Sysdig Says AI Ransomware Still Needed Human Setup
Sysdig described JadePuffer as agentic ransomware, but Michael Clark said a human still chose the victim, provisioned infrastructure and supplied database credentials before the AI agent executed the attack.

Sysdig Says JadePuffer Used An AI Agent But Still Needed Human Setup
Sysdig researchers described JadePuffer as agentic ransomware, but the operation still depended on a human operator to choose the victim, provide infrastructure and hand over database credentials before the AI agent carried out the intrusion.
Michael Clark, Sysdig's senior director of threat research, said in a Monday interview that a person set up the command-and-control server, staging server and target selection.
He said the credentials used to enter the victim's database came from a prior compromise rather than from the agent itself.
That distinction narrows the claim around the AI-run ransomware attack without removing the security risk.
Sysdig's account says the agent handled the technical execution after setup: it entered through a known Langflow bug, moved to a production MySQL server, exploited another known flaw for admin access and encrypted more than 1,300 configuration records.
Langflow And MySQL Flaws Were Used Before File Encryption
Sysdig said JadePuffer began with a vulnerable Langflow host.
Langflow is an open-source tool for building LLM applications, and Sysdig said the agent used a known bug there before moving deeper into the environment.
The agent then reached a production MySQL server and used a separate known flaw to obtain admin access.
Sysdig said it encrypted more than 1,300 configuration records, wrote its own ransom note and left a Bitcoin address for payment.
The disclosed techniques were not described as novel exploits.
Sysdig's account points instead to the agent's speed and autonomous execution once the operation had been prepared by a person.
Sysdig said the agent repaired a failed login in 31 seconds while narrating its reasoning in natural-language code comments.
Stolen API Keys Did Not Identify The Model Behind JadePuffer
Clark also clarified a separate point about the models involved.
He had said Sysdig found harvested keys for OpenAI, Anthropic, DeepSeek and Gemini, but later said those keys were loot from the compromised host rather than proof that several models ran the attack.
Clark said by email that the agent searched the Langflow host for provider API keys, cloud credentials, cryptocurrency wallets and database configurations.
He said the keys showed what the attacker considered worth stealing, but did not show which model made the operational decisions.
Sysdig has not identified the specific model that drove JadePuffer.
Clark said the company also lacks visibility into the system prompt or configuration used for the agent.
That leaves the central tooling question unresolved even though the intrusion path and the human setup role are clearer.
Open-Weight Model Theory Remains Unconfirmed
Microsoft researcher Geoff McDonald suggested on LinkedIn that an open-weight model with safety training stripped out may have powered the operation.
His view was based on red-teaming experience that frontier labs' safety layers hold up well, but Sysdig's account did not confirm or rule out that theory.
McDonald also warned that ransomware campaigns could become bounded more by attacker budget than by human labour, with thousands or tens of thousands of simultaneous campaigns becoming possible.
Clark's description adds a constraint to that scenario because the operation still required a person to pick a victim, prepare infrastructure and supply credentials.
Clark told CyberScoop that Sysdig had not seen the same operation hit other victims yet.
He said low agent-running costs could change that, but the company did not identify the victim, name the model, publish the system prompt, disclose the prior credential compromise, or confirm other JadePuffer infections.


















