Artificial Intelligence as a Solo Attacker: An AI Agent Took Control of and Destroyed a Company's Database

7.7.2026 | Autor: Top privacy
5

Sysdig has documented JADEPUFFER—the first ransomware attack carried out by a fully autonomous AI agent that infiltrated the system on its own, stole data, and destroyed the database.

Artificial Intelligence as a Solo Attacker: An AI Agent Took Control of and Destroyed a Company's Database

Researchers from the Sysdig Threat Research Team (TRT) have documented an operation called JADEPUFFER — which, according to their assessment, is the first recorded instance of a complete ransomware campaign managed from start to finish by an autonomous AI agent (LLM) without human intervention at any stage of the attack.

The attacker is classified as a so-called agentic threat actor (ATA)—an entity whose attack capabilities are not provided by a human operator using tools, but by the AI agent itself. The operation unfolded in two phases across two distinct targets: a compromised AI server, which served as the entry point, and a separate production database server, which was the actual target of the attack.

How the Attack Worked

  • Phase 1 — Gaining Access: The attacker gained access through vulnerability CVE-2025-3248 in Langflow—a popular open-source framework for building LLM applications and agent workflows. This vulnerability involves a lack of authentication at the endpoint for code validation, which allows an unauthenticated attacker to execute arbitrary Python code on the host server.

  • Phase 2 — Reconnaissance and Credential Harvesting: Immediately after gaining access, the AI agent mapped the host system and simultaneously scanned the environment for sensitive data — API keys to LLM providers, cloud credentials (including an explicit focus on Chinese providers such as Alibaba, Tencent, and Huawei, in addition to AWS, GCP, and Azure), cryptocurrency wallets, and database credentials. It then exfiltrated its own Langflow database.

  • Phase 3 — Lateral Movement and Persistence: The agent scanned the internal network and found a MinIO object storage instance with default credentials (minioadmin:minioadmin). It systematically went through all buckets, including the one containing the infrastructure state (Terraform state), and downloaded files containing login credentials. It then established persistent access on the compromised server via a scheduled task (crontab) that reported to the attacker’s server every 30 minutes.

  • Phase 4 — Penetration of the Actual Target: From the captured data, the agent identified a standalone, internet-facing server running a MySQL database and the Nacos configuration service. At the same time, the agent launched a multi-pronged attack—exploiting an older authentication vulnerability (CVE-2021-29441) and forging an access token using a publicly known default Nacos signing key. With the newly gained access to the database, the agent added a backup administrator account to the system. When the first login attempt failed, the agent independently diagnosed the cause within 31 seconds, corrected the error in password generation, and successfully logged in. It then tested options for escaping the container, such as accessing docker.sock.

  • Phase 5 — Ransomware and Data Destruction: The agent encrypted 1,342 configuration entries using the built-in database function AES_ENCRYPT(), deleted the original tables, and created a ransom note demanding payment in Bitcoin. It then proceeded to carry out widespread destruction—gradually deleting several entire database schemas, while noting in the code itself which databases offered the highest “return on investment” for deletion.

Key finding: The encryption key was generated as essentially a random value, displayed only on the screen, and neither stored nor sent anywhere. The victim would therefore not have recovered the data even after paying the ransom.

Who Is Affected

This incident directly affects organizations that operate:

  • Langflow or similar AI orchestration servers exposed to the internet—especially if they contain API keys or cloud login credentials directly within their environment
  • Nacos or other configuration/service-discovery platforms with unmodified default settings
  • MinIO or other object storage systems with default login credentials
  • database servers with administrator access exposed to the internet

Sysdig emphasizes that none of the individual techniques was new or sophisticated on its own—these are vulnerabilities that are years old and result from neglected security. This is precisely why it is critical that the AI agent was able to independently piece these steps together into a complete operation without human oversight of the individual steps, thereby significantly reducing the expertise required to carry out a full-scale ransomware attack.

What to Do

If your organization operates a similar infrastructure, we recommend taking the following actions immediately:

  • Update Langflow to a version that patches CVE-2025-3248 and never expose endpoints capable of executing code to the internet
  • Do not run AI-orchestrated servers with API keys or cloud credentials directly within their environment—sensitive data belongs in a dedicated secrets manager Change the default credentials in all components, including MinIO and Nacos (default signing key: token.secret.key)
  • Never connect configuration services to the database under the root account, and do not grant them access with administrative privileges
  • Do not expose administrative access to the database server to the internet — enforce strong, unique passwords and restrict access to trusted IP addresses
  • Implement egress controls to prevent a compromised server from freely communicating with external targets
  • Monitor the environment using runtime detection focused on unusual database processes and scheduled tasks with outbound network communication

OUR SERVICES
Source: Sysdig Threat Research Team | Gamesite.sk


Top privacy

Top privacy

"Kvalitný obsah netvoria copywriteri, ale odborníci."