AI Runs the Whole Attack Now: The July 2026 Threat Roundup

Threat Intelligence Bulletin
Week of July 1 to July 8, 2026. Security researchers documented the first ransomware campaign run end to end by an autonomous AI agent, while a fresh SharePoint remote code execution flaw landed on CISA's exploited list. This bulletin covers what happened and what it means for how security programs are run. It contains analysis and context, not remediation instructions.
For two years the industry has debated how much artificial intelligence would change offensive operations. The debate mostly assumed AI would remain an assistant: drafting phishing lures, summarizing stolen data, speeding up a human operator who still made the decisions. The first full week of July 2026 produced the first credible evidence that the assumption is already out of date. An AI agent did not help run an attack. It ran the attack.
An AI agent ran a ransomware campaign by itself
The Sysdig Threat Research Team published its analysis of an operation it named JADEPUFFER, which it assesses to be the first documented case of ransomware driven end to end by a large language model agent rather than a human. The chain of events was not exotic. The agent gained initial access through a known remote code execution flaw in an internet-facing Langflow instance, harvested cloud and model-provider credentials, then used an older authentication bypass to reach a separate production database server and encrypt more than a thousand configuration items. Any competent human intruder could have done the same.
What made this different was the operator. According to Sysdig's write-up, the attack was saturated with the agent's own reasoning. More than 600 of the decoded payloads carried plain-language commentary explaining why each action was taken, including which database was the largest and which targets offered the best return. Human operators do not annotate disposable commands that way. Language models do it by default. When an administrator login failed, the agent diagnosed the cause and issued a working fix in roughly 31 seconds, with no human waiting to intervene. The system was not being steered. It was steering itself.
The significance is economic more than technical. As we argued when agentic exploitation first reached mid-market targets earlier this year, the meaningful shift is that the skill floor for running a campaign collapses to the cost of running an agent. When that agent operates on stolen model-provider credentials, the marginal cost to the attacker approaches zero. This is the machine-speed threat environment we described in our analysis of why a governance layer becomes the practical response to machine-speed threats. JADEPUFFER is that argument arriving as a case study.
Autonomous AI is now on both sides of your security program. Talk to a Z Cyber advisor about bringing AI systems into your risk register and control mapping.
Talk to an Advisor →A SharePoint flaw joined CISA's exploited list
The same week, CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog. It is a remote code execution vulnerability in Microsoft SharePoint Server, caused by deserialization of untrusted data, carrying a CVSS score of 8.8. CISA logged it on July 1 with evidence of active exploitation and set a July 4 remediation deadline for federal civilian agencies. It affects SharePoint Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, and an authenticated attacker with basic site-member permissions can exploit it over a network. SharePoint has been a durable target: the threat actor tracked as Storm-2603 has exploited SharePoint flaws since mid-2025 to deploy ransomware.
On its own, one more SharePoint entry on the KEV list is routine. Its relevance here is the pairing. JADEPUFFER is a story about who runs the attack. The SharePoint entry, and the near two thousand new vulnerabilities catalogued across the industry in that same opening week of July, is a story about how fast the raw material for attacks appears and gets weaponized. A maximum-severity authentication bypass in SimpleHelp remote support software and a memory-disclosure flaw in Citrix NetScaler rounded out a week where the gap between disclosure and exploitation kept shrinking. Combine a faster supply of exploitable flaws with an operator that never sleeps, never tires, and costs almost nothing to run, and the defensive question changes from whether you can respond in time to whether your program is continuously current in the first place.
What actually connects these stories
The thread running through the week is governance of autonomous systems, and it points in two directions at once. The outward-facing direction is the one JADEPUFFER makes vivid: AI is now a category of adversary capability, not a rumor about the future. The inward-facing direction is quieter and, for most mid-market companies, more urgent. The same agent frameworks that JADEPUFFER weaponized are being deployed inside ordinary businesses right now, often without inventory, ownership, or oversight. An organization that cannot name the AI systems operating inside its own environment is in a poor position to reason about the ones being turned against it. This is the discovery problem we examined in our work on shadow AI discovery and governance, and this week raised its stakes.
Governance is what closes both gaps at once, and it is not a new discipline invented for AI. It is the existing discipline of accounting for systems, controls, and exposure, extended to cover models and agents. The Govern function of NIST CSF 2.0 exists precisely to make an organization state who owns risk, how it is tracked, and how decisions get made, and it applies to AI systems as readily as to any other. The NIST AI Risk Management Framework gives that structure specifically for AI: a way to map, measure, and manage the AI operating in and around your business rather than leaving it as an ungoverned surface. Frameworks do not stop an autonomous attacker. They ensure that when one arrives, you are reasoning from a current picture of your own environment instead of guessing.
What this means for how a program is run
The practical takeaway for security leaders is not a new tool to buy. It is a shift in what a security program has to prove. Two points-in-time assessments a year cannot describe an environment where exploitation windows are measured in hours and the adversary is an agent that adapts in real time. The value moves to continuous monitoring, to evidence that stays current, and to a control picture that reflects the environment today rather than at the last audit. That is the case for treating security as an operating function rather than a periodic project, delivered through continuous executive advisory paired with a platform that keeps the picture live.
It also means AI systems belong in the same places everything else already lives. In the risk register, so exposure from autonomous systems is named and owned. In the control mapping, so AI use is tied to the frameworks you answer to. In the board reporting, so leadership understands that AI now sits on both sides of the program. This is the work of AI governance and of continuous threat exposure management, and the week of JADEPUFFER is the clearest argument yet for doing it before an incident forces the question.
The headline of the week is that an AI ran an entire ransomware campaign by itself. The more durable lesson is quieter. The organizations best placed for this environment are not the ones with the most tools. They are the ones that can prove their controls work on any given day, that know which AI systems operate inside their walls, and that treat governance as a live operating function rather than an annual event. That standard held before this week. JADEPUFFER simply made the cost of ignoring it easier to see.
Want a program that can prove its controls work on any given day, not just at audit time? Talk to Z Cyber about continuous advisory and AI governance.
Talk to an Advisor →Related resources
Frequently Asked Questions
What is JADEPUFFER?
JADEPUFFER is the name Sysdig's Threat Research Team gave to what it assesses as the first documented ransomware operation driven end to end by an autonomous large language model agent, rather than by a human operator running tools. The agent gained initial access through a known Langflow remote code execution flaw, harvested credentials, pivoted to a production database, and executed a destructive extortion playbook, with more than 600 of its own commands annotated in plain language explaining its reasoning.
Does agentic AI ransomware change what defenders need to worry about?
It changes the economics more than the mechanics. The individual techniques JADEPUFFER used were not new. What is new is that an autonomous agent chained them together, diagnosed its own failures, and fixed a broken login in about 31 seconds without a human in the loop. That collapses the skill and time required to run a campaign, which is why governance of both attacker-grade and internally deployed AI is moving from a compliance checkbox to an operational concern.
What is CVE-2026-45659 and why does it matter?
CVE-2026-45659 is a remote code execution vulnerability in Microsoft SharePoint Server caused by deserialization of untrusted data, carrying a CVSS score of 8.8. CISA added it to its Known Exploited Vulnerabilities catalog on July 1, 2026 with evidence of active exploitation, and set a July 4 remediation deadline for federal civilian agencies. It affects SharePoint Subscription Edition, 2019, and 2016, and an authenticated attacker with basic site permissions can exploit it.
How does AI governance relate to ransomware defense?
Ransomware defense has always depended on knowing your attack surface, your controls, and your exposure. AI governance extends that same discipline to autonomous systems: the models and agents deployed inside your own environment, the AI-driven tooling now used against you, and the frameworks that describe acceptable use. The NIST AI Risk Management Framework and the Govern function of NIST CSF 2.0 give organizations a structured way to account for these systems rather than treating them as ungoverned.
What should mid-market security leaders take from this week?
Two things. First, the pace of both exploitation and disclosure is accelerating, so the value of continuous monitoring and current evidence rises relative to point-in-time assessments. Second, autonomous AI is now on both sides of the ledger, which means AI systems belong in the same risk register, control mapping, and board reporting as everything else. Programs that can prove their controls work on any given day, not just at audit time, are the ones positioned for this environment.
Subscribe for Updates
Get cybersecurity insights delivered to your inbox.


