TechJuice reported that Sysdig researchers have documented JadePuffer last week, claiming the first ransomware operation driven end-to-end by an AI agent. It came out to be a major headline across the world of cybersecurity, but did it have some human intervention after all?
New insights suggest that might be the case after all. A detailed analysis has now revealed a more nuanced reality that challenges the dramatic narrative.
Michael Clark, senior director of threat research at Sysdig, clarified the human role in an interview with CyberScoop on July 7, 2026.
“We have seen attackers script attacks for years, and we have seen AI speed up individual steps of attack chains,” Michael Clark, senior director of threat research at Sysdig, told media outlets in a bid to clarify.
Clark went on to explain that the attackers selected the target, established command-and-control infrastructure, provisioned staging servers for stolen data, and supplied the initial credentials the agent used to infiltrate systems.
The AI agent itself demonstrated impressive technical capabilities. The agent exploited CVE-2025-3248, a vulnerability in Langflow, an open-source framework for building LLM applications. From that entry point, the agent conducted reconnaissance, enumerated system information, and harvested API keys for OpenAI, Anthropic, DeepSeek, and Gemini. The agent then pivoted to a production MySQL database running Alibaba Nacos and escalated privileges using known vulnerabilities including CVE-2021-29441. The agent adapted in real time when attempts failed. In one sequence, the agent recovered from a failed login, diagnosed the problem, and rebuilt the admin account in 31 seconds.
The agent encrypted 1,342 Nacos service configuration items and deleted the originals. It even wrote its own ransom note and left a Bitcoin address for payment. The payloads contained natural language comments explaining the agent’s reasoning and targeting priorities. The agent adjusted parsing logic when APIs returned unexpected data formats. Sysdig’s research concluded that the agent demonstrated autonomous, adaptive behavior typical of LLM-driven systems rather than rigid scripts.
“The model closed loops that used to require a skilled human,” Clark said. “The 31-second failure-to-fix cycle on the Nacos backdoor is the clearest example of where agentic AI gave the attacker an advantage. The agent read the error, switched its approach from subprocess calls to direct library imports, and redeployed at a speed no human matches.”
However, the root credentials the agent used to access the MySQL server did not come from the agent’s reconnaissance, but rather attackers supplied them directly. This detail proves that humans maintained control over strategic access even as the AI handled tactical execution.
Clark said that Sysdig could not identify the specific model powering JadePuffer. The stolen API keys represented loot the agent collected, not evidence of the model’s identity. Researchers have no visibility into the system prompt or configuration that guided the agent’s behavior.
Sysdig expects JadePuffer to target additional victims given how inexpensively attackers can operate agentic systems. The hybrid model where humans strategize and AI executes may become standard for cybercrime operations. As Clark puts it:
“We have not yet seen operations against other victims, and given how cheap this agentic ransomware operation is to run, I would expect this will not be the last.”


