JadePuffer: first fully autonomous AI agent ransomware, no human in the loop      M365 ROPC spray compromises 78 accounts at 64 organizations, MFA bypassed      DHS HSIN breach: sensitive federal intelligence-sharing platform accessed for weeks      JadePuffer: first fully autonomous AI agent ransomware, no human in the loop      M365 ROPC spray compromises 78 accounts at 64 organizations, MFA bypassed      DHS HSIN breach: sensitive federal intelligence-sharing platform accessed for weeks     
CyberSipTM
Intelligence without the noise
Issue No. 80
July 7, 2026
3 items · past 24h
<5 min read
Today's picture

Sysdig documented JadePuffer, the first confirmed ransomware operation run from entry to encryption by an AI agent with no human at the keyboard. A Huntress report on an 81-million-attempt Microsoft 365 password spray shows MFA bypassed at 64 organizations through a deprecated OAuth flow that most Conditional Access policies quietly leave uncovered. And DHS confirmed that the Homeland Security Information Network, the federal platform through which sensitive threat intelligence flows to tens of thousands of partners, was breached and sat undetected for several weeks.

Today's intelligence
3 items
01 Critical AI Agent Ransomware
JadePuffer: the first ransomware attack run start to finish by an AI agent, no human required
An LLM broke in, mapped the network, stole credentials, moved laterally, encrypted the database, and left a ransom note. No human issued a single command. The encryption key was discarded. Payment would not have recovered the data.
ActorJADEPUFFER (ATA)
Entry CVECVE-2025-3248
Langflow RCE
PublishedJuly 1, 2026
AffectsLangflow, MySQL,
Nacos deployments

Sysdig's Threat Research Team documented an operator named JADEPUFFER that exploited CVE-2025-3248, a critical unauthenticated remote code execution flaw in Langflow patched in April 2025 and in CISA's KEV catalog since May 2025, to gain code execution on an internet-facing AI orchestration server. From there, an LLM agent conducted the entire operation autonomously: system reconnaissance, environment variable scanning for API keys and cloud credentials, a MinIO object store enumeration using default credentials that had never been changed, credential harvesting, persistence via a 30-minute crontab beacon, and pivot to a separate production MySQL and Nacos server.

The agent exploited CVE-2021-29441 to forge Nacos administrator accounts, encrypted 1,342 Nacos configuration items using MySQL's native AES_ENCRYPT function, dropped the original tables, and created a README_RANSOM table containing a Bitcoin address and a contact email. The AES key was generated randomly, printed to stdout once, and never stored or transmitted. The data is permanently unrecoverable regardless of payment. The agent self-corrected in real time: in one sequence it went from a failed login to a working fix in 31 seconds. Its payloads contained natural language annotations explaining each step's reasoning, which Sysdig used to confirm LLM authorship.

The skill floor for running a complete ransomware operation has dropped to whatever it costs to run an LLM agent. JADEPUFFER used no novel techniques. It chained known weaknesses: an unpatched public CVE, default credentials, an exposed database admin account, weak egress controls. What changed is that an agent strung those pieces together autonomously at machine speed, self-correcting as it went. Any internet-facing AI orchestration tool, configuration service, or database with default or exposed credentials is now a viable target for a fully automated attack.
The encryption key was never saved. Paying the ransom would not have recovered the data. Sysdig notes this may reflect an LLM limitation: the agent lacked a pre-programmed plan to exfiltrate and preserve the key, so it was lost when stdout cleared. The attack functioned more as destruction than extortion. Any recovery plan that relies on paying a ransom is not a recovery plan when the attacker is an agent that does not know where it put the key.
  • Patch Langflow to a version that fixes CVE-2025-3248. Do not expose Langflow's code-execution or validation endpoints to the internet under any configuration.
  • Remove cloud provider API keys, database credentials, and AI service tokens from environment variables on any internet-facing AI orchestration server. Store secrets in a dedicated secrets manager.
  • Change Nacos's default token.secret.key and upgrade to a version that enforces a custom key. Remove Nacos from public internet exposure and remove root-level database access from the Nacos service account.
For years ransomware had a human somewhere in the loop. JADEPUFFER removes that assumption. The targets were neglected infrastructure: unpatched AI tools, default credentials, databases reachable from the internet. That backlog of ignored hygiene just became considerably more dangerous.
02 High Microsoft 365 MFA Bypass
81 million M365 login attempts bypassed MFA at 64 organizations using a deprecated OAuth flow
The ROPC auth flow sends credentials directly to the token endpoint with no MFA prompt. Most Conditional Access policies do not cover it. The attackers knew that.
VectorOAuth ROPC
via Azure CLI
Scale81M attempts
78 accounts hit
WindowJune 12–26, 2026
OriginLSHIY LLC
AS32167 (IPv6)

Huntress documented an automated password spray campaign running from June 12 to June 26 that generated more than 81 million authentication attempts against Microsoft 365 environments via the Azure CLI. The attacker used previously breached but never-rotated credentials from combo lists and validated them using the OAuth Resource Owner Password Credentials flow, a deprecated mechanism that sends a username and password directly to the /token endpoint and mints an access token without triggering an interactive MFA prompt. The campaign compromised 78 accounts across 64 organizations. Activity ceased after hosting provider LSHIY LLC terminated the accounts responsible for the IPv6 range in use.

Of the 23 businesses compromised during the June 22 spike, 15 had MFA implemented and enforced via Conditional Access Policy. Their MFA failed to fire because policies were scoped too narrowly: covering specific apps rather than all cloud apps, covering specific user groups rather than all users, or enforcing MFA only from untrusted locations. Eight impacted businesses had no MFA policy at all. Huntress reports that password spray volume across its customer base has increased by more than 155 times over the past six months, averaging 1,964 failed attempts per tenant per month.

MFA that does not cover all authentication flows is not MFA. ROPC bypasses the interactive authorization step where Conditional Access enforces its checks. Organizations that scoped their MFA to browser sign-ins or specific apps believed they were protected and they were not. The 155-fold increase in spray volume means this is not an isolated campaign. Credential spraying via legacy OAuth flows against M365 is now routine at industrial scale.
After successful login via ROPC, attackers in several cases created mailbox forwarding rules to exfiltrate email externally, searched SharePoint for financial documents, and attempted Azure resource enumeration. Account compromise was not the end goal. The session was used to establish persistent access and harvest organizational data. Any ROPC-sourced successful authentication in sign-in logs from June 12 to 26 should be treated as a confirmed compromise requiring full session review and credential rotation.
  • Configure Conditional Access policies to require MFA for All Users, All Cloud Apps, and All Client App types unconditionally. Do not scope to specific apps, user groups, or location conditions.
  • Enable the userStrongAuthClientAuthNRequired setting to enforce strong authentication at the client level, blocking ROPC token grants even when individual policies are misconfigured.
  • Review Azure AD sign-in logs for ROPC authentication attempts between June 12 and 26. Successful logins from the LSHIY AS32167 IPv6 range should be treated as confirmed compromises requiring credential rotation and full session review.
A Conditional Access policy that covers most authentication flows is not a Conditional Access policy. ROPC is deprecated, widely known to bypass MFA, and still available in most tenants by default. The attackers did not find a clever gap. They used the obvious one.
03 High Government Intelligence Sharing
DHS confirms breach of HSIN, the federal sensitive intelligence-sharing network, undetected for weeks
Attackers accessed the platform through which DHS shares threat intelligence with tens of thousands of federal, state, local, and private-sector partners and were not found for several weeks.
PlatformHSIN + SharePoint
collaboration system
Access windowLate May to
early June 2026
AttributionUnknown; under
investigation
Classified impactNone confirmed

DHS confirmed on July 2 that unknown threat actors breached the Homeland Security Information Network and an associated SharePoint collaboration system sometime between late May and early June 2026. HSIN is the federal government's primary platform for sharing sensitive but unclassified threat intelligence across federal, state, local, tribal, territorial, international, and private-sector partners. Attackers accessed HSIN servers and the SharePoint system before being detected. DHS isolated affected systems, launched a forensic investigation, and confirmed that classified networks were not impacted. Whether documents were exfiltrated remains under investigation.

The breach occurred during the run-up to the 2026 FIFA World Cup, which HSIN was being used to coordinate security planning across sixteen U.S. host cities. Senator Mark Warner called for DOJ and DHS investigations, saying the information in HSIN, while unclassified, is highly sensitive and its exposure risks national security. DHS has not publicly attributed the breach to any specific threat actor or nation-state.

HSIN concentrates sensitive but unclassified threat intelligence from across all tiers of U.S. government and critical infrastructure partners into a single platform with tens of thousands of users. An adversary with several weeks of undetected access would have had time to enumerate communities of interest, identify users by role and agency, and access operational security planning documents. The value is not the data in isolation. It is the map of who knows what and who coordinates with whom.
This is HSIN's third security incident in three years. In 2023, a contractor coding error set access permissions to "everyone," exposing sensitive intelligence to all HSIN users. In March 2026, more than 6,600 ICE records were exposed. In late May 2026, an external actor breached the platform. Each incident reflects a different failure mode on the same platform. Organizations that use HSIN for operational security planning should not assume the channel itself is clean.
  • Audit all HSIN-registered accounts in your organization and suspend dormant credentials. Review authentication logs for the late May through early June window for impossible-travel logins or access from unusual locations.
  • Contact your HSIN Community Manager for a formal breach impact assessment to understand which communities of interest you participate in and what content was accessible during the intrusion window.
  • Treat operational security planning documents shared via HSIN during the intrusion window as potentially known to the attacker when assessing current event security posture, particularly for World Cup venues still active through mid-July.
A trusted platform is only as trustworthy as its security posture, and HSIN's posture has now failed three times in three years. The breach did not need to reach classified systems to be operationally significant. The intelligence on HSIN is valuable precisely because it sits just below the classified threshold, accessible to thousands of partners who need it to do their jobs.
Cross-source standouts
01
The skill floor for autonomous cyberattacks just dropped. What changes is not the techniques but the economics.
JADEPUFFER used nothing novel: an unpatched CVE that had been in CISA KEV for over a year, default credentials on a storage server, an exposed database root account, a public CVE in a configuration service. What is new is that an LLM chained those pieces together without human direction, corrected its own failures in under a minute, and scaled the operation to a destructive conclusion. Sysdig puts the implication plainly: if the agent is running on stolen credentials acquired through LLMjacking, the cost to the attacker is near zero. The backlog of neglected internet-facing infrastructure that organizations have deferred patching or hardening is now considerably more exposed than it was last week. The targets JADEPUFFER chose were not high-security environments. They were the kind of AI tools and configuration services that get spun up quickly and never revisited.
02
The HSIN breach and the M365 ROPC spray both illustrate the same core problem: security controls that cover the expected path and miss the legacy one.
In the M365 campaign, organizations had MFA. It did not fire because the attacker used ROPC, a legacy OAuth flow that bypasses the interactive authorization endpoint where Conditional Access does its work. In the HSIN breach, DHS had a classified network boundary. The attacker did not need to cross it because the sensitive but unclassified platform sat on the other side with apparently weaker controls. In both cases the gap was not a zero-day or a sophisticated bypass. It was a known, documented alternative path that defenders had not closed. The pattern is consistent with what this brief has documented across 2026: Fortinet default credentials, stale OAuth grants, SharePoint vendor likelihood assessments overridden by CISA KEV. Attackers are not breaking the lock. They are walking through the door that was left open because it was not the main entrance.
Still watching
Days 2–5
Bad Epoll CVE-2026-46242 (Issue 79 · Linux ≥6.4) — 99% reliable local root, no workaround. Patch kernels from your distribution, prioritize multi-tenant environments and Android fleets.
Day 2
SharePoint CVE-2026-45659 (Issue 78 · CVSS 8.8) — CISA KEV, actively exploited. Apply Microsoft May 2026 updates. Audit Site Member accounts and server-side logs for unexpected process launches.
Day 4
Citrix NetScaler memory disclosure (Issue 79 · multiple CVEs) — CitrixBleed-style session memory leak, active scanning confirmed. Apply Citrix bulletin patches to all NetScaler ADC and Gateway appliances.
Day 2
FortiBleed / INC Ransom / Lynx (Issue 79) — confirmed ransomware pipeline. Hunt for adminin backdoor account. Complete FortiGate firmware patch, session invalidation, and credential rotation.
Day 2