Skip to content

Securing AI Agents: The New Attack Surface

In July 2026, an AI agent ran a ransomware attack end to end by exploiting Langflow. Here is what happened, why agents are a bigger attack surface, and how to build safely.

Updated
5 min read
As featured inBloombergTechCrunchForbesThe VergeBusiness Insider
Editorial illustration for Securing AI Agents

The short version

In early July 2026, the security firm Sysdig documented what it calls the first ransomware operation run end to end by an autonomous AI agent. The agent, part of a campaign Sysdig named JADEPUFFER, broke into a server, harvested credentials, moved laterally, encrypted data, and wrote its own ransom note, adapting to obstacles as it went. It got in by exploiting Langflow, a popular open-source framework for building LLM apps and agent workflows.

The important detail is not that AI wrote the ransomware. It is that the same properties that make AI agents useful (they can browse, run code, call APIs, and act without a human in the loop) are exactly what make them a new and larger attack surface. If you are building with agents, the threat model changed this month.

What actually happened

Sysdig's Threat Research Team published the JADEPUFFER analysis around July 1, 2026. The technical facts are specific and worth stating plainly:

  • The entry point was CVE-2025-3248, an unauthenticated remote code execution flaw in Langflow rated CVSS 9.8. A patch shipped in April 2025 and CISA added the bug to its Known Exploited Vulnerabilities list in May 2025. The victim had not patched.
  • Once inside, the agent encrypted 1,342 Nacos service configuration items and deleted the originals.
  • When an admin-account login failed, the agent diagnosed the problem and issued a working fix in 31 seconds.
  • More than 600 payloads carried plain-language comments narrating the agent's own reasoning as it worked.

TechCrunch's headline was the necessary counterweight: "The 'first' AI-run ransomware attack still needed a human." As TechCrunch put it, "a human still chose the victim, set up the infrastructure, and supplied stolen credentials." So this was not a fully autonomous attacker materializing from nothing. It was a human operator who handed the tactical execution to an agent, and the agent handled it competently.

That is the part to sit with. The human did the strategy. The agent did the work. That division of labor is going to get more capable, not less.

Why agents are a bigger attack surface

An ordinary chatbot answers questions. An agent takes actions: it can read files, run shell commands, query databases, call third-party APIs, and chain those steps toward a goal. Every one of those capabilities is a tool, and every tool is a way for an attacker to turn a language problem into a systems problem.

The OWASP Top 10 for LLM Applications makes the two core risks explicit:

  • Prompt injection (LLM01) has held the number one spot for two consecutive editions. The root cause is structural: LLMs process instructions and data in the same channel with no clean separation. When an agent has tools wired in, a successful injection "may grant unauthorized access to functions that can execute arbitrary commands in connected systems."
  • Excessive agency (LLM06) is what happens when a model is granted too much autonomy, too many permissions, or too much functionality, leading to actions beyond its intended scope.

In late 2025 OWASP went further and published a separate Top 10 for agentic AI systems, because the blast radius of a single injection expands dramatically once the model can act. JADEPUFFER is that expansion made concrete: an unpatched tool, an over-capable executor, and a goal.

What this means if you build with agents

The lesson is not to stop using agents. It is to treat an agent like what it is: a piece of software with credentials and the ability to act. Three moves matter most.

Patch the tools your agents run on. The Langflow flaw was known, scored 9.8, and had a patch and a CISA warning more than a year before this attack. The agent did not defeat a hardened target. It walked through an open door. Your agent stack (the frameworks, the vector stores, the MCP servers, the orchestration layer) is now part of your attack surface, and it needs the same patch discipline as the rest of your infrastructure.

Give agents the least privilege that still works. Excessive agency is the risk you control directly. Scope each tool, each credential, and each API key to the narrowest permission the task needs. An agent that can read one table cannot encrypt 1,342 config items. The default of handing an agent broad access "so it can figure things out" is the default that turns a prompt injection into an incident.

Treat every input as untrusted. Prompt injection works because the model cannot tell instructions from data. Anything an agent ingests (a web page, a document, a tool response, a user message) can carry a hostile instruction. Isolate tool execution, require human confirmation for irreversible actions, and log what the agent actually did, not just what it was asked to do.

The tooling is catching up

Two categories of software are converging on this problem. The first is application and code security, where AI-native scanners now look for exactly the kind of unpatched, exploitable flaw that let JADEPUFFER in. The second is a young class of agent-security and LLM-observability tools built to watch what an agent does at runtime, catch injections, and enforce guardrails on tool use.

If you are shipping agents to production, the honest position is that the capability is running ahead of the safety tooling, and this month proved it. Build with agents. Just build as if the agent will be pointed at you next, because the first operator who did it left a very detailed set of notes.

From the team behind Toolradar

Growth partner for B2B tech

Toolradar also helps B2B tech companies grow, content marketing & distribution through 5 newsletters (550K+ tech professionals), AI Academy, and the Toolradar directory.

See how we work
Share this article
Louis Corneloup

Written by

Louis Corneloup

Founder & Editor-in-Chief at Toolradar. Founder & CEO of Dupple, the publisher of 5 industry newsletters reaching 550K+ tech professionals. Reviews B2B software using a public methodology, see /how-we-rate and /editorial-policy.