← Blog

JadePuffer, Agentic Ransomware, and What It Changes About AI Egress

On July 1, 2026 Sysdig disclosed JadePuffer, the first documented ransomware operation run end to end by an LLM agent: initial access through a Langflow RCE and a Nacos auth bypass, then autonomous recon, credential theft, lateral movement, and database extortion, with the agent self-correcting a failed subprocess call in 31 seconds with no human in the loop. The one control that sits inside an AI gateway's boundary is the outbound model traffic the agent depends on to think.

ByParminder Singh· Founder & CEO, DeepInspect Inc.
Problem-Awareagentic-aiai-securitycybersecurityllm-securityinline-enforcement
JadePuffer, Agentic Ransomware, and What It Changes About AI Egress

On July 1, 2026, Sysdig's Threat Research team disclosed JadePuffer, the first documented ransomware operation run end to end by a large language model agent. The chain started with a Langflow remote code execution flaw (CVE-2025-3248) and a Nacos authentication bypass (CVE-2021-29441). From there the agent ran its own reconnaissance, stole credentials, moved laterally, escalated privilege, and extorted a database. At one point a subprocess call failed on a PATH error, and the agent switched to a direct bcrypt import and continued, in 31 seconds, with no operator watching.

I want to be precise about which part of this an AI gateway can see and which part it cannot, because the honest answer is narrow and it is also the useful one.

What JadePuffer actually did

Sysdig's write-up, corroborated by CyberScoop and The Hacker News, describes an attacker who wired an LLM into the operator seat. The model was the decision-maker. It read command output, chose the next step, wrote the code, and recovered from its own errors. The human set it running.

Two vulnerabilities opened the door. The Langflow RCE gave code execution on an exposed AI development server. The Nacos auth bypass gave configuration and service access. Neither is novel, and both had patches available. What is new is the operator: a model that turned two ordinary bugs into a full kill chain without a person driving each step.

The endpoint mechanics sit outside an AI gateway

I run the boundary check on every incident before I claim a control helps with it. Most of what JadePuffer did happens on the endpoint. The encryption, the lateral movement over SMB, the privilege escalation, the subprocess execution: none of that flows through HTTP AI traffic between a user and a model. An enforcement proxy in front of LLM APIs has no view of it, and pretending otherwise would be the kind of hand-waving the reader sees through.

Endpoint detection, network segmentation, and prompt patching own that surface. I covered a related pattern, an attacker operating an LLM as post-exploitation tooling, in the Marimo CVE-2026-39987 breakdown. The endpoint controls there are the same ones that matter here.

The one thread that runs through AI traffic

There is a part of JadePuffer that does flow through AI traffic, and it is load-bearing. The agent has to reach a model to think. Every decision the agent made came from a model call. Cut the agent off from inference and the autonomy stops.

That dependency is observable at the AI request boundary in two ways:

  • An unrecognized in-environment identity making model calls. A production host that suddenly originates a stream of LLM requests, at machine tempo, is an anomaly an identity-aware policy can flag. The traffic pattern of an agent reasoning through a kill chain looks nothing like the application traffic the host normally sends.
  • The content of what the agent asked the model to do. Requests that ask a model to write credential-harvesting code, enumerate a database, or draft an extortion note are visible in the prompt, which is exactly the layer that inline inspection reads and application-layer and network DLP do not.

I made the machine-speed case in why AI security must be inline. Google Mandiant's M-Trends 2026 report put the median time from initial access to handoff at 22 seconds in 2025, down from over eight hours in 2022. JadePuffer's 31-second self-correction is the same clock. Asynchronous review that fires minutes later reads as a post-mortem.

The forensic record is the second half

Prevention is only part of the value at the AI boundary. The other part is evidence. When an agent runs an attack, the responders' first question is what it did, and the second is what it was trying to do. A per-decision audit record of the model calls answers the second question directly: here is every prompt the hostile identity sent to a model and every response it got back.

That record is the reasoning transcript of the attack. It shows the agent asking how to bypass the Nacos check, how to recover from the PATH error, how to phrase the extortion demand. Standard host and network logs capture actions. The AI request log captures intent, at a resolution nothing else in the stack holds. I keep a running view of incidents like this in the agentic AI news tracker.

What to change now

Two moves follow from JadePuffer, and they map to the two halves above. First, treat outbound LLM traffic from production infrastructure as a monitored channel with an identity attached, not as anonymous egress. A server that starts talking to a model is a signal. Second, record every AI request with the identity behind it, so that when an agent does get loose, the transcript of what it asked exists before you need it.

Neither move stops endpoint ransomware on its own. Both give you a control point and an evidence source on the one dependency an LLM-run attack cannot avoid.

DeepInspect

This is the problem DeepInspect was built to solve on the AI-traffic side. DeepInspect sits inline between the identities in your environment and the LLM APIs they call. For every request it evaluates who is asking, whether that identity is recognized and permitted to make model calls on this route, and what the prompt contains, before the traffic reaches the model. An unrecognized production identity generating inference traffic at machine speed is precisely the pattern it is positioned to flag and fail closed on.

Every request also produces a signed, per-decision audit record: the identity, the route, the policy in effect, the decision, and a timestamp. For an agentic attack, that record is the reasoning trail, the log of what the hostile agent asked a model to do, committed independently of the compromised host.

DeepInspect does not stop the encryption or the lateral movement; those live on the endpoint. It watches and records the model traffic the agent depends on to operate at all. If you are assessing how an autonomous agent would look inside your environment, let's talk today.

Frequently asked questions

What is agentic ransomware?

Agentic ransomware is a ransomware operation where a large language model agent, rather than a human operator, drives the attack chain: reconnaissance, credential theft, lateral movement, privilege escalation, and extortion. Sysdig's JadePuffer, disclosed July 1, 2026, is the first documented end-to-end case. The distinguishing feature is autonomy. The model reads command output, decides the next action, writes the code, and recovers from its own failures without a human in the loop, which compresses the attack timeline and removes the pauses defenders often rely on to intervene.

Can an AI gateway stop ransomware like JadePuffer?

Not the endpoint half of it. The encryption, lateral movement, and privilege escalation happen on hosts and networks that an AI-traffic proxy never sees, so endpoint detection and segmentation own that surface. What an AI gateway addresses is the agent's dependency on model access. The agent must send inference requests to reason, and those requests carry an identity and a prompt. An identity-aware gateway can flag an unrecognized production host generating model traffic and record every request for forensics. It is a control on one necessary channel and an evidence source, not a replacement for endpoint defense.

How does monitoring AI egress help against autonomous agents?

An autonomous agent cannot function without reaching a model, so its inference traffic is a chokepoint. Monitoring AI egress with identity context surfaces two signals: a workload that begins originating LLM requests when it never did before, and prompt content that describes hostile actions such as credential harvesting or data enumeration. Both are visible at the request layer and invisible to network DLP, which sees only encrypted traffic to a provider domain. Recording that egress also produces a transcript of the agent's reasoning, which shortens investigation and shows intent, not just executed actions.

Were the vulnerabilities in JadePuffer new?

No. The initial access used a Langflow remote code execution flaw (CVE-2025-3248) and a Nacos authentication bypass (CVE-2021-29441), both known and both patchable before the attack. The novelty is the operator. An LLM agent chained two ordinary vulnerabilities into a complete ransomware operation and self-corrected mid-attack in about 31 seconds. The lesson is less about the specific CVEs and more about how autonomous tooling lowers the skill and time required to turn routine unpatched bugs into a full compromise.