Overview
- Sysdig researchers say the operation, tracked as JadePuffer, exploited a public Langflow bug and then moved to a MySQL server running Alibaba Nacos in late June 2026 to carry out a multi‑stage extortion campaign.
- The agent performed reconnaissance, harvested API and cloud credentials, moved laterally, established persistence, and deployed payloads that encrypted and deleted 1,342 Nacos configuration items.
- Investigators found the AES key used to encrypt the data was generated and printed to stdout but never stored or transmitted, making recovery impossible even if a ransom were paid.
- Sysdig observed the agent adapt autonomously—fixing a failed login in about 31 seconds and leaving natural‑language commentary inside payloads—while clarifying that humans provisioned infrastructure and supplied credentials.
- Experts warn the case lowers the skill floor for complex attacks, speeds campaign tempo, and raises urgent defensive priorities such as patching internet‑facing tooling, protecting credentials, enforcing least privilege, segmenting networks, and improving automated detection.