged the attacker’s server every 30 minutes.

Then it pivoted to its real target: a separate, internet-facing server running a MySQL database and Alibaba’s Nacos, a settings and service directory common in microservice setups. The agent logged into the database as root.

Sysdig says it never saw where those root credentials came from, so their origin is unknown. From there, it took over Nacos using a 2021 authentication bypass (CVE-2021-29441) and a default signing key that Nacos has shipped unchanged since 2020, then planted its own admin account.

The Ransom Note With No Key

The agent encrypted all 1,342 Nacos settings, dropped the original tables, and left a ransom note demanding Bitcoin with a Proton Mail contact. It generated a random encryption key, printed it to the screen once, and never saved or sent it anywhere.

There is no key to hand over. The victim cannot get the data back even if they pay. (The note claims AES-256; Sysdig notes the tool it used defaults to weaker AES-128, though the result is the same.)

It then went further, deleting whole databases and leaving a comment in its own code claiming it had already copied the data somewhere else.

Sysdig says that is the agent talking, not something the team could confirm, and it found no evidence that any data actually left the victim's environment.

How Experts Know an AI Was Driving

The clearest sign was the code itself. The attack payloads were full of plain-English notes explaining why each step was being taken, the running commentary a human hacker never bothers to write, but a model produces by default. The agent also fixed its own mistakes at machine speed.

In one case, it went from a failed login to a correct, multi-step fix in 31 seconds, diagnosing the exact cause instead of blindly retrying. Sysdig counted more than 600 separate, purposeful payloads across the operation.

One detail is still a puzzle. The Bitcoin address in the ransom note is the exact sample address that appears throughout Bitcoin’s own developer documentation, which means it shows up all over the text these models are trained on. It is also a real, active wallet with a long history of payments.

Sysdig cannot tell whether the model simply pasted a familiar-looking address from memory, or whether the operator deliberately used a real wallet that happens to match the famous example.

Part of a Bigger Shift

JADEPUFFER is the latest step in a fast-moving year for AI-driven attacks. In August 2025, researchers at ESET flagged PromptLock, billed as the first AI-powered ransomware; it later turned out to be a lab prototype from NYU called Ransomware 3.0, not a real attack.

Around the same time, Anthropic reported a real extortion campaign that used its Claude Code tool to hit at least 17 organizations, with demands topping $500,000, though a human still steered that one.

In November 2025, Anthropic disclosed what it called the first largely autonomous cyberattack, a Chinese state-linked spying effort that had Claude write exploits and steal data with little human help. That operation also had the AI inventing credentials that did not exist, possibly the same kind of hallucination behind JADEPUFFER’s odd Bitcoin address.

The pieces of a serious attack are getting automated, and old, unpatched software is the easy first target. Agents make spraying the entire back catalogue of known bugs nearly free, so neglected servers get more exposed, not less.

What Defenders Should Do

The fixes are familiar. Patch Langflow and never expose its code-running endpoints to the internet. Do not run AI tools with cloud keys and provider credentials sitting in their environment; keep secrets in a proper manager, away from anything the web can reach.

Harden Nacos: change the default signing key, keep it off the public internet, and never let it connect to its database as root. Never expose a database’s admin account to the internet, and lock down outbound traffic so a hacked server cannot phone home.

Because attackers can now weaponize a fresh advisory in hours, Sysdig argues that watching for bad behavior at runtime matters more than racing to patch.

Sysdig’s published indicators for this operation include:

  • Entry point: CVE-2025-3248 (Langflow unauthenticated remote code execution)
  • Command-and-control: 45.131.66[.]106, with a beacon to hxxp://45.131.66[.]106:4444/beacon every 30 minutes
  • Claimed staging server: 64.20.53[.]230
  • Ransom Bitcoin address: 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy; contact e78393397[@]proton[.]me; ransom table named README_RANSOM
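
One way to put the network indicators and the 30-minute beacon interval to work in the runtime monitoring Sysdig recommends. This is an added example, not code from Sysdig or the article: it refangs the published addresses and scans an egress log both for those hosts and for any destination contacted on a fixed half-hour cadence, which goes beyond the listed IoCs. The log format, host names, and the `tolerance_s` and `min_events` thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Defanged network indicators as listed in the article.
PUBLISHED = ["45.131.66[.]106", "hxxp://45.131.66[.]106:4444/beacon", "64.20.53[.]230"]

def refang(ioc):
    """Undo defanging so the indicator can be compared with log fields."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

def ioc_hosts(iocs=PUBLISHED):
    """Host part of each indicator, with scheme, port and path stripped."""
    return {re.sub(r"^\w+://", "", refang(i)).split("/")[0].split(":")[0] for i in iocs}

# Constructed egress log; assumed format: ISO time, source host, dest ip:port.
SAMPLE_LOG = """\
2026-06-30T00:00:02 langflow-01 45.131.66.106:4444
2026-06-30T00:07:41 app-02 203.0.113.10:443
2026-06-30T00:30:03 langflow-01 45.131.66.106:4444
2026-06-30T00:52:10 app-02 203.0.113.10:443
2026-06-30T01:00:01 langflow-01 45.131.66.106:4444
2026-06-30T01:03:55 app-02 203.0.113.10:443
2026-06-30T01:30:04 langflow-01 45.131.66.106:4444
2026-06-30T02:41:20 app-02 203.0.113.10:443
"""

def find_beacons(log, period_s=1800, tolerance_s=60, min_events=4):
    """Flag (source, dest) pairs that hit a published IoC or call out on a fixed period."""
    seen = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the scan
        seen[(parts[1], parts[2].rsplit(":", 1)[0])].append(datetime.fromisoformat(parts[0]))
    bad, findings = ioc_hosts(), []
    for (src, dst), times in sorted(seen.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = (len(times) >= max(min_events, 2)
                    and abs(mean(gaps) - period_s) <= tolerance_s
                    and pstdev(gaps) <= tolerance_s)
        if dst in bad or periodic:
            findings.append({"src": src, "dst": dst, "ioc": dst in bad, "periodic": periodic})
    return findings

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

The cadence check still fires if the operator moves to a new address, which a static IoC match would miss.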

Sysdig calls JADEPUFFER a warning sign rather than a crisis. None of the individual moves was clever or new. What is new is that a model stitched them into a complete attack against a neglected server, on its own.

Expect more of the same as agent tools mature, and treat any exposed server, config store, or database admin login as something a machine will probe, not just a person.
