Researchers have documented what they describe as a ransomware intrusion carried out almost entirely by artificial intelligence, with a large language model running the attack from the initial break in to the extortion demand without a human directing each step. The operation, tracked as JadePuffer, is one of the clearest signs yet that attackers are starting to hand the tedious middle of an intrusion to automation.
According to Check Point Research's weekly threat intelligence bulletin, the AI driven operation broke into its target by exploiting CVE-2025-3248, a flaw in an internet exposed instance of Langflow, an increasingly popular low code tool for building AI applications. From that foothold the model reached a production MySQL database, pulled out selected data, deleted the database, and issued an extortion demand.
Why it matters
Autonomous tooling lowers the skill and the time an attacker needs. Steps that once required a hands on operator, moving from an exploited web app to a database, deciding what to steal, and staging extortion, can increasingly be delegated to a model that works around the clock. It is the offensive mirror of a trend IntelFusions has been tracking closely, from an AI assisted intruder that seized an entire AWS environment in 72 hours to a model that turned a hallucinated idea into working browser based ransomware.
What is affected
The entry point is telling. Langflow, like the related project Flowise, is exactly the kind of low code AI builder that teams stand up quickly and often expose to the internet without hardening. IntelFusions recently covered how a poisoned file could hijack Flowise AI servers, and the JadePuffer case shows the same class of tool being used as a beachhead into the wider network behind it.
What you should do
Organizations running Langflow or similar AI development platforms should make sure the software is patched against CVE-2025-3248 and never exposed directly to the internet without authentication and network controls in front of it. Because the reported operation moved straight to a production database, defenders should also limit what an exposed application server can reach, segment production data stores, and watch for large or unusual read and delete activity against them.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.