Somewhere in the middle of a breach this month, an attacker hit a failed login. Nothing unusual about that — credentials are wrong all the time. What happened next is the part that should stop you cold: the attacker diagnosed the failure, adjusted its parameters, and turned that failed login into a working one in 31 seconds. No coffee break. No handoff to a teammate. No pause to read documentation. Thirty-one seconds, and back on the offensive.
The attacker wasn't a person. It was software, running the entire operation end to end — and it is the clearest picture yet of the adversary your SOC is now up against.
An attack with no human in it
In early July 2026, Sysdig documented an operation it named JADEPUFFER — believed to be the first ransomware attack carried out start to finish by an autonomous machine operator rather than a human at a keyboard. It broke in, mapped the environment, harvested credentials, moved laterally, and destroyed the target — and every decision along the way was made by the machine, in real time.
The entry point was CVE-2025-3248, a missing-authentication flaw in the internet-facing Langflow platform that lets an unauthenticated attacker run arbitrary Python on the host. From there the operation unfolded at a pace no human team could match:
- Break in & harvest Base64-encoded Python payloads through the vulnerable endpoint. It mapped the host, dumped Langflow's database, and hunted for cloud keys, database logins, wallets, and config files — then set a crontab beacon to its infrastructure every 30 minutes.
- Pivot & forge It pivoted to a production database running MySQL and Alibaba's Nacos config service, abused an old authentication weakness, forged access with a default signing key, and created a backdoor administrator account.
- Destroy It encrypted all 1,342 Nacos configuration items and deleted the originals — escalating on its own from deleting individual rows to dropping entire database schemas, narrating its own targeting rationale as it went.
In total: more than 600 distinct, purposeful payloads in a compressed window, an operation that re-attempted failed steps within refined parameters and adapted on the fly. This wasn't a fixed script rattling through a checklist. It was an adversary thinking — at machine speed.
For twenty years the attacker's one hard limit was that a human had to be driving. That limit is gone. The keyboard is now optional, and the clock just collapsed.
The cruelest detail
There's a twist that reframes the whole incident. The encryption key JADEPUFFER generated was essentially random, printed to the screen once, and never saved or transmitted anywhere. Which means the victim cannot recover the encrypted data — even if they pay. Whether that was a mistake or the point, it doesn't matter to the outcome: an autonomous operator with no incentive to preserve recoverability isn't running an extortion business the way human crews do. It's just capable of destruction at a speed and scale a person can't sustain.
The human SOC was never going to win this race
Hold the JADEPUFFER timeline against how a security operations center actually works. A failed-login-to-working-fix in 31 seconds. Six hundred payloads while an analyst is still reading the first alert. An attack that reasons and adapts in real time, around the clock, without fatigue.
Now the defender's side: an alert fires, waits in a queue, and eventually reaches an analyst who spends fifteen minutes investigating it by hand. Against a human attacker, that was a losing pace but a survivable one — the attacker also had to type, think, and rest. Against a machine operator, it isn't a race at all. The adversary completes its entire objective before the first alert is even triaged. You cannot staff your way out of this. There is no number of analysts that reacts in 31 seconds.
Machine speed is the only thing that answers machine speed
This is the future n0limit was built for, and JADEPUFFER is the proof it has arrived. If the attacker operates with no human in the loop, the defender cannot keep one in the critical path either — not as the bottleneck, anyway. The investigation itself has to happen at the attacker's speed.
That's the whole design. Every alert JADEPUFFER would have generated — the anomalous Python execution, the credential dump, the beacon, the forged Nacos session, the backdoor account, the first configuration deletions — is investigated the instant it appears, correlated against everything else, and resolved to a verdict in under 500 microseconds, with a reasoning trail an operator can audit after the fact. Containment fires while the attack is still unfolding, not after the post-mortem. The human moves from the critical path to oversight — reviewing verdicts and steering, instead of being the reason the response arrived too late.
Attackers moved to microseconds. The only honest response is to meet them there. A SOC that still puts a human keyboard between the alert and the action is bringing a fifteen-minute investigation to a thirty-one-second fight — and JADEPUFFER just showed everyone how that ends.
REFERENCES
Sysdig — JADEPUFFER: automated database extortion (original research) → The Hacker News — Autonomous operator exploits Langflow RCE to automate a ransomware attack → SecurityAffairs — JADEPUFFER: first end-to-end machine-driven ransomware operation → Dark Reading — JADEPUFFER: the first complete machine-driven ransomware attack →Related from The Signal
Your adversary no longer types. Your defense can't either.
See n0limit investigate every alert to a verdict in under 500 microseconds — machine speed, for a machine-speed attacker.
Book a demo →Get The Signal in your inbox
Practitioner-level threat intel, delivered when it matters.