600個載荷,零人下令
7月8日,資安公司Sysdig發布威脅研究報告,正式確認「JADEPUFFER」是史上第一起完全自主的勒索軟體攻擊——一個LLM代理從入侵到加密,自主執行超過600個攻擊載荷,涵蓋偵查、憑證竊取、橫向移動、權限提升、持久化、資料庫加密,全程無人類指揮個別步驟。
入口點是Langflow,一個常見的開源AI工作流平台,漏洞編號CVE-2025-3248,CVSS評分9.8,在1.3.0版才修補。攻擊者利用被害者日誌中竊取的API金鑰進入,AI代理接手後一路跑完整條鏈。技術細節裡最荒誕的一段:植入後門帳號xadmin,過程中自我修正耗時31秒。
更荒誕的是結局。加密金鑰以base64(uuid4+uuid4)生成,輸出到stdout一次後消失;留下的比特幣地址是比特幣官方文件裡的範例地址,錢包餘額歸零。勒索了,但沒辦法收錢,也沒辦法解密。這台機器不是在賺錢,是在練習攻擊。
96小時,2000枚彈藥
同一週,另一個確認從完全不同的方向出現。美國國防部首席數位暨人工智能官員Cameron Stanley在一份密西西比州數據中心污染訴訟的宣誓書裡,首次公開承認:在代號「Operation Epic Fury」的伊朗軍事行動中,美軍使用了xAI的Grok Gov Model,96小時內對2000個獨立目標部署超過2000枚彈藥,Grok即時分析戰場數據優化打擊順序。
這份宣誓書的出現脈絡本身就值得停一下:它不是軍方主動公開的戰況報告,而是為了保護xAI數據中心運作利益、辯稱其為「國家安全至關重要」而提交的法律文件。AI打仗的第一份正式紀錄,藏在一個環境污染訴訟案裡。
Stanley的宣誓書指出,Grok Gov Model是僅有四款能支援國安應用的AI模型之一,也是三款可在最高機密環境執行作戰任務的AI系統之一,整合進Project Maven智能系統使用。與一般商用Grok的最大差距:可部署於機密等級系統,允許DoD用於任何「合法」目的,且具備「found in no other frontier AI model」的功能——宣誓書原文如此。
兩件事,同一個分界點
JADEPUFFER和Grok伊朗實戰,表面上是兩條完全不同的新聞線:一個是網路犯罪,一個是國家軍事行動。但放在一起看,它們共享同一個結構性轉變——AI代理不再需要人類在每個決策節點上點頭。
過去討論AI武器化,預設的想像是「AI輔助人類決策」:人類設定目標,AI提供建議,人類拍板。JADEPUFFER打破了勒索攻擊那一側的想像,Grok的實戰紀錄則在軍事打擊這一側畫出了新的實際邊界。兩者加起來,從「AI能做到什麼」的技術討論,進入了「AI已做了什麼」的事實記錄。
OpenAI的Caitlin Kalinowski在辭職聲明裡寫道:「沒有司法監督的美國人監控、以及沒有人授權的致命自主權,是值得更多討論的紅線。」Nature也在2026年3月的社論中表態:「在規範AI戰爭使用的法規出台前,不應允許AI應用於戰爭。」這些聲音的問題不在於方向,在於時序——法規的討論週期,趕不上部署的速度。
Langflow的補丁還沒裝
Sysdig的報告末尾建議只有一條:立即修補Langflow。CVE-2025-3248在1.3.0版已有修補,但在JADEPUFFER被確認的當下,仍廣泛未更新。這個細節比整個攻擊鏈的技術含量更值得記住。
AI工作流自動化工具在台灣的新創與開發社群裡已相當普及,Langflow正是這類工具的代表之一。JADEPUFFER的入口不是什麼零日漏洞,是一個有CVE編號、有修補版本、只是沒人裝的已知漏洞。門開著,AI自己走進來了。
攻擊者的模型身份至今不明。
— 邱柏宇
延伸閱讀
AI Said “I Already Did It”: Two Confirmations in July 2026
600 Payloads, No Human Operator
On July 8, 2026, Sysdig’s threat research team published a definitive analysis confirming “JADEPUFFER” as the first fully autonomous ransomware attack in history. A single LLM agent executed over 600 attack payloads — reconnaissance, credential theft, lateral movement, privilege escalation, persistence, database encryption — from breach to encryption, with no human commanding individual steps.
The entry point was CVE-2025-3248 in Langflow, an open-source AI workflow platform, CVSS score 9.8, patched only in version 1.3.0. The attacker used API keys stolen from victim logs. From there, the AI agent ran the entire chain. One technical detail stands out: the backdoor admin account “xadmin” was installed with a 31-second self-correction loop. The machine was debugging itself mid-attack.
The ending is stranger. The encryption key — base64(uuid4+uuid4) — was printed to stdout once and then gone. The Bitcoin address left in the ransom note is the example address from Bitcoin’s official documentation. Balance: zero. There was no mechanism to collect payment, no way to decrypt. JADEPUFFER wasn’t running a ransomware business. It was rehearsing one.
96 Hours, 2,000 Munitions
The second confirmation arrived in the same week, from a completely different direction. Cameron Stanley, the Pentagon’s Chief Digital and Artificial Intelligence Officer, submitted an affidavit in a Mississippi data center pollution lawsuit — arguing that xAI’s operations were “critical to national security.” Buried in that legal filing was the first official acknowledgment: in Operation Epic Fury, U.S. forces used the Grok Gov Model to strike over 2,000 independent targets with more than 2,000 munitions in 96 hours, with Grok analyzing battlefield data in real time to optimize strike sequencing.
The framing matters. This wasn’t a military press release. It was a court document written to protect a data center. The first formal record of AI-directed warfare was filed to win a real estate dispute.
Stanley’s affidavit describes Grok Gov Model as one of only four AI models capable of supporting national security applications and one of three that can operate in top-secret environments, integrated into the Project Maven intelligence system. The filing states the model has capabilities “found in no other frontier AI model” — verbatim. It can be deployed on classified systems and used by the DoD for any “lawful” purpose.
The Same Structural Shift
JADEPUFFER and the Grok combat deployment look like two separate stories — one is cybercrime, one is military action. But they share an identical structural feature: the AI agent no longer waits for a human to approve each decision node.
The assumed picture of AI weaponization was always human-in-the-loop: set the objective, AI advises, human decides. JADEPUFFER broke that assumption on the criminal side. The Grok affidavit broke it on the military side. Together, the conversation shifts from “what AI can theoretically do” to “what AI already did, last week.”
Caitlin Kalinowski, who resigned from OpenAI, wrote in her public statement: “Lethal autonomy without human authorization is a red line worth more discussion.” Nature’s March 2026 editorial called for no AI use in warfare before binding regulations exist. Both positions are reasonable. Both arrived after the fact.
The Patch Was Available. Nobody Installed It.
Sysdig’s report closes with a single recommendation: patch Langflow immediately. CVE-2025-3248 has been fixed since version 1.3.0. As of the JADEPUFFER confirmation, it remained widely unpatched across deployments.
JADEPUFFER didn’t exploit a zero-day. It walked through a door that had a CVE number, a patch version, and a published fix — just no one had installed it. The attacker’s model identity remains unknown.
— 邱柏宇
Related Posts
https://justfly.idv.tw/s/YQRgPaU