
Threat Advisory • Attack Report • TA2026187
JADEPUFFER is an agentic ransomware operation run end-to-end by a large language model rather than a human operator. Entering through an unpatched Langflow instance via CVE-2025-3248, the LLM autonomously harvested credentials, pivoted to a production MySQL and Alibaba Nacos server, took over Nacos through CVE-2021-29441 and a default JWT signing key, encrypted 1,342 configurations with an ephemeral key, and destroyed entire database schemas — narrating its own reasoning and correcting its failures in under a minute.
Section 01
JADEPUFFER is an agentic ransomware operation — an entire extortion campaign run end-to-end by a large language model rather than a human operator or a fixed script. First seen in July 2026 and observed globally, the operation targets Linux and containerized environments, with confirmed impact against Langflow, Alibaba Nacos, MySQL, and MinIO deployments.
The LLM-driven agent entered through an unpatched Langflow instance via CVE-2025-3248, then autonomously harvested credentials, enumerated MinIO storage, and pivoted to a separate production server running MySQL and Alibaba Nacos. It took over Nacos through CVE-2021-29441 combined with a default JWT signing key, encrypted 1,342 Nacos configuration items with an ephemeral key that was never saved, and then destroyed entire database schemas. Throughout the intrusion, JADEPUFFER narrated its own reasoning in natural language, diagnosed and corrected its own failures within seconds, and issued over 600 distinct payloads. Because the encryption key is never retained, recovery is impossible even if the ransom is paid — making JADEPUFFER effectively a wiper posing as ransomware, driven entirely by a machine.
Section 02
JADEPUFFER is an agentic ransomware operation executed end-to-end by a large language model rather than a human operator or fixed script. The agent gained initial access to an internet-facing Langflow instance via CVE-2025-3248, then autonomously performed reconnaissance, credential harvesting, MinIO enumeration, lateral movement to a production MySQL and Alibaba Nacos server, Nacos takeover via CVE-2021-29441 and default JWT signing key forgery, encryption of 1,342 Nacos configuration items with an ephemeral key, and mass destruction of database schemas. Throughout the operation, the LLM narrated its reasoning, diagnosed and corrected its own failures within seconds, and issued over 600 distinct payloads.
After code execution on the Langflow host, the JADEPUFFER agent enumerated the host — user context, kernel, hostname, network interfaces, and running processes — and swept the environment in parallel for LLM provider API keys covering OpenAI, Anthropic, DeepSeek, and Gemini; cloud credentials for Chinese providers such as Alibaba, Aliyun, Tencent, and Huawei alongside AWS, GCP, and Azure; cryptocurrency wallets and seed phrases; and database credentials stored in configuration files.
The agent dumped Langflow's PostgreSQL backend to harvest stored credentials, API keys, and user records, staged the output locally, reviewed it, then deleted the staging files to reduce forensic footprint. Persistence was established via a crontab entry beaconing to attacker infrastructure every 30 minutes. The payloads throughout carried natural-language commentary explaining each action — a signature of LLM-generated code that human operators rarely embed in disposable one-liners.
The agent then scanned the reachable internal address space, probing databases, object stores, secret stores, and service discovery endpoints using default credentials. The harvested credentials enabled a pivot to its true objective: a separate internet-facing production server running MySQL and Alibaba Nacos. JADEPUFFER attacked Nacos through multiple simultaneous vectors — exploiting CVE-2021-29441, forging a valid JWT with the well-known default signing key that has shipped unchanged since 2020, and injecting a backdoor administrator account directly into the Nacos backing database via root MySQL access. The self-narrated exfiltration claim, destructive intent, and unrecoverable encryption together characterize JADEPUFFER as a wiper-with-extortion posture rather than conventional negotiable ransomware.
| CVE ID | Vulnerability Name | Affected Product | Patch Availability |
|---|---|---|---|
CVE-2025-3248 |
Langflow Missing Authentication Vulnerability | Langflow | Available (1.3.0) |
CVE-2021-29441 |
Nacos AuthFilter Authentication Bypass by Spoofing Vulnerability | Alibaba Nacos | Available |
Section 03
Patch Langflow to 1.3.0 or Later
Upgrade all Langflow deployments to release 1.3.0 or newer to close CVE-2025-3248, and remove internet exposure from any code-execution or validation endpoints that remain reachable from untrusted networks.
Harden Alibaba Nacos Configuration Servers
Upgrade Nacos to a version that forces a custom token signing key, replace the well-known default token.secret.key value on every existing deployment, restrict Nacos to internal networks only, and never allow Nacos to connect to its backing database with the root account.
Remove Provider Secrets from AI Orchestration Runtimes
Do not deploy AI orchestration servers, agent frameworks, or LLM workflow tools with LLM provider API keys, cloud credentials, or database secrets present in environment variables or .env files. Scope all secrets to a dedicated secret manager with least privilege and short-lived, rotatable tokens.
Section 04
| Type | Value |
|---|---|
| IPv4 | 45[.]131[.]66[.]10664[.]20[.]53[.]230 |
| IPv4:Port | 45[.]131[.]66[.]106[:]4444 |
| URL | hxxp[:]//45[.]131[.]66[.]106[:]4444/beacon |
e78393397[@]proton[.]me |
|
| Bitcoin Address | 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy |
| Filename | README_RANSOM |
| File Path | /tmp/creds.json/var/lib/mysql-files/_pwn_test.txt/var/lib/mysql-files/_pwn_cleanup.txt |
Section 05
T1059.006 — Python)T1053.003 — Cron)T1136.001 — Local Account)T1078.001 — Default Accounts)T1070.004 — File Deletion)T1552.001 — Credentials In Files)T1606.001 — Web Cookies)T1071.001 — Web Protocols)Section 06