← Back to The Signal VISION

The attacker fixed its own bug in 31 seconds.

Jul 10, 2026 · 6 min read

Somewhere in the middle of a breach this month, an attacker hit a failed login. Nothing unusual about that — credentials are wrong all the time. What happened next is the part that should stop you cold: the attacker diagnosed the failure, adjusted its parameters, and turned that failed login into a working one in 31 seconds. No coffee break. No handoff to a teammate. No pause to read documentation. Thirty-one seconds, and back on the offensive.

The attacker wasn't a person. It was software, running the entire operation end to end — and it is the clearest picture yet of the adversary your SOC is now up against.

An attack with no human in it

In early July 2026, Sysdig documented an operation it named JADEPUFFER — believed to be the first ransomware attack carried out start to finish by an autonomous machine operator rather than a human at a keyboard. It broke in, mapped the environment, harvested credentials, moved laterally, and destroyed the target — and every decision along the way was made by the machine, in real time.

The entry point was CVE-2025-3248, a missing-authentication flaw in the internet-facing Langflow platform that lets an unauthenticated attacker run arbitrary Python on the host. From there the operation unfolded at a pace no human team could match:

In total: more than 600 distinct, purposeful payloads in a compressed window, an operation that re-attempted failed steps within refined parameters and adapted on the fly. This wasn't a fixed script rattling through a checklist. It was an adversary thinking — at machine speed.

For twenty years the attacker's one hard limit was that a human had to be driving. That limit is gone. The keyboard is now optional, and the clock just collapsed.

The cruelest detail

There's a twist that reframes the whole incident. The encryption key JADEPUFFER generated was essentially random, printed to the screen once, and never saved or transmitted anywhere. Which means the victim cannot recover the encrypted data — even if they pay. Whether that was a mistake or the point, it doesn't matter to the outcome: an autonomous operator with no incentive to preserve recoverability isn't running an extortion business the way human crews do. It's just capable of destruction at a speed and scale a person can't sustain.

The human SOC was never going to win this race

Hold the JADEPUFFER timeline against how a security operations center actually works. A failed-login-to-working-fix in 31 seconds. Six hundred payloads while an analyst is still reading the first alert. An attack that reasons and adapts in real time, around the clock, without fatigue.

Now the defender's side: an alert fires, waits in a queue, and eventually reaches an analyst who spends fifteen minutes investigating it by hand. Against a human attacker, that was a losing pace but a survivable one — the attacker also had to type, think, and rest. Against a machine operator, it isn't a race at all. The adversary completes its entire objective before the first alert is even triaged. You cannot staff your way out of this. There is no number of analysts that reacts in 31 seconds.

Machine speed is the only thing that answers machine speed

This is the future n0limit was built for, and JADEPUFFER is the proof it has arrived. If the attacker operates with no human in the loop, the defender cannot keep one in the critical path either — not as the bottleneck, anyway. The investigation itself has to happen at the attacker's speed.

That's the whole design. Every alert JADEPUFFER would have generated — the anomalous Python execution, the credential dump, the beacon, the forged Nacos session, the backdoor account, the first configuration deletions — is investigated the instant it appears, correlated against everything else, and resolved to a verdict in under 500 microseconds, with a reasoning trail an operator can audit after the fact. Containment fires while the attack is still unfolding, not after the post-mortem. The human moves from the critical path to oversight — reviewing verdicts and steering, instead of being the reason the response arrived too late.

Attackers moved to microseconds. The only honest response is to meet them there. A SOC that still puts a human keyboard between the alert and the action is bringing a fifteen-minute investigation to a thirty-one-second fight — and JADEPUFFER just showed everyone how that ends.

Related from The Signal

VISION From Reactive to Predictive: The Future of SecOps PRACTICAL DEFENSE One VM in. Every VM gone. THREAT RESEARCH Open the email. The attacker is now you.

Your adversary no longer types. Your defense can't either.

See n0limit investigate every alert to a verdict in under 500 microseconds — machine speed, for a machine-speed attacker.

Book a demo →