    AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack

    By admin, July 2, 2026

    Security firm Sysdig says it has found what it believes is the first ransomware attack run from start to finish by an AI agent.

    Its Threat Research Team calls the operator JADEPUFFER and says a large language model handled the whole job: breaking in, stealing credentials, moving deeper into the network, then encrypting and wiping a company’s production database.

    Ransomware has always needed a skilled person somewhere in the loop, either at the keyboard or writing the script the malware follows. If a model can chain those steps on its own, the skill needed to run an attack drops to whatever it costs to rent an AI agent.

    The way in was an old, already-patched bug. JADEPUFFER exploited CVE-2025-3248, a missing-authentication flaw in Langflow, an open-source tool for building AI apps and agent workflows. The flaw lets anyone who can reach the server run their own Python code on it, no login needed.

    Langflow boxes are a tempting target because they often sit exposed on the internet and hold API keys and cloud credentials for the services they connect to.

    The flaw was fixed in Langflow 1.3.0 and added to CISA’s Known Exploited Vulnerabilities list in May 2025, but plenty of servers were never updated. It is not even the only Langflow bug being hit this way.

    Once inside, the agent worked fast and cleaned up after itself. It mapped the machine, then swept it for secrets: API keys for AI services (OpenAI, Anthropic, DeepSeek, Gemini), cloud credentials (Chinese providers like Alibaba and Tencent alongside AWS, Google, and Azure), crypto wallet keys, and database logins.

    It raided a MinIO storage server using its factory-default login (minioadmin:minioadmin), which had never been changed. It also set up a way back in, adding a scheduled task that pinged the attacker’s server every 30 minutes.

    Then it pivoted to its real target: a separate, internet-facing server running a MySQL database and Alibaba’s Nacos, a settings and service directory common in microservice setups. The agent logged into the database as root.

    Sysdig says it never saw where those root credentials came from, so their origin is unknown. From there, it took over Nacos using a 2021 authentication bypass (CVE-2021-29441) and a default signing key that Nacos has shipped unchanged since 2020, then planted its own admin account.

    The Ransom Note With No Key

    The agent encrypted all 1,342 Nacos settings, dropped the original tables, and left a ransom note demanding Bitcoin with a Proton Mail contact. It generated a random encryption key, printed it to the screen once, and never saved or sent it anywhere.

    There is no key to hand over. The victim cannot get the data back even if they pay. (The note claims AES-256; Sysdig notes the tool it used defaults to weaker AES-128, though the result is the same.)

    It then went further, deleting whole databases and leaving a comment in its own code claiming it had already copied the data somewhere else.

    Sysdig says that is the agent talking, not something the team could confirm, and found no evidence that any data actually left the environment.

    How Experts Know an AI Was Driving

    The clearest sign was the code itself. The attack payloads were full of plain-English notes explaining why each step was being taken, the running commentary a human hacker never bothers to write, but a model produces by default. The agent also fixed its own mistakes at machine speed.

    In one case, it went from a failed login to a correct, multi-step fix in 31 seconds, diagnosing the exact cause instead of blindly retrying. Sysdig counted more than 600 separate, purposeful payloads across the operation.

    One detail is still a puzzle. The Bitcoin address in the ransom note is the exact sample address that appears throughout Bitcoin’s own developer documentation, which means it shows up all over the text these models are trained on. It is also a real, active wallet with a long history of payments.

    Sysdig cannot tell whether the model simply pasted a familiar-looking address from memory, or whether the operator deliberately used a real wallet that happens to match the famous example.

    Part of a Bigger Shift

    JADEPUFFER is the latest step in a fast-moving year for AI-driven attacks. In August 2025, researchers at ESET flagged PromptLock, billed as the first AI-powered ransomware; it later turned out to be a lab prototype from NYU called Ransomware 3.0, not a real attack.

    Around the same time, Anthropic reported a real extortion campaign that used its Claude Code tool to hit at least 17 organizations, with demands topping $500,000, though a human still steered that one.

    In November 2025, Anthropic disclosed what it called the first largely autonomous cyberattack, a Chinese state-linked spying effort that had Claude write exploits and steal data with little human help. That operation also had the AI inventing credentials that did not exist, possibly the same kind of hallucination behind JADEPUFFER’s odd Bitcoin address.

    The pieces of a serious attack are getting automated, and old, unpatched software is the easy first target. Agents make spraying the entire back catalogue of known bugs nearly free, so neglected servers get more exposed, not less.

    What Defenders Should Do

    The fixes are familiar. Patch Langflow and never expose its code-running endpoints to the internet. Do not run AI tools with cloud keys and provider credentials sitting in their environment; keep secrets in a proper manager, away from anything the web can reach.

    Harden Nacos: change the default signing key, keep it off the public internet, and never let it connect to its database as root. Never expose a database’s admin account to the internet, and lock down outbound traffic so a hacked server cannot phone home.
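
    The checklist above as a configuration audit. This is an added example, not Sysdig's or any vendor's tooling: the sample deployments are constructed, the shipped-key value is a placeholder to fill in, and the MinIO variable and Nacos property names are assumptions to verify against your release.

```python
import re

SECRET_ENV = re.compile(r"API_KEY|SECRET|TOKEN|PASSWORD|ACCESS_KEY", re.I)
# Assumption: replace with the signing key value(s) your Nacos release shipped with.
SHIPPED_NACOS_KEYS = {"<shipped-default-signing-key>"}
NACOS_KEY_PROPS = ("nacos.core.auth.plugin.nacos.token.secret.key",
                   "nacos.core.auth.default.token.secret.key")

def version_tuple(v):
    """'1.3' -> (1, 3, 0)"""
    parts = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_properties(text):
    """Minimal key=value reader for a Nacos application.properties file."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(langflow_version, langflow_env, minio_env, nacos_properties):
    """Return findings for the weaknesses the article lists."""
    findings = []
    if version_tuple(langflow_version) < (1, 3, 0):
        findings.append("langflow: below 1.3.0, exposed to CVE-2025-3248")
    leaked = sorted(k for k in langflow_env if SECRET_ENV.search(k))
    if leaked:
        findings.append("langflow: secrets in process environment: " + ", ".join(leaked))
    login = (minio_env.get("MINIO_ROOT_USER", "minioadmin"),
             minio_env.get("MINIO_ROOT_PASSWORD", "minioadmin"))
    if login == ("minioadmin", "minioadmin"):  # unset variables fall back to the default
        findings.append("minio: factory-default root login")
    props = parse_properties(nacos_properties)
    keys = [props[p] for p in NACOS_KEY_PROPS if p in props]
    if not keys or any(k in SHIPPED_NACOS_KEYS for k in keys):
        findings.append("nacos: signing key missing or a shipped default")
    if props.get("db.user.0", props.get("db.user")) == "root":
        findings.append("nacos: connects to its database as root")
    return findings

# Constructed sample deployments (not taken from the incident).
WEAK = dict(langflow_version="1.2.0",
            langflow_env={"OPENAI_API_KEY": "constructed", "PATH": "/usr/bin"},
            minio_env={},
            nacos_properties="db.user.0=root\n" + NACOS_KEY_PROPS[0] + "=<shipped-default-signing-key>")
HARDENED = dict(langflow_version="1.3.0",
                langflow_env={"PATH": "/usr/bin"},
                minio_env={"MINIO_ROOT_USER": "svc-minio", "MINIO_ROOT_PASSWORD": "constructed-random"},
                nacos_properties="db.user.0=nacos_app\n" + NACOS_KEY_PROPS[0] + "=constructed-unique-key")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(**cfg))
```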

    Because attackers can now weaponize a fresh advisory in hours, Sysdig argues that watching for bad behavior at runtime matters more than racing to patch.

    Sysdig’s published indicators for this operation include:

    • Entry point: CVE-2025-3248 (Langflow unauthenticated remote code execution)
    • Command-and-control: 45.131.66[.]106, with a beacon to hxxp://45.131.66[.]106:4444/beacon every 30 minutes
    • Claimed staging server: 64.20.53[.]230
    • Ransom Bitcoin address: 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy; contact e78393397[@]proton[.]me; ransom table named README_RANSOM
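
    A sweep for these indicators plus the 30-minute beacon pattern, as an added example rather than Sysdig's detection logic. The egress log format, the host 10.0.0.5 and the sample lines are constructed, and the jitter threshold is an assumed starting point.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

DEFANGED_IOCS = ["45.131.66[.]106", "64.20.53[.]230"]  # as published, kept defanged

def refang(s):
    return s.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")

IOC_IPS = {refang(i) for i in DEFANGED_IOCS}
# Assumed egress log format: "<ISO time> <src> -> <dst_ip>:<port>"
LINE = re.compile(r"^(\S+) (\S+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

def parse(lines):
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])

def ioc_hits(lines):
    """Source hosts that contacted a published indicator address."""
    return sorted({(src, dst) for _, src, dst, _ in parse(lines) if dst in IOC_IPS})

def find_beacons(lines, min_events=4, max_jitter=0.1):
    """Flows with near-constant gaps -> {(src, dst, port): period in seconds}."""
    flows = defaultdict(list)
    for ts, src, dst, port in parse(lines):
        flows[(src, dst, port)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < max(min_events, 3):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Coefficient of variation: low means the callbacks are timer-driven.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            beacons[key] = round(mean(gaps))
    return beacons

def sample_log():
    """Constructed log: a 30-minute beacon from 10.0.0.5 plus irregular HTTPS traffic."""
    t0, c2 = datetime(2026, 1, 1), refang(DEFANGED_IOCS[0])
    beacon = [t0 + timedelta(seconds=s) for s in (2, 1801, 3603, 5402)]
    web = [t0 + timedelta(seconds=s) for s in (250, 300, 4200, 4350)]
    return ([f"{t.isoformat()} 10.0.0.5 -> {c2}:4444" for t in beacon] +
            [f"{t.isoformat()} 10.0.0.5 -> 203.0.113.10:443" for t in web])
```

    The interval check does not depend on the address list, so it still fires if the operator moves to a new server.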

    Sysdig calls JADEPUFFER a warning sign rather than a crisis. None of the individual moves was clever or new. What is new is that a model stitched them into a complete attack against a neglected server, on its own.

    Expect more of the same as agent tools mature, and treat any exposed server, config store, or database admin login as something a machine will probe, not just a person.
