We just witnessed the first agentic ransomware attack on record, and the details from Sysdig’s Threat Research team are stranger than (science) fiction.

An AI agent broke into a company, locked up its data, and demanded a ransom for the key. Then it realized it had thrown away the key.

Here is how the operation, which has been dubbed JADEPUFFER, went down, and why the story has been keeping me up at night.

The way in was a year-old bug

The robbers got into the house through the front door, which was not locked or even closed. There wasn’t a zero-day or brute force or even a mad genius sitting down to figure out how to break in. All it took was a Langflow instance running a remote code execution vulnerability, CVE-2025-3248, public and patchable since March 31, 2025, more than a year before JADEPUFFER showed up. Langflow shipped a validate endpoint that ran unauthenticated code straight through Python’s exec(), and Trend Micro had already caught the Flodrix botnet mass-exploiting it months earlier. The door was wide open. JADEPUFFER just pointed an agent at it.

It went hunting for credentials

Once inside, the agent swept the environment for anything and everything with value: API keys, cloud credentials, crypto wallets, and database logins. It dumped the entire Langflow database, found a storage bucket, and pulled more secrets out. None of this is novel; a competent human operator could do the same things. What is novel is that nobody was typing the commands. The agent chained reconnaissance, credential harvesting, and lateral movement into one continuous run and kept going on its own.

31 seconds is all you need

At one point, one of the agent’s login attempts failed. The malicious agent did not take that as a suggestion to give up. The agent deleted the broken account, created a new backdoor administrator account, and was back to hacking in 31 seconds flat.

Call it reasoning, adaptation, or a very effective workflow. The label matters less than the behavior. The software hit a failure, diagnosed it, rewrote its own approach, and was back in business half a minute later. This is the new normal.

Hold onto your keyboards because this is where the story goes from wild to wildest thing I’ve read about AI this year.

It lost its own encryption key

Then the agent reached production. It encrypted 1,342 critical configuration records, deleted the originals, and left a Bitcoin ransom note. A modern-day extortion operation straight out of a Nolan flick.

Here is where it got wacky. The agent generated the encryption key, printed it in the terminal and never saved or transmitted it. The victim cannot recover the encrypted data even if they pay, because no key exists to hand over.

That is not a typo.

The same system was capable enough to breach a company, harvest its secrets, and stand up an administrator backdoor, and careless enough to lose the one artifact that made the extortion work. It nailed the hard steps and fumbled a trivial one. That gap describes where agents are today. Their reasoning is good enough to tear through a production system with no hand on the wheel. Their execution of actions is loose enough to drop a step a first-week scammer would get right.

A human was still holding the leash

It is tempting to make this a story about an AI deciding on its own to become a criminal. Keep in mind a human ran this operation the entire time. A person chose the victim, set up the command-and-control infrastructure, provided the access to the final target, and pointed the agent at the job. JADEPUFFER did not wake up and choose violence. Someone aimed a capable tool and pulled the trigger. Keeping that straight matters, because the scary version of this story leads to the wrong conclusions.

Autonomous execution is the real story

What should change is how you think about the effect autonomous execution has on the speed and cost of an attack. JADEPUFFER had stolen credentials, access to real systems, and an execution loop that kept trying when something failed. That combination no longer demands deep expertise from the operator or a massive bot farm. The skill floor for chaining reconnaissance, credential theft, lateral movement, and destruction just collapsed to the cost of running an LLM. You do not need to know how to do any of it by hand. You just need to know how to point at an open door.

Once an agent can act inside real systems, three things decide what happens next: enforcement, execution, and governance. JADEPUFFER could execute. Nothing enforced limits on its actions or governed what it was allowed to touch, so the environment could not contain it.

What actually contains an agent

The models keep getting more capable and the tooling to aim them gets easier every month. Betting your security posture on agents staying too dumb to be dangerous is not a realistic plan.

A robust solution sits between an agent’s reasoning and the systems it can reach, in a runtime that every agent action passes through. Authorization runs at the intersection of user identity and agent scope, evaluated per action against the identity provider you already run, with credentials kept isolated from the model instead of sitting in a database waiting to be swept. The security policies your enterprise already enforces through its DLP, SIEM, and compliance tooling plug in through runtime hooks and apply to agent actions too. Every action is logged, so a credential sweep or a prompt injection like the ones JADEPUFFER relied on becomes a logging event instead of a breach.

This is what we build at Arcade.dev, the actions runtime for enterprise AI agents, and it is why we will tell anyone who listens that agentic security belongs at the architecture layer rather than in a prompt or a policy PDF. The model plans. The runtime decides whether each action is allowed and carries it out under your controls.

The first agentic ransomware attack was clumsy enough to lose its own ransom key. The next one will not be. Every team running agents on production systems should be asking one question: does anything stand between what their agents can reason and what they can actually do?

Source: Sysdig Threat Research, JADEPUFFER, 2026.