Researchers document the first ransomware run entirely by an AI agent
It narrated its own crimes in plain code comments, one reading 'High-ROI databases to drop,' before stealing credentials and wiping a database, Sysdig found.
- It broke in through a known Langflow flaw, then moved laterally and set up persistence on its own.
- Sysdig counted more than 600 payloads, each commented in plain language as an LLM does by default.
- The ransom key was never saved, so the wrecked data could not be recovered even if paid.
Why it mattersFor the first time the weapon narrates its own intent; the confession and the crime are now the same file.
Sysdig Threat Research Team ↗ · Jul 7, 2026 · ✓ Checked