devdot
← All postsSecurity ·

An AI Agent Ran a Full Ransomware Attack Solo. It Still Got In Through a Known CVE and a Leaked Key.

An AI agent drove nearly an entire ransomware attack by itself, even self-correcting a failed login in 31 seconds. But it got in through a known CVE and a leaked credential, and that is the real lesson for anyone who builds.

Sysdig caught something last week that changes the shape of the threat, though maybe not the way the headlines suggest. A ransomware campaign they are calling JADEPUFFER ran almost entirely on an AI agent. A human picked the target, stood up the infrastructure, and handed over some credentials. After that, the agent drove the whole thing. Roughly 600 payloads. It found its way in, moved laterally, encrypted 1,342 config items, and wrote its own ransom note.

The detail everyone is fixated on is the autonomy. And it is unsettling.

The part that should actually worry you

At one point the agent tried to log in with an account it had just created. The login failed. Instead of stalling, it diagnosed the problem itself, a subprocess PATH issue, switched to importing the bcrypt library directly to regenerate the password hash, and got in. That whole loop took 31 seconds. No human touched it.

That is not a script running down a checklist. That is an attacker that debugs.

The payloads even carried plain-language comments where the agent explained its reasoning at each step. Chain-of-thought output, shipped straight into production malware because nobody scrubbed it first.

But look at how it got in

Here is the part that matters for anyone building software. The agent did not invent a novel exploit. It walked in through CVE-2025-3248, a known remote-code-execution flaw in Langflow, and harvested credentials. Then it used a 2021 authentication bypass to reach a production MySQL server.

A patched Langflow. Rotated credentials. A MySQL box not running a four-year-old auth bypass. Any one of those would have stopped it, or at least slowed it enough to matter.

AI did not create a new class of vulnerability here. It industrialized the old ones. The things your security review flagged and your team quietly deprioritized because "nobody is going to bother chaining all that together" — an agent will bother. It will bother 600 times, at 3am, for free.

What this changes for teams that build

The economics of exploitation just shifted. The manual effort that used to make a mid-value target not worth an attacker''s time is close to zero now. If a person had to sit at a keyboard for every step, they would go after bigger fish. An agent has no such constraint.

So the calculus for defenders changes too. A few things worth doing this quarter:

  • Automate the boring hygiene. Patch cadence, credential rotation, secret scanning in CI. If a human has to remember to do it, it will not happen consistently. Make it a pipeline step.
  • Treat known CVEs as live, not theoretical. The gap between "disclosed" and "exploited at scale" is collapsing. Dependency scanning that just files a ticket is not enough anymore.
  • Assume the attacker self-corrects. Detection that relies on a predictable, linear attack pattern will miss an agent that adapts on the fly. Behavioral monitoring beats signature matching here.
  • Scope your privileges down for real. That harvested credential got the agent through the door. If one leaked key can reach your whole network, that is the actual bug.

One more thing worth sitting with. The ransom note''s decryption key was never saved. Paying would not have recovered anything. The agent extorted a target it had already made unrecoverable, either by design or by mistake. When the attacker is a machine optimizing for a goal, rational negotiation is not a given.

The quieter lesson

None of this is a reason to panic about superintelligent hackers. A person still set it up, chose the target, and provisioned the credentials that got the agent through the door. The lesson is smaller and more useful. The fundamentals you already know matter more now, because the cost of exploiting your gaps just dropped to nothing. Fix the boring stuff before it is cheap for someone''s agent to find it.

We are here to help founders and teams design and build digital products that are built to scale with you, not slow you down. If you are looking to build something, get in contact with us today!

NEXT POST →Cloudflare Now Sorts AI Crawlers Into Three Buckets. You Have to Pick a Policy for Each.