Agentic AI used in ransomware attack via Langflow

Sysdig reports JadePuffer exploited CVE-2025-3248 in Langflow to run Python, then used an agentic LLM to harvest credentials, pivot to a MySQL/Nacos server and deploy ransomware.

Cloud security firm Sysdig reports that a threat actor tracked as JadePuffer exploited a critical vulnerability in Langflow to run arbitrary Python on an internet-exposed instance, then used an agentic large language model to harvest secrets and deploy ransomware on a connected production server.

Langflow is an open-source, Python-based framework for building LLM-driven applications and agent workflows. The flaw, assigned CVE-2025-3248 with a CVSS score of 9.8, is a missing authentication issue disclosed in April. CISA flagged the vulnerability as being exploited in early May. Successful exploitation allows an attacker to execute arbitrary Python code on the host running Langflow.

After gaining code execution, the actor ran an LLM on the compromised instance and instructed it to search for API keys, cloud credentials, cryptocurrency wallets, configuration files and database credentials. The attacker dumped Langflow’s Postgres database to extract secrets, scanned reachable internal addresses and service names, probed MinIO endpoints for additional credentials and deployed a cron job to maintain persistent access to the Langflow host. Sysdig observed the model adapting its actions in real time to parse different file types and log into discovered endpoints.

Using credentials obtained from the initial host, the actor pivoted to a production server running MySQL and Alibaba’s Nacos configuration platform. Nacos is used in some microservice architectures and has previously been affected by authentication bypass issues and a well-known default JWT signing key that enables token forgery. According to Sysdig, the attacker connected to the production server with a payload containing root database credentials and used several vectors against Nacos: exploiting auth-bypass issues (including CVE-2021-29441), forging a JWT with the default signing key, and injecting a backdoor administrator account directly into the Nacos backing database.

The LLM-driven payloads adjusted to pass login checks, looked for MySQL user-defined functions (UDFs), which can enable OS command execution, and marked tasks complete before encryption began. The attacker encrypted 1,342 Nacos service configuration items and created an extortion table in the database containing a ransom demand, a payment address and a contact email. Sysdig reports the encryption key was randomly generated during the operation but was not persisted or transmitted, preventing recovery of the encrypted data.

Captured payloads included natural-language commentary for each action, which Sysdig identifies as indicative of LLM-generated code. The firm says the model corrected its own actions when they failed, provided diagnostics and parsed free-text context from targets to take actions that required understanding rather than simple pattern matching. “During the operation, the LLM parsed free-text context presented by the target and took an action that only makes sense if that text was read and understood, rather than pattern-matched by a scanner,” Sysdig notes.

Sysdig warns that combining agentic LLM tooling with known vulnerabilities and exposed infrastructure can lower the technical barrier for complex malicious operations. The company advises organizations to harden exposed application servers, configuration stores and internet-facing database admin accounts as primary defenses.
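The Nacos weaknesses described above (the User-Agent based auth bypass behind CVE-2021-29441, the well-known default JWT signing key, and the general advice to harden configuration stores) can be audited from a server's application.properties before an attacker finds them. The script below is an added example, not Sysdig's or the Nacos project's code. It assumes the Nacos 2.x auth property names (nacos.core.auth.enabled, nacos.core.auth.default.token.secret.key or nacos.core.auth.plugin.nacos.token.secret.key, nacos.core.auth.server.identity.key/value, nacos.core.auth.enable.userAgentAuthWhite); the known-default secret list is a placeholder to be filled from the vendor advisory for your version, and both configuration samples are constructed.

```python
"""Audit a Nacos application.properties for the auth weaknesses the article
describes. Added example; constructed configs, not from a real deployment."""
import base64
import secrets
from typing import Dict, List

# Placeholder: populate from the Nacos security advisory for your version.
# The real default secret is intentionally not reproduced here.
KNOWN_DEFAULT_SECRETS = {"<KNOWN-DEFAULT-NACOS-SECRET-PLACEHOLDER>"}

MIN_SECRET_BYTES = 32  # HS256 needs at least a 256-bit key after base64 decoding

# Nacos 2.x reads the token secret from one of these keys depending on version
# (assumption based on the Nacos documentation, not taken from the article).
SECRET_KEYS = (
    "nacos.core.auth.default.token.secret.key",
    "nacos.core.auth.plugin.nacos.token.secret.key",
)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value or key:value, # and ! comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = "=" if "=" in line else (":" if ":" in line else None)
        if sep is None:
            continue
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def decoded_secret_len(secret: str) -> int:
    """Length in bytes of the secret Nacos will actually sign with.

    Nacos base64-decodes the configured value; if it is not valid base64 we
    fall back to the raw byte length so the check still says something useful."""
    try:
        return len(base64.b64decode(secret, validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return len(secret.encode())


def audit_nacos_auth(props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means no weakness detected."""
    findings: List[str] = []

    if props.get("nacos.core.auth.enabled", "false").lower() != "true":
        findings.append("auth disabled: nacos.core.auth.enabled is not true")

    secret = next((props[k] for k in SECRET_KEYS if props.get(k)), "")
    if not secret:
        findings.append("no JWT signing secret configured")
    elif secret in KNOWN_DEFAULT_SECRETS:
        findings.append("JWT signing secret is a known default (token forgery risk)")
    elif decoded_secret_len(secret) < MIN_SECRET_BYTES:
        findings.append(
            f"JWT signing secret decodes to fewer than {MIN_SECRET_BYTES} bytes"
        )

    if not (props.get("nacos.core.auth.server.identity.key")
            and props.get("nacos.core.auth.server.identity.value")):
        findings.append("server identity key/value not set")

    if props.get("nacos.core.auth.enable.userAgentAuthWhite", "false").lower() == "true":
        findings.append(
            "userAgentAuthWhite enabled: requests with a Nacos-Server User-Agent "
            "bypass authentication (CVE-2021-29441 class of issue)"
        )
    return findings


# Constructed weak configuration: the shape the article's attacker would exploit.
WEAK_CONFIG = """
# constructed example
nacos.core.auth.enabled=false
nacos.core.auth.default.token.secret.key=<KNOWN-DEFAULT-NACOS-SECRET-PLACEHOLDER>
nacos.core.auth.enable.userAgentAuthWhite=true
"""

# Constructed hardened configuration with a freshly generated 32-byte secret.
_FRESH_SECRET = base64.b64encode(secrets.token_bytes(32)).decode()
HARDENED_CONFIG = f"""
nacos.core.auth.enabled=true
nacos.core.auth.default.token.secret.key={_FRESH_SECRET}
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value={secrets.token_hex(16)}
nacos.core.auth.enable.userAgentAuthWhite=false
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]", audit_nacos_auth(parse_properties(cfg)) or "no findings")
```

Run it against the real application.properties of each Nacos node; an empty result only means these specific settings are sane, so it complements rather than replaces the firm's advice to keep configuration stores off the internet.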
