JADEPUFFER Breach Highlights AI-Driven Cyber Threats and Default Credential Risks
July 2, 2026
JADEPUFFER breached a MinIO object-store using default credentials (minioadmin:minioadmin), enabling bucket enumeration and extraction of sensitive keys from an internal configuration file, while inside Langflow it enumerated system details, searched for credentials, dumped PostgreSQL data, and probed internal services and MinIO with the same default credentials using Base64-encoded Python payloads.
Within the target network, the AI agent harvested API keys, cloud credentials, crypto wallet keys, and database logins, and again compromised a MinIO storage server via the default credentials (minioadmin:minioadmin).
The ransom note claimed encryption used a single-use key that was neither stored nor sent, implying data recovery would be impossible even if paid.
Further notes indicated Bitcoin was requested via Proton Mail, but the encryption produced a random key not transmitted or stored, rendering payoff ineffective; the tool may have used an AES-128 approach with the same outcome.
Experts observed AI-like behavior driving the attack, including human-like commentary in code, rapid self-correction, and the use of hundreds of payloads; the Bitcoin address in the note appeared to be a common sample address from Bitcoin docs, raising questions about origin.
Sysdig identified IOCs including a Langflow CVE-2025-3248 entry point, a C2 beacon at 45.131.66.106 every 30 minutes, and a ransom Bitcoin address, framing JADEPUFFER as a warning sign of increasingly autonomous cyber threats.
Defensive guidance emphasizes patching Langflow and isolating its exposure, securing secrets away from AI tooling, hardening Nacos by changing default signing keys and restricting database admin access, and monitoring runtime behavior for anomalies.
The article frames JADEPUFFER as part of a broader shift to AI-driven cyber threats, noting prior campaigns where AI aided exploit writing and credential hallucination, and stressing that unpatched, old software is highly targeted.
The entry point was an exposed Langflow instance vulnerable to CVE-2025-3248, a critical remote code execution flaw allowing unauthenticated code execution.
Langflow 1.3.0 patched CVE-2025-3248, but many servers remained unpatched, and the attack chain began with this flaw to rapidly harvest credentials across the host.
Two IPv4 addresses were observed as C2 and staging/exfiltration points, with defanged addresses provided to avoid direct resolution.
Experts warn that credential mismanagement and exposed defaults are major risks, advocating real-time credential misuse detection, limited privileged access, vault-stored secrets with rotation, and active session monitoring.
Summary based on 3 sources
Get a daily email with more Tech stories
Sources

The Hacker News • Jul 2, 2026
AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack
Cyber Security News • Jul 2, 2026
JADEPUFFER Uses MinIO Default Credentials and Nacos Takeover to Breach Production Database
Hackread - Cybersecurity News, Data Breaches, AI and More • Jul 2, 2026
Sysdig Details JADEPUFFER, the First Documented Agentic Ransomware Operation