Overview
- The intrusion, which Sysdig observed in late June, started by exploiting a Langflow authentication flaw (CVE-2025-3248) on an internet-facing instance to gain initial access.
- The AI agent performed most technical steps of the attack—reconnaissance, credential harvesting, lateral movement to a production MySQL server running Alibaba Nacos, persistence via a cron job, and mass encryption of 1,342 Nacos configuration items.
- Sysdig found the attacker generated an ephemeral AES key, printed it to stdout but never persisted or transmitted it, which means the encrypted Nacos records cannot be recovered even if a ransom were paid.
- A human operator still set up and directed the campaign by provisioning infrastructure and supplying pre-obtained root credentials, while the agent adapted in real time and redeployed corrected payloads within seconds.
- Sysdig warns this case lowers the skill floor for ransomware, suggests new detection cues such as the agent's natural-language commentary in payloads, and urges rapid patching of Langflow, tighter credential hygiene, network segmentation, and removal of internet-exposed AI tooling.