This Week in Cybersecurity (TWiC)
Three stories dominated the last few weeks, and they share one thread: the human operator is coming out of the loop. Sysdig documented the first ransomware operation run end to end by an LLM. Sygnia investigated a lone attacker who compressed a multi-week cloud intrusion into 72 hours and got paid. The Five Eyes warned that frontier AI will reshape offensive cyber in months, not years.
None of it required a zero-day. Every case ran on an unpatched known CVE, default credentials, or over-permissioned identities. AI did not invent new tradecraft. It removed the labor cost of the old tradecraft, which is the trajectory we flagged when state actors began using models across the full attack lifecycle.
JADEPUFFER: The First Documented Agentic Ransomware Operation
What happened: Sysdig’s Threat Research Team documented JADEPUFFER, an “agentic threat actor” whose attack capability came from an AI agent rather than a human toolkit. Entry was CVE-2025-3248, an unauthenticated RCE in Langflow, the open-source framework for building LLM apps and agent workflows. CVSS 9.8, patched April 2025, on CISA’s KEV list a month later. The victim never applied it.
The agent ran the rest itself. It dumped Langflow’s PostgreSQL database for credentials and API keys, enumerated MinIO object storage using default credentials (minioadmin:minioadmin), installed a cron job beaconing every 30 minutes, then pivoted to the real target: an internet-exposed MySQL and Alibaba Nacos server, via CVE-2021-29441, a four-year-old auth bypass. It encrypted all 1,342 Nacos configuration items and dropped the originals. Sysdig logged over 600 distinct payloads and watched the agent go from a failed login to a working fix in 31 seconds. One caveat worth carrying into any conversation about this: a human still provisioned the infrastructure, chose the victim, and supplied the MySQL root credentials.
Why it matters: Ransomware has always needed a skilled human somewhere, at the keyboard or writing the script. As Sysdig put it, tradecraft that once implied a capable human now implies a capable model. And look at what actually got exploited: a forgotten Langflow box, default credentials, a 2021 auth bypass. Agents make spraying the entire back catalog of known CVEs nearly free, which makes the long tail of neglected internet-facing systems more dangerous, not less.
What to do next:
- Treat AI infrastructure as production infrastructure. Langflow, vector databases, MCP servers, and agent frameworks hold cloud credentials and API keys, and they get stood up fast with minimal hardening. They belong in your asset inventory, your patch cycle, and your hardening standards.
- Find what is exposed before an agent does. External penetration testing surfaces the internet-facing services that never made the official inventory.
- Kill default credentials in object storage and configuration services, and restrict egress so a compromised host cannot beacon or exfiltrate.
- Test the AI you deployed. AI Penetration Testing evaluates chatbots, RAG pipelines, and agents for excessive agency, prompt injection, and the over-permissioned tool access that turns a manipulated model into a foothold.
One Attacker, 72 Hours, One Extorted AWS Environment
What happened: Sygnia published findings on a lone, financially motivated actor who used agentic AI workflows to compromise a large enterprise AWS environment in roughly 72 hours, work that would normally take a team weeks. No zero-day, no custom malware. The attacker obtained an AWS access key through a weakness in an internet-facing application, then pushed it through four repeatable workflows for secrets theft, backdoor creation, enumeration, and exfiltration, restarting the cycle with every credential it harvested.
It did not hinge on one misconfiguration. It chained weaknesses across application services, AWS resources, source code repositories, CI/CD pipelines, runtime components, and data stores. The forensic tell was concurrency: four access keys tied to four accounts, used from a single source IP and user agent within one observed second. For leverage, the actor chose reversible impact actions as a show of force, denying access to S3 buckets, scaling ECS services to zero, writing ACLs to block traffic, and purging SQS queues. The victim paid.
Why it matters: The assumption that scale requires a team is gone. A solo operator now carries the throughput of an organized crew, which widens the pool of people capable of hitting a large enterprise. It also breaks a core SOC design assumption. If an attacker moves laterally in under a minute while running nineteen tasks in parallel, a security model built around humans working an alert queue loses on the clock every time.
What to do next:
- Treat identity as Tier-0. Eliminate long-lived IAM access keys, scope permissions tightly, rotate aggressively. Identity was the pivot at every stage of this intrusion.
- Hunt your own secrets first: container environment variables, CI/CD runner configs, plaintext credentials in storage buckets, hardcoded API keys.
- Test cloud configuration, pipelines, and identity paths together. Cloud testing and configuration security audits surface the chained paths individual scans miss, and the foothold came through an internet-facing application.
- Rehearse the extortion decision. The pressure play was reversible disruption, not encryption, which is a different scenario than most playbooks assume. A tabletop exercise and a standing incident response escalation path separate a decision from a panic, and continuous monitoring is the only control operating on the attacker’s timescale.
Five Eyes: “The timeline is not years, it is months”
What happened: On June 22, the cybersecurity agencies of the Five Eyes nations (CISA and the NSA, plus Australia’s ASD, Canada’s CSE, New Zealand’s GCSB, and the UK’s GCHQ) issued a rare joint statement warning that frontier AI will fundamentally transform offensive and defensive cyber capability. They flagged automated vulnerability discovery, faster exploit development, synthetic social engineering at scale, and automated malware generation, and named legacy systems, slow patching, unnecessary internet connectivity, weak identity controls, and absent pre-incident planning as the conditions attackers will exploit.
It landed mid-policy-scramble. On June 12, the Department of Commerce issued an export control directive covering Anthropic’s Claude Mythos 5 and Fable 5, and Anthropic disabled both models globally to comply. OpenAI separately limited the rollout of its GPT-5.6 models at the government’s request. That has since resolved: Commerce lifted the controls on June 30 and Anthropic restored access on July 1 after deploying new safety classifiers. nGuard covered the original suspension and the underlying capability question as they developed.
Why it matters: Separate the policy noise from the operational signal. Governments are not warning that AI will invent a new class of exploit. They are warning that it will collapse the time between disclosure and mass exploitation. Note what the agencies actually named as the exposure: legacy systems, patch latency, internet exposure, weak identity, no plan. Nothing on that list is new. What is new is how little time you have to close it.
What to do next:
- Compress patch latency on anything internet-facing. Assume a KEV listing now means exploitation attempts within hours. Continuous vulnerability scanning is what makes that timeline survivable.
- Fix identity first. Least privilege, enforced MFA, and aggressive credential rotation were the difference between a foothold and a full compromise in both cases above.
- Get visibility into the AI already in your environment. Most organizations cannot name which AI tools are in use or what data flows into them. An AI Usage & Risk Assessment surfaces sanctioned and shadow AI, who is using it, and what data is going in.
- Build the governance program while the window is open. An AI Strategic Security Assessment measures your AI program and architecture against the CIS Controls and the CIS AI Companion Guides, and tabletop exercises close the pre-incident planning gap the agencies called out.
Wrap
Three stories, one pattern. AI did not bring a new attack. It brought throughput.
JADEPUFFER walked in through a CVE patched fourteen months earlier and a set of default credentials. The Sygnia case started with a leaked access key. The Five Eyes warned about legacy systems and weak identity, not exotic exploits. In every case the vulnerable surface was the one every organization already knows it has and has not gotten around to fixing. What changed is the cost of exploiting it, and the response has not changed at all: inventory, patch velocity, identity hygiene, egress control, detection that fires without a human in the queue, and a plan someone has actually rehearsed.
One addition, though. The AI you are running is now part of your attack surface. JADEPUFFER’s entry point was not a VPN appliance. It was an AI development framework sitting on the internet, holding cloud credentials, owned by nobody in particular. If you cannot name the AI tools in your environment, say what data flows through them, and point to who owns their patch cycle, that is not an AI strategy problem. It is an unmanaged attack surface, and this month it started getting exploited.

