Security & Supply ChainAI Agent

Self-Healing Attack and Defense in 31 Seconds: JADEPUFFER and the New Normal of AI Toolchain Security

31 Seconds to Take Control — the Traditional Defense Margin Is Shrinking

19:34:36. Inside the target server’s sandbox, a malicious Python script started running. It attempted to create a high-privilege admin account. But the attacker made a mistake in the bcrypt hash function arguments. The hash function returned nothing — just a null value. The system’s built-in security policy blocked the write, and the login failed.

In the past, a security engineer seeing this result would breathe a sigh of relief. Traditional defenses all bet on one thing: that attackers need time to troubleshoot. Hackers examine logs, find the cause, rewrite code — it usually takes tens of minutes. That window is the defense team’s golden opportunity for damage control. The security team can use the gap to isolate containers and cut network access. The security industry calls this time gap the “fault-tolerance dividend” of defense-in-depth.

Then, at 19:34:48, everything changed. The malicious agent process caught the login failure error. Its reasoning engine kicked in within milliseconds. It began inspecting the system’s PATH environment variable. 19:35:07. It identified the problem: a library call issue in the shell. It immediately rewrote the payload execution logic. Instead of invoking an external shell, it directly imported the module in memory. It removed the broken line of code. 19:35:18. The refactored payload submitted and ran. The system executed the code, the backdoor account was created, and the hacker gained full control. The entire process took only 31 seconds.

This wasn’t a lab exercise. It was a real attack-and-defense sequence recorded in a live enterprise victim environment. Sysdig’s security team documented the code-level details in their Sysdig original report.

Previous security strategies assumed hackers would make mistakes. But now the code-writing tools have become agent processes that find their own errors and fix them. They can diagnose and patch within seconds. The defense time window has been drastically compressed. This shows that the defense-in-depth fault-tolerance dividend — the one that relied on attacker mistakes — is shrinking.

Of course, this doesn’t mean agents are flawless. They still make astonishingly dumb logical errors. But when facing system errors with clear diagnostic answers, their repair speed is extremely fast. Traditional defense actions simply can’t keep up. The timeline below shows the 31-second exchange in detail.

The Model’s Hands: Toolchains Are Becoming the New Attack Surface

The attacker came through an unlocked door. That door was a vulnerability in Langflow, a popular LLM development framework. The vulnerability is tracked as CVE-2025-3248, with a top severity score of 9.8. In versions prior to 1.3.0, anyone could execute arbitrary code on the system without logging in. Detailed reproduction steps can be found in Horizon3’s CVE disclosure.

Although the official 1.3.0 release patched the vulnerability, many people never updated. According to Censys data from 2026, roughly 7,000 exposed nodes remain online. These unlocked doors gave the malicious agent its entry point.

Once inside, the attacker’s agent began rummaging through the server, rapidly completing the full attack chain from reconnaissance to destruction. In this attack path, over 600 malicious payloads were captured by Sysdig (Sysdig’s claim only, no independent verification). Here are the specific steps it executed:

This incident is a wake-up call for engineers building AI systems. The danger lies not in the brain, but in the hands. The vulnerability was not in the LLM’s neural network. The problem was in the external toolchain connected to it. It’s the toolchain that gives the agent its enormous executable behavior space. What caused real damage was the agent’s access to external credentials, databases, and networks.

The security community had already flagged this new attack surface. The well-known OWASP Agentic AI Top 10 lists such vulnerabilities as the top risk. The Cloud Security Alliance (CSA) has also released the MAESTRO assessment framework. The CrowdStrike 2026 GTR report reaches the same industry consensus, identifying AI toolchains and MCP as entirely new attack surfaces. JADEPUFFER is the first real-world case to demonstrate this full chain end to end.

Why did breaching this single door compromise the entire enterprise? The root cause is the extreme concentration of sensitive credentials. The node running Langflow centrally stores keys and certificates for various enterprise services. Once the attacker breached that single point, they effectively held the master key to the entire building.

According to estimates in the Sysdig LLMjacking report, a single stolen cloud service credential can cause up to $46,000 in losses per day. This forces us to reconsider the overall permission boundaries of our toolchains.

Hallucinated Payment Addresses and Real Database Destruction

Let’s read the ransom note the hacker left behind. Its contents are riddled with flaws, even comical. It bears unmistakable traces of LLM hallucination. According to BleepingComputer, the LLM’s hallucinations show up in three particularly absurd pieces of evidence:

But we cannot dismiss the threat just because the hacker was incompetent. Because real damage was done. The database was deleted. The configurations were wiped. The system was destroyed. The defender’s losses don’t shrink just because the hacker didn’t get paid.

According to CyberScoop, this attack wasn’t autonomously launched by AI. The real picture was human command plus agent execution. The human acted as the commander throughout: they selected the victim, set up the command-and-control network, and even fed the agent the database admin password. Once armed with the password and instructions, the agent handled the vast majority of the subsequent execution.

This human-machine collaboration pattern aligns perfectly with Anthropic’s security warnings. The Anthropic August 2025 report documented cases of AI-assisted hacker extortion. At the time, more than 17 organizations were victimized, with some extortion amounts exceeding $500k. The Anthropic November espionage report also detailed cases of intercepted AI-enhanced spy networks.

However, previous cases only involved exfiltrating data and threatening to expose it. They didn’t encrypt local data. JADEPUFFER is the first real-world attack that fully demonstrates an agent encrypting local data. It represents an escalation. Hackers are no longer satisfied with simply stealing data — they’ve begun using agents for direct destruction.

Self-Healing on the Command Line, and the New Bugs Unique to LLMs

Some say traditional defenses are now completely obsolete. That’s an exaggeration. Network isolation, least privilege, and audit logging remain the bedrock of security. These measures were never designed on the assumption that hackers would make mistakes. The fact that attackers used to get lost in complex configurations was just a free multi-stage defense dividend for the blue team.

Now, that dividend is indeed shrinking — because when agents encounter errors, they can read them, understand them, and automatically rewrite commands. In JADEPUFFER, there are two very typical examples of self-healing:

This ability to rapidly rewrite commands neutralizes traditional single-point blocking rules.

But this doesn’t mean hackers are now invincible. The vulnerabilities haven’t disappeared — they’ve just changed form. Simple syntax errors and configuration conflicts have become rarer, but LLM-specific problems — wrong targets, logical hallucinations, and irreversible damage — have become more common. The focus of defensive detection needs to shift accordingly.

Defenders can exploit these new flaws for more precise detection. Take self-documenting comments in code, for example. When a human hand-crafts a reverse shell, they never write comments. But when an LLM generates code, it defaults to including neatly formatted functional explanations. These natural-language comments become a unique fingerprint left by the agent, enabling security teams to detect threats with precision. The figure below compares traditional and agent-driven attack-defense dynamics.

What Builders Can Do — and What They Can’t

Let’s clarify one thing first. JADEPUFFER is not “an agent being attacked.” It’s “an agent being used to attack.” The entry point was a traditional vulnerability in Langflow. The agent’s role was post-exploitation efficiency amplification. This means two things.

First, traditional security baselines are not redundant. Least privilege, credential isolation, audit logging, never exposing code execution endpoints to the internet — these are things you should have been doing anyway. The Langflow CVE-2025-3248 patch has been out for over a year, and roughly 7,000 instances are still exposed. This isn’t a new problem. It’s an old problem left unaddressed. But if we stop at “just do your baselines right,” we’re sidestepping the genuinely new development.

Second, the new development is the speed gap. The agent compressed post-exploitation operations that would take a human tens of minutes into 31 seconds. Traditional SOC response cycles operate on the scale of minutes to hours. This means that even if you detect the intrusion, by the time your manual processes complete, the database is already wiped. You can’t close this speed gap by stacking firewalls.

So, what can builders actually do? The honest answer has two layers.

What you can do is cut off the front end of the amplification chain. Specifically, two things:

These two measures don’t require buying any product. They are architectural decisions. If you implement them, even if the entry point is breached, the agent won’t have enough ammunition to run the full attack chain.

What you can’t do is sub-second detection and automatic blocking. Agent behavioral patterns — rapid multi-tool probing within a short time, millisecond-level command rewriting after failure, credential enumeration — require real-time behavioral analysis to capture. Sysdig’s own product does exactly this: their Falco runtime detection can identify these patterns. But most builders lack the capacity to build such systems in-house. Praetorian’s AI-driven offensive security research shows that attacker-side agents, upon encountering EDR detections, can iterate into targeted variants within minutes — a pace the defense’s rule update cycle can’t match. The CrowdStrike 2026 GTR report notes that AI-enabled attacks have grown by 89%, with the fastest breach time shortened to 27 seconds. Relying on human response within a 27-second window is unrealistic.

This isn’t telling you to give up. It’s saying that security defense in the agent era is splitting into two tiers. The first tier is architectural decisions builders make themselves: isolate runtimes, remove credentials, tighten permissions. This tier offers the highest leverage at the lowest cost. The second tier is platform-level capability: runtime behavior detection, sub-second blocking, and agent-like behavioral sequence recognition. This tier requires specialized security products, and most organizations need to procure rather than build it.

Acknowledging this division of labor is more useful than pretending a “six-point action checklist” can solve the problem.