Resources

Sysdig Confirms JADEPUFFER, the First Fully Autonomous LLM-Driven Ransomware Campaign: What UK Schools, Charities and SMBs Should Do in the Six Days Before the Cyber Security and Resilience Bill's Lords Second Reading on 14 July 2026

Sysdig published its JADEPUFFER threat report on Tuesday 7 July 2026 - the first documented case of a ransomware operation in which every hands-on-keyboard step, from reconnaissance through credential theft, lateral movement, privilege escalation and destructive database extortion, was executed by an autonomous large-language-model agent. The operator picked the target and set the goal. The AI did the rest, moving from a failed login to a working credential in thirty-one seconds at one point in the captured session. The initial foothold was an internet-facing Langflow instance unpatched against CVE-2025-3248, a missing-authentication bug fixed by the vendor in April 2025. The agent then pivoted to a production MySQL and Alibaba Nacos server via CVE-2021-29441. Both patches were public. Three jobs fit the six days before the Cyber Security and Resilience Bill's Lords second reading on Tuesday 14 July 2026: inventory every LLM app running against your data on Friday 10 July, audit the credential each one holds the same afternoon, and on Tuesday 14 July write down the one paragraph that says what each AI agent can and cannot do and who owns the exceptions.

Key takeaways

  • Sysdig's threat research team published a report on Tuesday 7 July 2026 describing JADEPUFFER - the first documented case, on the public record, of a ransomware operation in which every hands-on-keyboard step from initial access to encryption was executed by an autonomous large-language-model agent rather than a human. The operator picked the target, provided the tools and set the goal. The AI agent handled reconnaissance, credential theft, lateral movement, persistence, privilege escalation and destructive database extortion end-to-end, retrying failed steps in real time - in one captured sequence it went from a failed login to a working credential in thirty-one seconds.
  • The vector generalises further than the branding. JADEPUFFER's initial foothold was an internet-facing Langflow instance - Langflow is a popular open-source framework for building LLM applications - through CVE-2025-3248, a missing-authentication vulnerability disclosed in April 2025, fixed by the vendor the same month and added to CISA's Known Exploited Vulnerabilities catalogue in May 2025. From the Langflow foothold the agent pivoted to a production MySQL and Alibaba Nacos server and exploited CVE-2021-29441, a Nacos authentication-bypass flaw from 2021. Both vulnerabilities were public. Both had been patched by the vendor. Neither would have been present in a routinely patched estate.
  • Translation for UK schools, charities and SMBs: almost none of you run Langflow or Nacos directly. But almost all of you have quietly stood up an LLM application layer over the last twelve months - the Copilot pilot the finance team started, the Claude sub-agent your fundraising lead uses to draft grant applications, the LangChain script an IT contractor wrote to summarise safeguarding logs, the Ollama instance a governor set up to run a local model, the Zapier workflow with an AI node that touches the school MIS, the n8n automation that categorises donations, the ChatGPT team plan that has an integration into SharePoint. Every one of these is an AI application. Every one of them holds a credential to something. If the credential is scoped too broadly, the JADEPUFFER pattern is what the next unpatched AI app on the public internet looks like from the inside.
  • The Cyber Security and Resilience (Network and Information Systems) Bill has its Lords second reading on Tuesday 14 July 2026 - six days from the Sysdig disclosure. The Bill widens the incident-reporting scope of the NIS Regulations to bring medium and large managed service providers explicitly into the frame. Your IT MSP, your school-MIS hosting partner, your finance-bureau outsourcer and your fundraising-platform provider are all in that frame. The Qantas confirmation last week put the supplier-side help-desk layer on the record. JADEPUFFER puts the supplier-side AI-application layer on the record one week later.
  • Three jobs fit the six days before the Lords sit on 14 July. Job one, Friday 10 July, roughly one hour: produce a one-page inventory of every LLM application running against your data - tool name, credential it holds, owner, last patched, URL. If any entry is reachable from the public internet, put it behind SSO or an IP allow-list before Friday afternoon. If any entry has not been patched in the last thirty days, patch it. Job two, the same afternoon, thirty minutes: four questions on every credential - what does it unlock, is that scope wider than needed, is it long-lived and static or short-lived and rotating, and can a long-lived credential be swapped for a workload identity today. Job three, Tuesday 14 July, thirty minutes over lunch while the Lords is sitting: write down the one paragraph that names what each AI agent can access, what it cannot, and which human on your leadership team approves the exceptions - and add that paragraph to your DUAA Section 164A complaints-inbox owner's remit as the new AI-agent accountability line.

Sysdig's threat research team published a write-up yesterday, Tuesday 7 July 2026, of a campaign it has named JADEPUFFER — the first documented case, on the public record, of a ransomware operation in which every hands-on-keyboard step from initial access to encryption was executed by an autonomous large-language-model agent rather than a human. The Sysdig report was picked up overnight by The Hacker News, BleepingComputer, Dark Reading, SecurityWeek, Infosecurity Magazine, SC Media, Security Boulevard and Cybersecurity Magazine. The operator handed the agent a target, a set of tools and a natural-language goal. The agent handled the reconnaissance, credential theft, lateral movement, persistence, privilege escalation and destructive database extortion end-to-end, retrying failed steps within seconds when they did not work. In one of the captured sequences the agent moved from a failed login attempt to a working credential in thirty-one seconds. That is faster than any human operator gets through a coffee.

The Cyber Security and Resilience (Network and Information Systems) Bill has its second reading in the Lords in six days, on Tuesday 14 July 2026. The Bill's second reading has been the calendar bracket on this blog since post twenty-six and it stays the bracket here. Six days is short. This post walks through three jobs sized to fit inside it — one on Friday 10 July, one the same day, one on Tuesday 14 July — that translate the JADEPUFFER pattern into work UK schools, charities and small-and-medium businesses can actually do this week, none of which requires new spend and none of which requires an in-house AI specialist.

The vector is worth stating plainly because the vector, not the branding, is what generalises. JADEPUFFER's initial foothold was an internet-facing Langflow instance — Langflow is a popular open-source framework used to build LLM applications by wiring together components in a visual editor — through CVE-2025-3248, a missing-authentication vulnerability disclosed in April 2025, fixed in Langflow version 1.3.0 the same month and added to CISA's Known Exploited Vulnerabilities catalogue in May 2025. The bug has therefore been publicly patched for fifteen months. From the Langflow foothold the agent pivoted to the intended target, an internet-exposed production server running a MySQL database and an Alibaba Nacos configuration service. It targeted Nacos with CVE-2021-29441, an authentication-bypass flaw from 2021 that lets an attacker create rogue administrator accounts. It exfiltrated the MySQL data, encrypted the copies still on disk and dropped a ransom note that reads like an LLM has written it, because an LLM did.

Three things about that chain matter more than any one of them on its own. First, both vulnerabilities were public, both were patched by the vendor, both had been on public advisories for months, and neither would have been present in a routinely patched estate. This is the same shape as the FortiBleed campaign the NCSC alerted on last month and the same shape as the LiteLLM CVE‑2026‑42208 patch the audience walked through in the spring: the vendor did their job, the operator did not deploy the patch, the attacker walked through the door. Second, the AI agent did not do anything a skilled human intruder cannot do. It just did it faster, in the small hours, without needing sleep, without needing a salary, without a mistake pattern a defender could recognise. Third, and this is the point NCSC and the Five Eyes made in their agentic-AI advisory in the spring, the destructive layer of the intrusion succeeded because the service-account credentials the agent found on the compromised Langflow box had far more scope than they needed. The Langflow box was the front door. The database credentials sitting on it were the master key to a room a long way from the front door.

The audience translation is straightforward and, in our experience across UK schools, charities and SMBs, more urgent than it looks. Very few of you run Langflow or Nacos directly. But almost all of you have quietly stood up an LLM application layer over the last twelve months — the Copilot pilot the finance team started, the Claude sub-agent your fundraising lead is using to draft grant applications, the LangChain script one of your IT contractors wrote to summarise safeguarding logs, the Ollama instance a governor set up to run a local model, the Zapier workflow with an AI node that touches the school MIS, the n8n automation your donations bureau uses to categorise gifts, the ChatGPT team plan that has an integration into SharePoint. Every one of these is an AI application. Every one of them holds a credential to something. If the credential is scoped too broadly, the JADEPUFFER pattern is not exotic — it is what the next unpatched AI app on the public internet looks like from the inside.

The Bill's Lords second reading on 14 July matters here for a specific reason. The Bill widens the incident-reporting scope of the NIS Regulations to bring medium and large managed service providers explicitly into the frame, and the GOV.UK "relevant managed service providers" factsheet already tells your IT MSP, your school-MIS hosting partner, your finance-bureau outsourcer and your fundraising-platform provider that they will be on the hook for incidents that involve their infrastructure. The Qantas confirmation last week put the supplier-help-desk layer on the record. JADEPUFFER puts the supplier's AI-application layer on the record too, one week later.

Job one, sized for a Friday morning on 10 July and roughly an hour of one person's time. Produce a one-page inventory of every LLM application running against your data. Include the ones your board does not know about. Ask each team lead the question directly, in plain English: are you using any tool that sends our data through an AI model or that lets an AI model take actions on our systems. Write down the tool name, the credential it holds, the person who owns it, the date it was last patched and the URL it is reachable at. If any entry on that list is reachable from the public internet, put it behind SSO or an IP allow-list before you close the laptop on Friday afternoon. If any entry has not been patched in the last thirty days, patch it. That is the same thirty-day patching cadence the audience has been running on the perimeter since spring. It is the same cadence for the AI layer. The one-page inventory itself lives on the Cyber Resilience Pledge Action 1 board-ownership page that the audience has already stood up.

Job two, the same Friday, roughly thirty minutes on top of Job One. Take every credential on that one-page inventory and answer four questions about it. One: what does the credential unlock — a single mailbox, a folder in SharePoint, a school MIS role, a Stripe read key, the whole finance-bureau database. Two: is the answer to question one wider than the AI application actually needs to do its job. Three: is the credential a long-lived static credential or a short-lived rotating one. Four: if it is long-lived and static, can it be replaced today with a short-lived one or a workload identity that only works from the specific machine the AI app runs on. The pattern JADEPUFFER exploited on the Nacos server — a service account with root-shaped scope, sitting on a box the agent had already compromised — is the pattern all four of these questions are designed to catch. NCSC's phrase is "least privilege". Post nineteen walked through what "least privilege" means for an AI agent. This is the thirty-minute audit that operationalises it.

Job three, Tuesday 14 July, roughly thirty minutes over lunch while the Lords second reading is running in the afternoon. For every AI agent your organisation runs — Copilot, Claude, Gemini, a custom LangChain script, a bespoke chat app your governors' clerk set up — write down the one paragraph that says, in plain English, three things: what the agent can access, what it cannot access, and which named human on your leadership team approves the exceptions. Add that paragraph to the remit of the Section 164A complaints-inbox owner your organisation named on 19 June as their new "AI-agent accountability" line. The named human does not need to be the person who understands the model. They need to be the person who owns the answer when the model does something the organisation did not expect. This is the "plan for failure" line the NCSC agentic-AI advisory has been pressing on since April.

There are three predictions this post is not making. First, the reporting is clear that the JADEPUFFER operator was a human who supervised the agent — the human picked the target, provided the tools and set the goal. Nobody has yet published evidence of an entirely autonomous-in-the-wild campaign in which the AI also picked the victim. This post does not predict when that lands. Second, the ICO's measured-approach signal on early DUAA enforcement is on the record and this post does not read more into it than that. We do not know how the ICO will treat AI-agent failures as personal-data incidents under the DUAA framework and we are not going to guess. Third, no UK school, charity or SMB has been publicly named as a JADEPUFFER victim, and the specific Langflow/Nacos combination is not one this audience typically runs. The point of the post is not to name a UK casualty. It is to name the pattern and get the audience three days ahead of it.

Six days is enough time to do the three jobs above. If you would rather do them with us in the room, our cybersecurity resilience service works through this exact inventory-audit-accountability sequence with UK schools, charities and SMBs in a single half-day, and our discovery call is thirty minutes with a real person and no obligation. Whichever route you take, please have a named owner for the AI-application inventory by the time the Lords sits on Tuesday afternoon. That name on the page is the piece of paper the next post will be able to build on.

Written by Boris Didov