Recently, reports about the first "AI agent ransomware" called JadePuffer have drawn widespread attention in the cybersecurity community. Previously, some opinions suggested that this attack was entirely carried out by AI without human supervision. However, the latest clarification from cloud security vendor Sysdig has provided a clearer picture of the incident: although AI demonstrated remarkable automation capabilities in technical execution, the core role of humans remains irreplaceable.
According to a detailed analysis by Michael Clark, senior director of threat research at Sysdig, JadePuffer was not an "entirely autonomous" operation. The human operators behind the attack still played a central role in strategic decision-making, including configuring command and control servers, establishing data relay chains, and most importantly, identifying attack targets and providing initial access credentials. These credentials were not obtained by AI on its own, but were instead stolen through previous attacks and manually fed to the AI for task execution.
Nevertheless, JadePuffer's performance in the technical execution phase is still alarming. This AI agent successfully breached defenses by exploiting known vulnerabilities in the Langflow application. Once inside the production environment, it demonstrated high processing efficiency: it could autonomously move laterally within the network, steal sensitive data, and even analyze errors, adjust parameters, and try again within 31 seconds when operations were blocked. Throughout this process, it included natural language code comments to explain its "reasoning process." After encrypting more than 1,300 configuration records, it could also automatically generate a ransom note.
Regarding the model that drives this AI agent, there is currently no consensus. Although API keys from OpenAI, Anthropic, DeepSeek, and Gemini were found during the attack, further verification showed that these were merely stolen "assets" of the AI agent, not the core driving force of the model. Industry researchers speculate that this might be an open-source weight model that had its safety alignment restrictions removed.
This incident highlights a black market model of "human-machine collaboration," further lowering the threshold for cyberattacks. As security experts have warned, although AI still cannot complete strategic planning without human instructions, as the cost of automation continues to decline, such agent-based attacks that can rapidly iterate and autonomously overcome technical obstacles may evolve into larger-scale threats in the future. For enterprises, in addition to preventing the misuse of AI technology, they should also focus on fundamental defense measures such as fixing core interface vulnerabilities and implementing minimal privilege management to break the chain of destruction caused by such automated attacks.
