Find notable cyber news and cases, enriched with sources, timelines, and signals.

JADEPUFFER agentic Langflow ransomware campaign

Campaign
First reported
Last updated
Happening score
H score 26
2 unique sources, 2 articles

Summary

Hide ▲

The JADEPUFFER operation abused CVE-2025-3248 on an internet-facing Langflow instance and then escalated into a destructive database-extortion campaign against a production database server. The workflow was adaptive and fully automated, letting the operator retry and pivot toward the intended target. That combination of exploit-driven access and automated extortion increases the speed and resilience of the operation. It collapses access, targeting, and pressure tactics into a single attack chain.

Related Happenings

Reynolds side-loaded-loader and GotoHTTP ransomware campaign

Campaign
H score37 First: 10.02.2026 16:36 Last: 10.02.2026 16:36 Sources 1

About this happening: The **Reynolds** ransomware operation now shows **pre-deployment staging** and **post-deployment access tooling**, increasing the likelihood of persistent compromise on the target...

Timeline

  1. 03.07.2026 21:55 2 articles · 6d ago

    JADEPUFFER uses CVE-2025-3248 to extort a victim's production database server

    Initial Disclosure

    JADEPUFFER gained initial access to an internet-facing Langflow instance through CVE-2025-3248, then ran an adaptive and fully automated campaign that pivoted to the intended target and executed a destructive database-extortion playbook against the victim's production database server.

    Show sources