An autonomous AI agent ran a full ransomware attack through an unpatched AI workflow tool this week. AI orchestration just became load bearing infrastructure, and most teams have not started treating it that way.

The week's real story was not a new model or a cheaper price. It was the moment AI orchestration stopped behaving like a dev toy and started acting like production infrastructure, with all the security, capital, and dependency risk that word carries.

The catalyst was Jadepuffer, the first documented autonomous AI ransomware attack, published this week by Sysdig's threat team. An AI agent found an unpatched Langflow server on the open internet, swept its environment for API keys across every major AI and cloud provider, moved laterally into a production database, encrypted 1,342 records, and destroyed the originals. No human directed a single step. The encryption key was generated once, printed to a log, and thrown away, which means paying the ransom recovers nothing. The plain-English comments the agent left in its own code, narrating what it was doing and why, are the part I cannot stop thinking about. The attacker was a piece of software reasoning about a company it had never seen before. That is a new category of thing.

There is a comforting way to file this story, and it is wrong. The comforting way is to say Jadepuffer was a security incident, forward it to the CISO, and move on. It was not just a security incident. It was a reveal about what AI orchestration tools actually are. Every team that stood up Langflow, or n8n with AI connectors, or any of the drag and drop agent builders that made the rounds this year, put those tools on servers that hold the API keys to every AI account they own. Those servers were treated like sandbox software, patched on the same schedule as a Notion integration, when in fact they hold the credentials that let an attacker rent unlimited compute on your dime and pivot into your data. This week, that assumption cost somebody 1,342 records they will never see again.

Two more stories from the same seven days sit on top of this frame and get more legible when you put them next to it. Crusoe raised roughly $3 billion at a $30 billion valuation to keep building the physical compute layer everyone else's AI runs on. And the Fable 5 shutdown kept working its way through executive teams, because a frontier model going dark for 19 days on a government order does not stop being a lesson after a news cycle. Put Jadepuffer in the middle of those two and the shape becomes clear. Below the shiny app-layer commoditization we spent the spring celebrating, the substrate is doing three things at once: consolidating into fewer and larger builders, becoming legally conditional, and becoming an attack surface. Cheap capability on top, infrastructure risk underneath. That is the sentence, and the risk half of it kept moving this week while nobody was watching the price half.

Underneath that headline, the quieter theme of point-solution agents kept advancing. Synthflow put a voice agent on the phone that answers, qualifies, and books at 2 a.m. Fyxer took the inbox triage and reply drafting that an executive assistant used to carry. Neither is exotic. Both are honest about what job they replace, and both are priced against the salary they stand in for. If I had one strategic note for a leader on how to evaluate these tools in July, it would not be "what can it do." It would be "what job does it finish without me in the loop, and what does it cost per job compared to a human doing the same job at your average close rate." That is the question that has a budget answer. It is also the one that quietly promotes each of these tools from productivity software to a line item in your operating model, which is the same promotion Jadepuffer just forced onto the orchestration layer underneath them.

And in the same seven days, the open source side of the story kept eating the low end of the SaaS category. Flowise is a drag and drop agent builder without a per-editor Voiceflow seat. Docling turns messy PDFs and forms into clean structured data without an AWS Textract page bill. Both are excellent tools. Both are also, if you install them and forget about them, exactly the shape of Jadepuffer's next entry point. That is not a knock on the tools. It is the natural consequence of powerful, free, self-hostable software becoming the default for production workloads, run by teams that do not have a security engineer on staff. If you deploy the open source infrastructure, you also inherit the patch cycle and the access review that the SaaS vendor used to do for you, and that inheritance is not free.

Here is the contrarian read. The AI security story of the week is going to be filed under "AI attackers," and the framing will imply that the new bad actor is the AI itself. That misses it. The novel actor was software, but the failure mode was not exotic. It was the same failure mode that ate every insecure WordPress site in 2013: an internet-exposed piece of infrastructure with a public vulnerability and an unpatched deployment. What is new is not the attack. It is that AI tools have been onboarded by growth teams and marketing operations and agencies with a lower bar than any category before them, because the tools looked like productivity software and behaved like Zapier. They are not Zapier. They are servers with your credentials on them. The story to tell your team this week is not "AI is scary now." It is "the tools we bought for the marketing team are load bearing, and they need to be treated like it." That is a less exciting headline. It is the one that will actually change how you buy.

If you only have time for one thing this week, run a credential and patch audit on every AI orchestration tool anyone on your team has deployed. That means every Langflow, n8n, Flowise, Zapier AI, or similar server reachable from the public internet, plus every self-hosted agent builder someone stood up during a hackathon and forgot about. For each one, confirm the software is current, confirm no default credentials are in place, and rotate every API key stored in that environment. Then decide whether that server needs to be internet-facing at all, or whether it can sit behind a VPN. Most cannot justify the exposure once you ask the question out loud. This is a couple of hours of work, spread across whoever owns the tools. It is the cheapest insurance you will buy this quarter, and its value is that the next Jadepuffer, which will not be called Jadepuffer, does not find you at 2 a.m. on a weekend. Do not schedule the audit. Do it this week.

The week's headline was that an AI attacked a database. The week's actual news was that AI orchestration became the load bearing part of a lot of small companies' operations while nobody was calling it that out loud. The tools got in the door as productivity software, and they stayed as infrastructure. Infrastructure has a patch cycle. Ours does not have one yet.