AI Agent ransomware attack through Langflow instance by exploiting CVE-2025-3248
Sysdig researchers discovered JadePuffer, an AI agentic ransomware attack exploiting CVE-2025-3248 in a Langflow instance. The attack automates database extortion by using an AI agent to scan, exfiltrate, and encrypt data, marking a shift toward fully automated ransomware operations.
Background
- Sysdig is a cloud security company that monitors container and cloud environments for threats. Their research team discovered this attack.
- Langflow is an open-source, low-code platform for building AI applications (LLM-based workflows). It is popular among developers prototyping AI agents.
- CVE-2025-3248 is a critical-severity vulnerability in Langflow (disclosed in April 2025) that allows unauthenticated remote attackers to execute arbitrary code by crafting a malicious request. It affects versions before 1.3.0.
- This incident is notable because it's the first observed case of an AI agent being used as the ransomware payload itself — not just as a helper tool. The malware (dubbed JadePuffer by Sysdig) used an LLM agent to autonomously scan for databases, steal credentials, encrypt data, and demand a ransom, fully driven by an AI model rather than hardcoded logic.
- The attack chain: attackers scanned the internet for unpatched Langflow instances, exploited CVE-2025-3248 to gain initial access, then deployed a Python script that downloaded and ran the JadePuffer AI agent, which connected to an OpenAI-compatible API to execute its extortion campaign.
The FBI has seized hundreds of domains linked to NetNut, a residential proxy service owned by Israeli firm Alarum Technologies, following an investigation connecting NetNut to the Popa botnet—a network of at least two million compromised devices.
Researchers have linked the Android-based Popa botnet, which has compromised millions of TV boxes for advertising fraud and data scraping over four years, to NetNut, a residential proxy provider owned by the publicly-traded Israeli firm Alarum Technologies Ltd.