Back to Blog

JADEPUFFER and Langflow: Why AI Agent Workflows Need Governed Data Paths

Share
X
Abstract illustration of governed data pathways and controlled flow

When an LLM-driven agent can reach MinIO buckets, dump workflow credentials, and encrypt a production configuration store, AI agent platforms become high-value data-movement infrastructure — with the same custody, identity, and destination-policy requirements as any other path that moves regulated content.

On July 1, 2026, the Sysdig Threat Research Team published research on JADEPUFFER, which they assess as the first documented case of agentic ransomware: a complete extortion operation driven end-to-end by a large language model rather than a human-operated toolkit. The Hacker News and SecurityWeek covered the same findings in early July. The entry point was an internet-facing Langflow instance; the impact landed on object storage, credentials, and a production configuration database.

What happened

Langflow is an open-source framework for building LLM applications and agent workflows. JADEPUFFER gained initial access by exploiting CVE-2025-3248 (CVSS 9.8), a missing-authentication flaw in Langflow’s code validation endpoint that allows unauthenticated arbitrary Python execution on the host. The vulnerability had been disclosed and patched earlier, but internet-exposed instances remained reachable. Sysdig notes that Langflow hosts are attractive entry points because they sit next to AI tooling, often hold provider API keys and cloud credentials in their environment, and are frequently stood up without network controls.

After code execution, the agent enumerated the host and swept for secrets in parallel: LLM provider keys (OpenAI, Anthropic, DeepSeek, Gemini, and others), cloud credentials for AWS, GCP, Azure, and Chinese providers tagged with prefixes such as ALIBABA_, ALIYUN_, TENCENT_, and HUAWEI_, cryptocurrency wallets, database credentials, and configuration files. It dumped Langflow’s own Postgres backing store — harvesting stored credentials, API keys, and user records — staged the output locally, reviewed it, then deleted the staging files. It scanned the internal address space for databases, object storage, secret stores, and service-discovery endpoints.

The object-store phase is especially relevant to data movement. The agent probed MinIO, an S3-compatible store commonly used for application data, backups, ML artifacts, and infrastructure state, at both minio.internal:9000 and 127.0.0.1:9000. Using default credentials minioadmin:minioadmin, it listed buckets (including a terraform-state bucket and internal config storage), listed objects, and fetched credentials.json and .env by name. When a request that expected JSON returned XML, the agent adapted its parser to the S3 schema and reissued the call. Escalation was progressive: anonymous health check, admin API info, authenticated ListBuckets, then targeted GetObject on credential-like filenames. Persistence on the Langflow host used a crontab entry that beaconed to attacker infrastructure every 30 minutes.

Captured artifacts show the true objective was a separate production server running MySQL and Alibaba Nacos (a naming and configuration service common in microservice stacks). The agent connected to the exposed MySQL port as root; Sysdig reports it did not observe where those credentials were harvested, so their origin remains unknown. Against Nacos, payloads used multiple vectors at once: the auth-bypass family associated with CVE-2021-29441, JWT forgery via Nacos’s long-documented default signing key, and insertion of a backdoor administrator into the Nacos database with root MySQL access.

In the ransomware phase, the agent encrypted 1,342 Nacos configuration items using MySQL AES_ENCRYPT, created a ransom table named README_RANSOM, and left a Bitcoin address and contact email. The encryption key was generated ephemerally and never persisted or transmitted, which blocks recovery even if the ransom is paid. Captured payloads show escalation from row-level deletion to dropping entire schemas, with self-narrating natural-language reasoning and real-time adaptation — including a sequence Sysdig describes as moving from a failed login to a working fix in 31 seconds.

Why this matters

Security programs often inventory AI tools as developer productivity software. JADEPUFFER treats Langflow as a privileged platform that can discover object stores, pull infrastructure state, and destroy configuration data at machine tempo. The MinIO enumeration alone shows how an agent workflow host becomes a transfer path: default credentials, bucket listing, and targeted retrieval of credentials.json and terraform-state are classic custody events, even when the product label is “agent builder.”

For regulated organizations — healthcare, manufacturing, defense supply chains, financial services, and any team subject to HIPAA, CMMC, SOC 2, or contractual chain-of-custody clauses — the risk is twofold. Teams evaluating AI agent governance for regulated data movement should treat workflow hosts as first-class movement surfaces. First, AI workflow hosts concentrate secrets that unlock other systems. Second, once those secrets open object storage or production databases, the agent can move and destroy data without a human operator in the loop. Detection tuned for malware implants or slow human-operated ransomware will miss adaptive sequences measured in seconds.

The pattern also connects to earlier campaigns that abused legitimate administration and transfer tools. Affiliates using rclone or S3 Browser as exfiltration paths, and agents that call MinIO APIs with default admin credentials, share a structural property: the path that can push or pull high-value content is treated as ambient infrastructure until something breaks. JADEPUFFER adds autonomy and self-correction on top of that gap.

The architectural issue underneath

AI agent platforms split concerns that governance has to rejoin:

  • Identity of the agent and of the human or service that authorized it.
  • Secrets and credentials the agent is allowed to hold or request.
  • Destinations the agent may read or write — object buckets, databases, partner APIs, model providers.
  • Evidence that a movement or destructive action occurred under a stated policy.

When Langflow (or any peer tool) stores long-lived provider keys in the process environment, sits on a network path to MinIO and MySQL, and exposes code-execution surfaces to the internet, those four concerns collapse into a single compromised host. Cloud-side disablement of a portal account would not have helped here; the agent already had Python execution and default storage credentials on the inside.

Nacos and similar configuration stores illustrate a second failure mode. Dynamic configuration is operational data. Encrypting 1,342 config items is both an availability attack and a custody failure: the organization loses control of what services trust and how they connect. Systems that hold that class of content need the same blast-radius discipline as file-transfer gateways and clinical document portals.

What regulated teams should take from this

Treat AI agent workflow platforms as governed data-movement infrastructure on the same tier as MFT systems and secure file transfer, hybrid file gateways, and remote administration tools. The same boundary discipline applies to MCP tool connectors and other agent orchestration surfaces.

  • Inventory internet-facing agent builders — Langflow and similar products should have known owners, known versions, and known exposure. Unauthenticated code paths and validation endpoints must not face the public internet.
  • Scope secrets away from the web process — provider API keys and cloud credentials should live in a secrets manager with least privilege, not ambient environment variables on the orchestration host.
  • Harden object storage reachable from workflow hosts — rotate off default MinIO credentials, constrain which buckets agent hosts may list or read, and alert on GetObject for credential-like and state-like keys.
  • Require movement-level evidence — retrieval of configuration packages, infrastructure state, or credential files should produce a durable record of principal, classification, destination, policy decision, and time that survives after the host is isolated.
  • Include configuration platforms in ransomware models — Nacos, service registries, and dynamic config databases hold production connectivity. Protect admin ports, change default signing keys, and never expose root database access on the internet.
  • Watch adaptive sequences — failed authentication followed by a corrected attempt within seconds, progressive object-store enumeration, and rapid schema changes with self-narrating process artifacts deserve the same priority as traditional ransomware staging.

Patching CVE-2025-3248 is necessary but insufficient on its own. The architectural controls above still matter when the next agent workflow product ships a different RCE or when credentials are stolen through a compromised integration.

Questions worth asking this week

  • Which AI workflow platforms in our environment store LLM provider keys or cloud credentials, and what is the narrowest scope those credentials actually require?
  • Can any workflow host reach MinIO or other S3-compatible stores with default credentials or overly broad roles?
  • If an agent retrieved terraform-state, credentials.json, or a database dump this month, would we have a movement-level record suitable for audit or regulator review?
  • Are Nacos, Langflow, and similar configuration and workflow stores included in the same threat model as primary data stores for ransomware and extortion scenarios?
  • Do detection rules surface rapid adaptive sequences — failed login followed by success in under a minute — on database and object-store endpoints?

Closing thought

JADEPUFFER used an exposed Langflow host to harvest secrets, enumerate object storage, and encrypt production configuration data under LLM control. The techniques are familiar; the operator is an adaptive agent that chains them without waiting for a human on the keyboard. That makes every credential store and object path reachable from the agent platform a custody surface.

Govern those paths with identity bound to the transfer, destinations constrained by policy, and evidence that holds after isolation. Agent builders that can list buckets and dump config already sit on the data-movement plane — treat them accordingly before the next automated campaign arrives.

Sources