Sysdig's Threat Research Team published research in July 2026 documenting JADEPUFFER, the first ransomware operation fully executed by an LLM agent — no human operator required at any step after initial access.
Sysdig's Threat Research Team published research in July 2026 documenting JADEPUFFER, the first ransomware operation fully executed by an LLM agent — no human operator required at any step after initial access.
Sysdig's Threat Research Team documented the first fully agentic ransomware operation: an LLM-driven attacker that exploited Langflow, pivoted to a production Nacos instance, and encrypted 1,342 database configurations without human direction at any step.
Sysdig has documented JADEPUFFER, a threat actor that used an LLM agent to drive an entire ransomware operation autonomously — from Langflow exploitation through database encryption. The attack encrypted 1,342 production configuration items using an ephemeral key that makes recovery impossible.