Cybersecurity · Saturday, 4 July 2026
01 · Briefing · what happened
An AI agent ran a whole ransomware attack by itself — reading the room and improvising as it went
A criminal pointed an AI agent at a hacked server and let it work. It hunted for secrets, moved between machines, and locked up the data — reasoning in plain English at each step, with no human driving.
Key takeaways
- A criminal group let an AI agent run a full ransomware attack — hunting for passwords, moving between machines, and locking up data while reasoning in plain English, with almost no human at the keyboard.
- Crime is specialising like a business: separate gangs now trade stolen developer logins and ransomware, and even trusted AI coding tools carry critical flaws — so patching and unique passwords matter more, not less.
- A Medtronic breach exposed data on 3.8 million people including Social Security numbers and health details; if you're notified, take the free monitoring and treat any message that cites your medical history as a likely scam.
The line between a tool that attackers use and an attacker that runs itself just got blurrier. Security firm Sysdig published an analysis of a ransomware attack where the person barely showed up — an AI agent did the work.
An attack that thought for itself
Sysdig traced an intrusion by a group it calls JadePuffer, which broke into a server running Langflow — software for building AI workflows.
The unusual part came next. Instead of typing commands, the attacker handed the job to a large language model — the same kind of AI that powers chatbots — and let it operate.
What makes this more than a stunt is that the AI adapted. Sysdig said the agent left “natural-language commentary on each action” — it read what it found and adjusted, across sessions that were weeks apart.
The same idea, dressed as a business
The AI attack is one end of a broader shift: crime that runs like a supply chain. Sophos reported this week that a ransomware crew called Vect partnered with a separate credential-stealing group, TeamPCP, so one gang’s stolen developer logins feed straight into the other’s ransomware.
The numbers show why this matters. TeamPCP’s March attack on a widely used vulnerability scanner reportedly compromised 10,000 automated build pipelines and stole over 500,000 login credentials.
The tools developers trust are part of the surface too. Cato Networks disclosed two critical flaws (dubbed “DuneSlide”) in Cursor, a popular AI code editor, that could let a booby-trapped prompt run code on the developer’s own computer, outside the editor’s protective sandbox.
Old-fashioned crime, caught and unwound
Two reminders this week that the human plumbing behind these attacks is still traceable. Peter Stokes, 19, a dual US-Estonian citizen, was extradited to the US over alleged ties to Scattered Spider, a group known for talking its way past company help desks.
And in a bigger takedown, the FBI and Google dismantled NetNut, a service that secretly turned more than two million cheap Android smart TVs and streaming boxes into relays for criminal traffic.
What to do with your own accounts
For an ordinary person, the AI headline is a signal, not an alarm. The defences that stop these attacks are the same as ever: install updates promptly, use a unique password for every account, and turn on two-factor authentication wherever it is offered.
The concrete item this week is medical. Medtronic, the medical-device maker, said a breach exposed data on 3.8 million people, including names, dates of birth, Social Security numbers, and health information.
02 · Lesson · why it matters
What changes when you stop giving orders and start giving goals
Handing a task to something that decides its own next step buys you speed and reach — and quietly removes the pauses where a human used to catch the mistake.
A goal, not a script
Read the briefing carefully and one detail stands out. The attacker did not type the commands. Instead, they handed the AI a goal, get in, find value, lock it up, and let it choose each move on its own. It hunted for passwords, jumped between machines, and encrypted the data, adjusting as it went. The person mostly watched.
That is a different kind of act than we usually picture. A script is a list of instructions: do this, then this, then this. A goal is a destination: get me there, figure out how. For most of computing history, attacks were scripts. Someone had to know each step, in order. This was a goal.
The friction you don’t notice until it’s gone
When a human runs each step by hand, something useful happens between steps: they pause. They read what came back. They notice the thing that doesn’t fit. That pause is slow and annoying, and it is also where a lot of mistakes get caught — theirs and yours.
Delegating to something that acts on its own removes the pause. The agent read whatever it found on the target machine, made sense of it, and picked an action that only makes sense if it grasped what it was reading. No coffee break, no second-guessing, no getting bored at 2am. It just kept going, over sessions weeks apart, never losing the thread.
The gain and the cost are the same property. Speed comes from removing the pauses. So does the loss of the moment where a careful step would have gone differently.
You already do this every day
Here is where you are inside the story, not above it. You delegate goals to agents constantly. You tell a map app “get me home,” not “turn left, then right.” You ask an assistant to “book the cheapest flight,” not to compare each one yourself. You let software choose your next video. Each time, you trade the pause — your own attention on each step — for the reach of letting the machine handle it.
The attacker in the briefing was doing the same thing you do, aimed at harm. That is not a comfortable symmetry, but it is an honest one. The tool that plans your errand and the tool that ran the break-in are close cousins. What separated them was the goal it was pointed at, not the way it worked.
Why the barrier fell
The security firm said the plain part out loud: agents like this “significantly lower the barrier” for attacks. That phrase is the whole shift. It used to take real expertise to move through a network — knowing which flaw, which command, which pivot. That expertise was a wall. Not many people could climb it.
An agent that reasons its way through does not need you to be an expert. It needs a goal and a foothold. The wall that used to keep most people out is getting shorter — not because the flaws changed, but because the skill needed to exploit them moved into the tool. That is the same reason a scam kit turns one clever fraudster into thousands of copies: the hard part gets packaged, and then anyone can hold it.
Who this reaches, and how little any one seat sees
The reach doesn’t stop at the person who got hacked. The stolen passwords in the briefing feed a second gang’s ransomware. The hijacked smart TVs route a third group’s traffic. The exposed medical records make a fourth group’s phone scams sound real. Each act loosens a little slack that some stranger, far from the first crime, will feel — as a fraudulent call, a locked hospital system, a login that suddenly won’t work.
And no single seat sees the whole of it. The person who let the agent loose saw a goal reached. The company saw a locked server. Sysdig saw one intrusion and named it. The 3.8 million people in the Medtronic breach saw a letter. Nobody holds the full picture, because there isn’t one place to stand and see it. That is worth carrying, not as fear, but as a reason to hold your own certainty loosely — including the certainty that the next thing acting on your behalf is only ever working for you.
03 · Lab · your turn
The Leash on the Agent
Rehearse handing a goal to an autonomous helper and feel where the removed pause is exactly what would have caught the mistake.
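One way to rehearse this is to build the pause back in deliberately. The block below is an added example, not code from the briefing, from Sysdig, or from any product named on this page. It is a minimal "leash" for an autonomous helper: the planner is stood in for by a constructed list of proposed shell commands shaped like the arc the briefing describes, each proposal is classified, low-risk ones run, high-risk ones wait for a human to say yes, and every decision is logged with a hard cap on actions per session. The risk patterns, the `classify` function, the `Leash` class and the sample plan are all assumptions chosen for illustration, not anyone's real policy.

```python
"""Added example: a minimal 'leash' for an autonomous helper.

The planner is simulated by a constructed list of proposed shell commands;
a real agent would get these from a model. Every proposed action is classified,
low-risk ones run, high-risk ones wait for a human, and all of it is logged.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple
import re
import shlex

# Constructed policy, deliberately small. Assumed for illustration; tune for real use.
DESTRUCTIVE_RE = [re.compile(p) for p in (
    r"\brm\s+-\w*r\w*\b",                                        # recursive delete
    r"\b(openssl\s+enc|gpg\b.*--encrypt|shred|mkfs|dd\s+if=)",   # bulk encrypt or wipe
    r"\bcurl\b.*\|\s*(ba)?sh\b",                                 # pipe-to-shell
)]
SECRET_MARKERS = ("/etc/shadow", ".ssh/", ".aws/credentials", ".env", "id_rsa", "id_ed25519")
LATERAL_TOOLS = {"ssh", "scp", "psexec", "winrs", "nc", "ncat", "smbclient", "evil-winrm"}


def classify(action: str) -> Tuple[str, str]:
    """Return ("high", why) if the action should pause for a human, else ("low", why)."""
    for rx in DESTRUCTIVE_RE:
        if rx.search(action):
            return "high", f"destructive pattern {rx.pattern!r}"
    for marker in SECRET_MARKERS:
        if marker in action:
            return "high", f"touches secret material ({marker})"
    try:
        argv = shlex.split(action)
    except ValueError:
        return "high", "unparseable command line"
    if argv and argv[0].rsplit("/", 1)[-1] in LATERAL_TOOLS:
        return "high", f"lateral-movement tool ({argv[0]})"
    return "low", "no risky pattern matched"


@dataclass
class Decision:
    action: str
    risk: str
    reason: str
    outcome: str  # "ran" | "approved" | "denied"


@dataclass
class Leash:
    approve: Callable[[str, str], bool]   # the human pause: (action, reason) -> allow?
    execute: Callable[[str], None]        # runs an allowed action (stubbed in the demo)
    budget: int = 10                      # hard cap on actions per session
    audit: List[Decision] = field(default_factory=list)

    def step(self, action: str) -> Decision:
        if len(self.audit) >= self.budget:
            decision = Decision(action, "n/a", "session budget exhausted", "denied")
        else:
            risk, reason = classify(action)
            if risk == "low":
                self.execute(action)
                decision = Decision(action, risk, reason, "ran")
            elif self.approve(action, reason):
                self.execute(action)
                decision = Decision(action, risk, reason, "approved")
            else:
                decision = Decision(action, risk, reason, "denied")
        self.audit.append(decision)
        return decision

    def run(self, plan: List[str]) -> List[Decision]:
        return [self.step(action) for action in plan]


# Constructed plan in the shape the briefing describes (recon, credential hunt,
# lateral movement, encryption). Nothing here is taken from the Sysdig report.
CONSTRUCTED_PLAN = [
    "ls -la /var/www",
    "cat /var/www/app/.env",
    "ssh deploy@10.0.0.5",
    "openssl enc -aes-256-cbc -in /srv/data.db -out /srv/data.db.enc",
]


def demo(approver: Callable[[str, str], bool] = lambda action, reason: False) -> List[str]:
    """Push the constructed plan through the leash; returns outcomes in order."""
    executed: List[str] = []
    leash = Leash(approve=approver, execute=executed.append)
    return [d.outcome for d in leash.run(CONSTRUCTED_PLAN)]


if __name__ == "__main__":
    for action, outcome in zip(CONSTRUCTED_PLAN, demo()):
        print(f"{outcome:>8}  {action}")
```

With the default deny-all approver, only the harmless listing runs and the credential read, the hop to another machine and the encryption step all stop at the gate. The point is not to block the helper outright but to make the high-risk step wait for the person who used to be there anyway; the audit list and the per-session budget are what let you see, afterwards, where that pause mattered.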
04 · Hope · carry this
The same machines that can now run an attack on their own can just as easily run the defence — and behind every one of them, a careful person is still deciding which goal it serves.