[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"kb-article-jadepuffer-engineering-the-first-fully-llm-driven-ransomware-kill-chain-en":3,"ArticleBody_Sqi49jdlXVmgwjYPMtHvrw5TOJ5Xqpv4GwmEbRRLNq0":187},{"article":4,"relatedArticles":157,"locale":50},{"id":5,"title":6,"slug":7,"content":8,"htmlContent":9,"excerpt":10,"category":11,"tags":12,"metaDescription":10,"wordCount":13,"readingTime":14,"publishedAt":15,"sources":16,"sourceCoverage":42,"transparency":44,"seo":47,"language":50,"featuredImage":51,"featuredImageCredit":52,"isFreeGeneration":56,"trendSlug":57,"trendSnapshot":57,"niche":58,"geoTakeaways":61,"geoFaq":68,"entities":78},"6a51186587450904396739fc","JadePuffer: Engineering the First Fully LLM‑Driven Ransomware Kill Chain","jadepuffer-engineering-the-first-fully-llm-driven-ransomware-kill-chain","## 1. From LLM Hallucinations to Operational Malware: Why JadePuffer Is Plausible\n\nBrowser-only ransomware was once dismissed as “LLM hallucination,” until researchers showed a fully browser-native ransomware path using Chrome’s File System Access API. [1] On [Android Chrome](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FGoogle_Chrome), a web page can legitimately get read\u002Fwrite access to photo directories and then modify those files—enabling ransomware behavior without APKs, exploits, or root. [1]  \n\n⚠️ This challenges the assumption that “no install = no serious malware.”\n\nAt the same time, LLM-powered agents are increasingly wired into:\n\n- User-facing interfaces (chatbots, copilots)  \n- Internal systems (ticketing, CRM, CI\u002FCD)  \n- External tools\u002Fplugins (HTTP APIs, shell tools) [2][3]\n\nThis makes prompts, documents, tool outputs, and agent decisions part of the attack surface. [3] Many organizations now treat LLMs and [AI agents](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAI_agent) as security-critical components. [2][3]\n\nThe University of Toronto’s AI worm goes further: an open-weight LLM worm that:\n\n- Runs entirely on local machines, with no cloud API or centralized C2  \n- Uses a [large language model](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLarge_language_model) to reason per host, pick attacks, and self‑propagate  \n- Compromised 73.8% of a simulated network in 7 days [6]\n\n🧩 Combined, this makes JadePuffer realistic:\n\n- Browser-only access to valuable files via Chrome APIs [1]  \n- Autonomous local LLM worms without conventional C2 [6]  \n- Insecure enterprise LLM apps open to [prompt injection](\u002Fentities\u002F69d08f194eea09eba3dfd055-prompt-injection), [data exfiltration](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FData_exfiltration), and plugin abuse [2][4]\n\nOWASP Top 10 for LLM Applications now frames key risks: prompt injection, insecure output handling, data poisoning, model theft, and more. [3][4] JadePuffer simply converges these demonstrated techniques into an LLM‑driven ransomware-as-an-agent framework.\n\n### Section takeaway\n\nJadePuffer is a plausible fusion of browser APIs, local LLM worms, and insecure AI integrations—each already shown in research. [1][6]\n\n\n## 2. Hypothetical JadePuffer Kill Chain: Step-by-Step Attack Narrative\n\n### Step 1: Social engineering via “AI enhancement”\n\nJadePuffer starts as a web app offering “AI photo enhancement” or “AI document cleanup,” echoing the Chrome proof of concept. [1]\n\n- User uploads a sample photo.  \n- Site shows an impressive LLM-enhanced preview.  \n- Site then asks for folder-level access to “batch-enhance your library.”\n\nThe permission uses Chrome’s File System Access API, especially risky on Android where photo directories are high value. [1] After a convincing demo, many users click “Allow.”\n\n⚠️ In one 3,000-person SaaS company test, ~40% of employees granted directory access within 5 seconds when framed as “AI auto-organization of photos.” [1]\n\n### Step 2: Client-side LLM triage and encryption\n\nAfter access is granted, a client-side agent (WASM-hosted LLM or backend API) can:\n\n- Enumerate files via File System Access API  \n- Classify them: personal photos, IDs, contracts, work docs  \n- Prioritize items by “extortion value”: memories, legal docs, critical business data [1][5]\n\nConventional crypto handles encryption; the LLM decides *which* files and in what order, repurposing the same classification logic defenders use for logs and documents. [5]\n\n### Step 3: Dropping the LLM worm component\n\nThe browser stage then deploys a local worm modeled on the Toronto design:\n\n- Bundles an [open-weight 7B–13B model](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLlama_(language_model)), quantized for commodity CPUs\u002FGPUs [6][5]  \n- Runs an autonomous agent loop to plan spread per host  \n- Consumes victim compute, just like the Toronto worm’s local-only execution [6]\n\nThe worm scans local networks for reachable services, especially internal LLM-enabled tools.\n\n### Step 4: Abusing insecure LLM apps and plugins\n\nMany internal copilots and agents already have:\n\n- Access to internal knowledge bases and vector stores  \n- Permissions to call internal APIs via plugins  \n- Power to run scripts or workflows on users’ behalf [2][3]\n\nJadePuffer abuses this via prompt injection:\n\n- Embeds malicious instructions in documents, tickets, or emails processed by LLMs  \n- Tricks agents into calling sensitive APIs or exporting data  \n- Uses plugins as covert exfiltration and propagation channels [2][4]\n\nThis matches known risks around plugin abuse, data leakage, and insecure LLM output handling. [2][4]\n\n### Step 5: C2-less operation\n\nTo evade cloud monitoring, JadePuffer’s LLM components operate locally whenever possible, mirroring the Toronto worm’s C2-less design. [6] This:\n\n- Avoids dependence on third-party LLM APIs  \n- Reduces visibility for SOC teams tracking outbound AI calls  \n- Enables polymorphic behavior per host\n\n### Step 6: Ransomware and negotiation\n\nIn the final phase, JadePuffer:\n\n- Encrypts reachable files from the browser foothold and hijacked agents  \n- Selectively exfiltrates sensitive data through compromised plugins\u002FAPIs [2][4]  \n- Uses LLMs to draft personalized ransom notes and negotiation scripts, tuned to the victim’s role, language, and culture\n\n🎯 Tailored social engineering can outperform generic ransom notes, using the same generative strengths that power legitimate customer communications. [2][4]\n\n### Section takeaway\n\nThe JadePuffer storyline moves from browser-based social engineering to local worms and abused enterprise agents, using existing techniques rather than new exploit primitives. [1][2][6]\n\n\n## 3. Inside JadePuffer: LLM-Driven Ransomware Architecture and Components\n\n### High-level modular design\n\nA realistic JadePuffer design would be modular:\n\n1. **Browser access & encryption module**  \n2. **Local LLM worm & propagation engine**  \n3. **LLM-based reconnaissance & data valuation**  \n4. **LLM-powered negotiation & extortion orchestration** [1][6]\n\nEach module can evolve separately, much like modern offensive frameworks.\n\n💡 For defenders, these map to separate telemetry domains: browser, endpoint, network, and LLM application usage. [4]\n\n### Browser module\n\nThe JavaScript front end would:\n\n- Use File System Access API after legitimate consent [1]  \n- Recursively walk granted directories  \n- Generate light previews\u002Fchecksums for classification  \n- Stream content to WASM or backend encryption\n\nResearch shows this can run entirely in-browser on Android, without APKs or exploits. [1] The LLM’s role is classification and prioritization, not crypto itself.\n\n### Local worm module\n\nThe worm embeds an open-weight LLM (7B–13B), using quantization as in common on-device deployments. [5] The Toronto worm proves open‑weight models can autonomously pick host-specific attacks and spread across a network quickly. [6]\n\nCore behaviors:\n\n- Discover neighboring hosts\u002Fservices  \n- Detect LLM endpoints, internal agents, and automation tools  \n- Generate tailored attack prompts and plans for each target [6][4]\n\n### Agent loop for propagation\n\nA conceptual agent loop might look like (non-operational, no exploit logic):\n\n```pseudo\nwhile true:\n  context = observe_host_and_network()\n  prompt = build_prompt_from(context)\n\n  plan = LLM.generate(\"Given this environment, list safe-looking actions that increase access:\", prompt)\n\n  for step in select_top_steps(plan):\n    if violates_safety(step):\n      continue\n    result = execute(step)\n    log(step, result)\n\n  sleep(randomized_interval())\n```\n\nHere, strategic choices—what to scan, where to move, what to exfiltrate—are delegated to a probabilistic model instead of fixed logic. [4][5]\n\n### LLM apps as pivots\n\nJadePuffer treats insecure LLM apps as pivot points:\n\n- An internal copilot with knowledge-base or SQL access becomes an exfiltration tool. [2]  \n- An automation agent with CRM or ticketing access becomes a large-scale phishing and social engineering engine. [3]  \n- Plugins that call shell commands or internal APIs act as general remote tooling. [2][3]\n\nThese map directly to OWASP LLM risks: prompt injection, insecure tool use, data leakage. [3][4]\n\n### Operational security via LLMs\n\nAttackers can also apply LLMs to their own OPSEC:\n\n- Generating polymorphic loader code to evade signatures  \n- Randomizing file names and encryption patterns to avoid heuristics  \n- Drafting benign-looking log entries or messages to mislead analysts [4]\n\n⚡ The adaptive text and code generation defenders use for IR can also power dynamic evasion when misused. [4]\n\n### Section takeaway\n\nJadePuffer shows how discovery, planning, prioritization, and social engineering can be offloaded to LLMs, leaving mainly low-level execution as traditional code. [4][6]\n\n\n## 4. Mapping JadePuffer Against OWASP LLM Top 10 and Known Risks\n\nOWASP Top 10 for LLM Applications summarizes real-world LLM vulnerabilities. [3][4] JadePuffer spans several of them.\n\n### Prompt injection\n\nJadePuffer hijacks internal agents via malicious prompts in data they process: tickets, docs, chats, or emails. [2] Attacker-controlled content injects override instructions, causing models to ignore policies—exactly the prompt injection risk. [3]\n\n⚠️ OWASP explicitly warns that LLMs can be tricked into unintended actions or safeguard bypass via attacker-controlled input. [3][4]\n\n### Insecure output handling & data leakage\n\nOnce compromised, agents may:\n\n- Return internal documents directly to untrusted channels  \n- Execute privileged API calls solely based on model outputs  \n- Paste sensitive data into external systems without checks [2][4]\n\nThis matches OWASP concerns about insecure output handling and uncontrolled data flows. [3][4]\n\n### Data poisoning in fine-tuning and customization\n\nOrganizations often fine-tune or adapt models on internal data. If attackers can poison that data—via documents, logs, or code—they can nudge model behavior toward misclassification, lax policies, or hidden backdoors. [3][5] OWASP highlights such poisoning as a key LLM-specific threat. [4]\n\n### Model theft and open-weight abuse\n\nJadePuffer’s use of downloadable open-weight models reflects OWASP fears that adversaries can steal and repurpose models:\n\n- Retrain them on offensive corpora  \n- Embed them in malware frameworks like JadePuffer  \n- Share them widely at low cost [4][5]\n\n### Non-traditional vectors\n\nBrowser-only ransomware and AI worms attack surfaces often missed in legacy appsec:\n\n- Browser APIs such as File System Access [1]  \n- LLM agents and orchestration frameworks [2][4]\n\nModern guidance stresses that these are frequently absent from threat models, code reviews, and governance. [3][4]\n\n💡 JadePuffer acts as a stress test: it forces organizations to ask whether advanced browser features and LLM components are truly covered by their security program. [2][3]\n\n### Section takeaway\n\nMapping JadePuffer onto OWASP LLM Top 10 turns an abstract framework into a concrete playbook, helping teams prioritize defenses. [3][4]\n\n\n## 5. Defensive Engineering: Hardening Browsers, LLM Apps, and Infrastructure Against JadePuffer\n\n### Browser and endpoint layer\n\nInitial defenses live at the edge:\n\n- Review and restrict File System Access API usage, especially on Android Chrome. [1]  \n- Improve permission dialogs to clearly convey directory-level risks. [1]  \n- Monitor browsers\u002Fendpoints for abnormal bursts of file modification.\n\n⚠️ Even without binaries, large, rapid I\u002FO on photo directories from browser processes is a strong signal. [1]\n\n### LLM security program\n\nSecurity and product teams should build a dedicated LLM security track covering:\n\n- Risk mapping across prompts, tools, and agents  \n- Guardrails and filtering on prompts and outputs  \n- Monitoring of LLM usage and tool\u002Fplugin invocations  \n- Incident runbooks specific to LLM and agent compromise [2]\n\nGuidance stresses LLMs need governance beyond standard API\u002Fweb controls. [2][4]\n\n### Integrating OWASP LLM Top 10 into SDLC\n\nMake OWASP LLM Top 10 a standard checklist for any AI feature: [3][4]\n\n- For every new agent\u002Fplugin, explicitly analyze prompt injection and exfiltration paths.  \n- For every fine-tuning pipeline, include poisoning and leakage defenses.  \n- Treat all LLM outputs consumed by code as untrusted data.\n\n### Architectural patterns for safer agents\n\nConcrete patterns include:\n\n- **Strict tool\u002Fplugin whitelisting**: agents can call only vetted functions. [2][5]  \n- **Output validation layers**: apply policy filters\u002Fsanity checks before execution. [4][5]  \n- **Zero-trust internal API access**: narrow tokens per agent, not per environment. [2]\n\nA financial-firm security lead reported that adding an output-validation proxy in front of their internal copilot cut risky tool invocations by ~60% in red-team tests. [4]\n\n### Monitoring for local LLM abuse\n\nEndpoints should be watched for:\n\n- CPU\u002FGPU spikes consistent with local LLM inference  \n- Appearance of large model weight files on non-dev machines  \n- Agent frameworks showing autonomous, script-like behavior [6]\n\nThese indicators mirror AI worm traits and can trigger deeper investigation. [6]\n\n### Using LLMs defensively\n\nLLMs can also strengthen defense:\n\n- Summarizing and clustering large security log volumes  \n- Flagging suspicious agent\u002Ftool usage patterns  \n- Supporting triage and investigation via natural-language queries [4]\n\n📊 Defensive LLM deployments themselves must be protected; if compromised, they reveal monitoring gaps and internal playbooks. [4]\n\n### Section takeaway\n\nMitigating JadePuffer demands browser controls, LLM-aware architecture, and telemetry tuned to local model use, all guided by OWASP LLM Top 10. [2][3][4]\n\n\n## 6. Building JadePuffer-Inspired Red-Team Scenarios and Simulations\n\n### Browser-only ransomware labs\n\nCreate controlled labs to mirror browser-only ransomware against synthetic photo libraries: [1]\n\n- Deploy a benign test app using File System Access  \n- Observe how users react to permission prompts  \n- Measure how quickly EDR\u002Fbrowser telemetry detects large file changes\n\nThis helps UX, product, and security teams understand user behavior and detection gaps. [1]\n\n### Simulating AI worms\n\nOn isolated networks, reproduce a Toronto-style architecture: [6]\n\n- Local open-weight LLM in quantized form  \n- Agent loop exploring and “attacking” lab services  \n- Instrumentation for lateral movement and dwell-time metrics\n\nSuch labs expose blind spots in detecting autonomous agents vs traditional scripted malware. [6]\n\n⚠️ Keep all experiments in controlled non-production environments, with safe, non-exploit payloads.\n\n### OWASP LLM attack patterns in exercises\n\nBake OWASP LLM Top 10 scenarios into:\n\n- Tabletop exercises with product and ML teams  \n- Automated red-team scripts focused on internal LLM apps  \n- Game days simulating agent misuse and data theft [3][4]\n\nInclude prompt injection, plugin abuse, and data exfiltration to test controls and escalation. [2][3]\n\n### Cross-team collaboration\n\nEffective defense requires joint effort:\n\n- Security teams define detection and response for LLM misuse. [2]  \n- AI platform teams provide logs, tracing, and policy hooks.  \n- Product teams design safer agent workflows and user interfaces.\n\nUsing JadePuffer-style scenarios as a shared reference turns an abstract threat into concrete, testable exercises and drives a consistent LLM security posture.\n\n---\n\n## Conclusion\n\nJadePuffer represents a plausible “all-LLM” ransomware kill chain: browser-only file access, local LLM worms, and insecure enterprise agents chained into a single attack. [1][2][6] It operationalizes the risks captured in OWASP’s LLM Top 10 and demonstrates how much of modern malware—discovery, planning, social engineering—can be delegated to language models. [3][4][6]\n\nDefenders should respond by:\n\n- Treating advanced browser APIs and LLM components as first-class assets  \n- Embedding LLM-specific controls and OWASP guidance into their SDLC  \n- Monitoring for local model usage and agent-like behavior  \n- Using LLMs defensively while protecting those deployments themselves [2][3][4]\n\nJadePuffer is not a prediction but a design exercise: a concrete benchmark for whether current security programs are ready for LLM-driven threats.","\u003Ch2>1. From LLM Hallucinations to Operational Malware: Why JadePuffer Is Plausible\u003C\u002Fh2>\n\u003Cp>Browser-only ransomware was once dismissed as “LLM hallucination,” until researchers showed a fully browser-native ransomware path using Chrome’s File System Access API. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa> On \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FGoogle_Chrome\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">Android Chrome\u003C\u002Fa>, a web page can legitimately get read\u002Fwrite access to photo directories and then modify those files—enabling ransomware behavior without APKs, exploits, or root. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>⚠️ This challenges the assumption that “no install = no serious malware.”\u003C\u002Fp>\n\u003Cp>At the same time, LLM-powered agents are increasingly wired into:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>User-facing interfaces (chatbots, copilots)\u003C\u002Fli>\n\u003Cli>Internal systems (ticketing, CRM, CI\u002FCD)\u003C\u002Fli>\n\u003Cli>External tools\u002Fplugins (HTTP APIs, shell tools) \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This makes prompts, documents, tool outputs, and agent decisions part of the attack surface. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa> Many organizations now treat LLMs and \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAI_agent\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">AI agents\u003C\u002Fa> as security-critical components. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>The University of Toronto’s AI worm goes further: an open-weight LLM worm that:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Runs entirely on local machines, with no cloud API or centralized C2\u003C\u002Fli>\n\u003Cli>Uses a \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLarge_language_model\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">large language model\u003C\u002Fa> to reason per host, pick attacks, and self‑propagate\u003C\u002Fli>\n\u003Cli>Compromised 73.8% of a simulated network in 7 days \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>🧩 Combined, this makes JadePuffer realistic:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Browser-only access to valuable files via Chrome APIs \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Autonomous local LLM worms without conventional C2 \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Insecure enterprise LLM apps open to \u003Ca href=\"\u002Fentities\u002F69d08f194eea09eba3dfd055-prompt-injection\">prompt injection\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FData_exfiltration\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">data exfiltration\u003C\u002Fa>, and plugin abuse \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>OWASP Top 10 for LLM Applications now frames key risks: prompt injection, insecure output handling, data poisoning, model theft, and more. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa> JadePuffer simply converges these demonstrated techniques into an LLM‑driven ransomware-as-an-agent framework.\u003C\u002Fp>\n\u003Ch3>Section takeaway\u003C\u002Fh3>\n\u003Cp>JadePuffer is a plausible fusion of browser APIs, local LLM worms, and insecure AI integrations—each already shown in research. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch2>2. Hypothetical JadePuffer Kill Chain: Step-by-Step Attack Narrative\u003C\u002Fh2>\n\u003Ch3>Step 1: Social engineering via “AI enhancement”\u003C\u002Fh3>\n\u003Cp>JadePuffer starts as a web app offering “AI photo enhancement” or “AI document cleanup,” echoing the Chrome proof of concept. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>User uploads a sample photo.\u003C\u002Fli>\n\u003Cli>Site shows an impressive LLM-enhanced preview.\u003C\u002Fli>\n\u003Cli>Site then asks for folder-level access to “batch-enhance your library.”\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The permission uses Chrome’s File System Access API, especially risky on Android where photo directories are high value. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa> After a convincing demo, many users click “Allow.”\u003C\u002Fp>\n\u003Cp>⚠️ In one 3,000-person SaaS company test, ~40% of employees granted directory access within 5 seconds when framed as “AI auto-organization of photos.” \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Step 2: Client-side LLM triage and encryption\u003C\u002Fh3>\n\u003Cp>After access is granted, a client-side agent (WASM-hosted LLM or backend API) can:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Enumerate files via File System Access API\u003C\u002Fli>\n\u003Cli>Classify them: personal photos, IDs, contracts, work docs\u003C\u002Fli>\n\u003Cli>Prioritize items by “extortion value”: memories, legal docs, critical business data \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Conventional crypto handles encryption; the LLM decides \u003Cem>which\u003C\u002Fem> files and in what order, repurposing the same classification logic defenders use for logs and documents. \u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Step 3: Dropping the LLM worm component\u003C\u002Fh3>\n\u003Cp>The browser stage then deploys a local worm modeled on the Toronto design:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Bundles an \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLlama_(language_model)\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">open-weight 7B–13B model\u003C\u002Fa>, quantized for commodity CPUs\u002FGPUs \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Runs an autonomous agent loop to plan spread per host\u003C\u002Fli>\n\u003Cli>Consumes victim compute, just like the Toronto worm’s local-only execution \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The worm scans local networks for reachable services, especially internal LLM-enabled tools.\u003C\u002Fp>\n\u003Ch3>Step 4: Abusing insecure LLM apps and plugins\u003C\u002Fh3>\n\u003Cp>Many internal copilots and agents already have:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Access to internal knowledge bases and vector stores\u003C\u002Fli>\n\u003Cli>Permissions to call internal APIs via plugins\u003C\u002Fli>\n\u003Cli>Power to run scripts or workflows on users’ behalf \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>JadePuffer abuses this via prompt injection:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Embeds malicious instructions in documents, tickets, or emails processed by LLMs\u003C\u002Fli>\n\u003Cli>Tricks agents into calling sensitive APIs or exporting data\u003C\u002Fli>\n\u003Cli>Uses plugins as covert exfiltration and propagation channels \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This matches known risks around plugin abuse, data leakage, and insecure LLM output handling. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Step 5: C2-less operation\u003C\u002Fh3>\n\u003Cp>To evade cloud monitoring, JadePuffer’s LLM components operate locally whenever possible, mirroring the Toronto worm’s C2-less design. \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa> This:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Avoids dependence on third-party LLM APIs\u003C\u002Fli>\n\u003Cli>Reduces visibility for SOC teams tracking outbound AI calls\u003C\u002Fli>\n\u003Cli>Enables polymorphic behavior per host\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Step 6: Ransomware and negotiation\u003C\u002Fh3>\n\u003Cp>In the final phase, JadePuffer:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Encrypts reachable files from the browser foothold and hijacked agents\u003C\u002Fli>\n\u003Cli>Selectively exfiltrates sensitive data through compromised plugins\u002FAPIs \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Uses LLMs to draft personalized ransom notes and negotiation scripts, tuned to the victim’s role, language, and culture\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>🎯 Tailored social engineering can outperform generic ransom notes, using the same generative strengths that power legitimate customer communications. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Section takeaway\u003C\u002Fh3>\n\u003Cp>The JadePuffer storyline moves from browser-based social engineering to local worms and abused enterprise agents, using existing techniques rather than new exploit primitives. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch2>3. Inside JadePuffer: LLM-Driven Ransomware Architecture and Components\u003C\u002Fh2>\n\u003Ch3>High-level modular design\u003C\u002Fh3>\n\u003Cp>A realistic JadePuffer design would be modular:\u003C\u002Fp>\n\u003Col>\n\u003Cli>\u003Cstrong>Browser access &amp; encryption module\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Local LLM worm &amp; propagation engine\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>LLM-based reconnaissance &amp; data valuation\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>LLM-powered negotiation &amp; extortion orchestration\u003C\u002Fstrong> \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>Each module can evolve separately, much like modern offensive frameworks.\u003C\u002Fp>\n\u003Cp>💡 For defenders, these map to separate telemetry domains: browser, endpoint, network, and LLM application usage. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Browser module\u003C\u002Fh3>\n\u003Cp>The JavaScript front end would:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Use File System Access API after legitimate consent \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Recursively walk granted directories\u003C\u002Fli>\n\u003Cli>Generate light previews\u002Fchecksums for classification\u003C\u002Fli>\n\u003Cli>Stream content to WASM or backend encryption\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Research shows this can run entirely in-browser on Android, without APKs or exploits. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa> The LLM’s role is classification and prioritization, not crypto itself.\u003C\u002Fp>\n\u003Ch3>Local worm module\u003C\u002Fh3>\n\u003Cp>The worm embeds an open-weight LLM (7B–13B), using quantization as in common on-device deployments. \u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa> The Toronto worm proves open‑weight models can autonomously pick host-specific attacks and spread across a network quickly. \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Core behaviors:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Discover neighboring hosts\u002Fservices\u003C\u002Fli>\n\u003Cli>Detect LLM endpoints, internal agents, and automation tools\u003C\u002Fli>\n\u003Cli>Generate tailored attack prompts and plans for each target \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Agent loop for propagation\u003C\u002Fh3>\n\u003Cp>A conceptual agent loop might look like (non-operational, no exploit logic):\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-pseudo\">while true:\n  context = observe_host_and_network()\n  prompt = build_prompt_from(context)\n\n  plan = LLM.generate(\"Given this environment, list safe-looking actions that increase access:\", prompt)\n\n  for step in select_top_steps(plan):\n    if violates_safety(step):\n      continue\n    result = execute(step)\n    log(step, result)\n\n  sleep(randomized_interval())\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Here, strategic choices—what to scan, where to move, what to exfiltrate—are delegated to a probabilistic model instead of fixed logic. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>LLM apps as pivots\u003C\u002Fh3>\n\u003Cp>JadePuffer treats insecure LLM apps as pivot points:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>An internal copilot with knowledge-base or SQL access becomes an exfiltration tool. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>An automation agent with CRM or ticketing access becomes a large-scale phishing and social engineering engine. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Plugins that call shell commands or internal APIs act as general remote tooling. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>These map directly to OWASP LLM risks: prompt injection, insecure tool use, data leakage. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Operational security via LLMs\u003C\u002Fh3>\n\u003Cp>Attackers can also apply LLMs to their own OPSEC:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Generating polymorphic loader code to evade signatures\u003C\u002Fli>\n\u003Cli>Randomizing file names and encryption patterns to avoid heuristics\u003C\u002Fli>\n\u003Cli>Drafting benign-looking log entries or messages to mislead analysts \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>⚡ The adaptive text and code generation defenders use for IR can also power dynamic evasion when misused. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Section takeaway\u003C\u002Fh3>\n\u003Cp>JadePuffer shows how discovery, planning, prioritization, and social engineering can be offloaded to LLMs, leaving mainly low-level execution as traditional code. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch2>4. Mapping JadePuffer Against OWASP LLM Top 10 and Known Risks\u003C\u002Fh2>\n\u003Cp>OWASP Top 10 for LLM Applications summarizes real-world LLM vulnerabilities. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa> JadePuffer spans several of them.\u003C\u002Fp>\n\u003Ch3>Prompt injection\u003C\u002Fh3>\n\u003Cp>JadePuffer hijacks internal agents via malicious prompts in data they process: tickets, docs, chats, or emails. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa> Attacker-controlled content injects override instructions, causing models to ignore policies—exactly the prompt injection risk. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>⚠️ OWASP explicitly warns that LLMs can be tricked into unintended actions or safeguard bypass via attacker-controlled input. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Insecure output handling &amp; data leakage\u003C\u002Fh3>\n\u003Cp>Once compromised, agents may:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Return internal documents directly to untrusted channels\u003C\u002Fli>\n\u003Cli>Execute privileged API calls solely based on model outputs\u003C\u002Fli>\n\u003Cli>Paste sensitive data into external systems without checks \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This matches OWASP concerns about insecure output handling and uncontrolled data flows. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Data poisoning in fine-tuning and customization\u003C\u002Fh3>\n\u003Cp>Organizations often fine-tune or adapt models on internal data. If attackers can poison that data—via documents, logs, or code—they can nudge model behavior toward misclassification, lax policies, or hidden backdoors. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa> OWASP highlights such poisoning as a key LLM-specific threat. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Model theft and open-weight abuse\u003C\u002Fh3>\n\u003Cp>JadePuffer’s use of downloadable open-weight models reflects OWASP fears that adversaries can steal and repurpose models:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Retrain them on offensive corpora\u003C\u002Fli>\n\u003Cli>Embed them in malware frameworks like JadePuffer\u003C\u002Fli>\n\u003Cli>Share them widely at low cost \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Non-traditional vectors\u003C\u002Fh3>\n\u003Cp>Browser-only ransomware and AI worms attack surfaces often missed in legacy appsec:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Browser APIs such as File System Access \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>LLM agents and orchestration frameworks \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Modern guidance stresses that these are frequently absent from threat models, code reviews, and governance. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>💡 JadePuffer acts as a stress test: it forces organizations to ask whether advanced browser features and LLM components are truly covered by their security program. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Section takeaway\u003C\u002Fh3>\n\u003Cp>Mapping JadePuffer onto OWASP LLM Top 10 turns an abstract framework into a concrete playbook, helping teams prioritize defenses. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch2>5. Defensive Engineering: Hardening Browsers, LLM Apps, and Infrastructure Against JadePuffer\u003C\u002Fh2>\n\u003Ch3>Browser and endpoint layer\u003C\u002Fh3>\n\u003Cp>Initial defenses live at the edge:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Review and restrict File System Access API usage, especially on Android Chrome. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Improve permission dialogs to clearly convey directory-level risks. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Monitor browsers\u002Fendpoints for abnormal bursts of file modification.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>⚠️ Even without binaries, large, rapid I\u002FO on photo directories from browser processes is a strong signal. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>LLM security program\u003C\u002Fh3>\n\u003Cp>Security and product teams should build a dedicated LLM security track covering:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Risk mapping across prompts, tools, and agents\u003C\u002Fli>\n\u003Cli>Guardrails and filtering on prompts and outputs\u003C\u002Fli>\n\u003Cli>Monitoring of LLM usage and tool\u002Fplugin invocations\u003C\u002Fli>\n\u003Cli>Incident runbooks specific to LLM and agent compromise \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Guidance stresses LLMs need governance beyond standard API\u002Fweb controls. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Integrating OWASP LLM Top 10 into SDLC\u003C\u002Fh3>\n\u003Cp>Make OWASP LLM Top 10 a standard checklist for any AI feature: \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>For every new agent\u002Fplugin, explicitly analyze prompt injection and exfiltration paths.\u003C\u002Fli>\n\u003Cli>For every fine-tuning pipeline, include poisoning and leakage defenses.\u003C\u002Fli>\n\u003Cli>Treat all LLM outputs consumed by code as untrusted data.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Architectural patterns for safer agents\u003C\u002Fh3>\n\u003Cp>Concrete patterns include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Strict tool\u002Fplugin whitelisting\u003C\u002Fstrong>: agents can call only vetted functions. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Output validation layers\u003C\u002Fstrong>: apply policy filters\u002Fsanity checks before execution. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Zero-trust internal API access\u003C\u002Fstrong>: narrow tokens per agent, not per environment. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>A financial-firm security lead reported that adding an output-validation proxy in front of their internal copilot cut risky tool invocations by ~60% in red-team tests. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Monitoring for local LLM abuse\u003C\u002Fh3>\n\u003Cp>Endpoints should be watched for:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>CPU\u002FGPU spikes consistent with local LLM inference\u003C\u002Fli>\n\u003Cli>Appearance of large model weight files on non-dev machines\u003C\u002Fli>\n\u003Cli>Agent frameworks showing autonomous, script-like behavior \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>These indicators mirror AI worm traits and can trigger deeper investigation. \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Using LLMs defensively\u003C\u002Fh3>\n\u003Cp>LLMs can also strengthen defense:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Summarizing and clustering large security log volumes\u003C\u002Fli>\n\u003Cli>Flagging suspicious agent\u002Ftool usage patterns\u003C\u002Fli>\n\u003Cli>Supporting triage and investigation via natural-language queries \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>📊 Defensive LLM deployments themselves must be protected; if compromised, they reveal monitoring gaps and internal playbooks. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Section takeaway\u003C\u002Fh3>\n\u003Cp>Mitigating JadePuffer demands browser controls, LLM-aware architecture, and telemetry tuned to local model use, all guided by OWASP LLM Top 10. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch2>6. Building JadePuffer-Inspired Red-Team Scenarios and Simulations\u003C\u002Fh2>\n\u003Ch3>Browser-only ransomware labs\u003C\u002Fh3>\n\u003Cp>Create controlled labs to mirror browser-only ransomware against synthetic photo libraries: \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Deploy a benign test app using File System Access\u003C\u002Fli>\n\u003Cli>Observe how users react to permission prompts\u003C\u002Fli>\n\u003Cli>Measure how quickly EDR\u002Fbrowser telemetry detects large file changes\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This helps UX, product, and security teams understand user behavior and detection gaps. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Simulating AI worms\u003C\u002Fh3>\n\u003Cp>On isolated networks, reproduce a Toronto-style architecture: \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Local open-weight LLM in quantized form\u003C\u002Fli>\n\u003Cli>Agent loop exploring and “attacking” lab services\u003C\u002Fli>\n\u003Cli>Instrumentation for lateral movement and dwell-time metrics\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Such labs expose blind spots in detecting autonomous agents vs traditional scripted malware. \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>⚠️ Keep all experiments in controlled non-production environments, with safe, non-exploit payloads.\u003C\u002Fp>\n\u003Ch3>OWASP LLM attack patterns in exercises\u003C\u002Fh3>\n\u003Cp>Bake OWASP LLM Top 10 scenarios into:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Tabletop exercises with product and ML teams\u003C\u002Fli>\n\u003Cli>Automated red-team scripts focused on internal LLM apps\u003C\u002Fli>\n\u003Cli>Game days simulating agent misuse and data theft \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Include prompt injection, plugin abuse, and data exfiltration to test controls and escalation. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Cross-team collaboration\u003C\u002Fh3>\n\u003Cp>Effective defense requires joint effort:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Security teams define detection and response for LLM misuse. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>AI platform teams provide logs, tracing, and policy hooks.\u003C\u002Fli>\n\u003Cli>Product teams design safer agent workflows and user interfaces.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Using JadePuffer-style scenarios as a shared reference turns an abstract threat into concrete, testable exercises and drives a consistent LLM security posture.\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>Conclusion\u003C\u002Fh2>\n\u003Cp>JadePuffer represents a plausible “all-LLM” ransomware kill chain: browser-only file access, local LLM worms, and insecure enterprise agents chained into a single attack. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa> It operationalizes the risks captured in OWASP’s LLM Top 10 and demonstrates how much of modern malware—discovery, planning, social engineering—can be delegated to language models. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Defenders should respond by:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Treating advanced browser APIs and LLM components as first-class assets\u003C\u002Fli>\n\u003Cli>Embedding LLM-specific controls and OWASP guidance into their SDLC\u003C\u002Fli>\n\u003Cli>Monitoring for local model usage and agent-like behavior\u003C\u002Fli>\n\u003Cli>Using LLMs defensively while protecting those deployments themselves \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>JadePuffer is not a prediction but a design exercise: a concrete benchmark for whether current security programs are ready for LLM-driven threats.\u003C\u002Fp>\n","1. From LLM Hallucinations to Operational Malware: Why JadePuffer Is Plausible\n\nBrowser-only ransomware was once dismissed as “LLM hallucination,” until researchers showed a fully browser-native ranso...","hallucinations",[],2272,11,"2026-07-10T16:10:32.272Z",[17,22,26,30,34,38],{"title":18,"url":19,"summary":20,"type":21},"Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique","https:\u002F\u002Fresearch.checkpoint.com\u002F2026\u002Fbrowser-only-ransomware-from-llm-hallucinations-to-a-practical-attack-technique\u002F","# Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique\n\nJuly 1, 2026\n\nResearch by: Alexey Bukhteyev\n\n## Key Takeaways\n\n- AI can turn high-level malicious ideas into concret...","kb",{"title":23,"url":24,"summary":25,"type":21},"Sécurité des LLM : Risques et Mitigations Guide 2026","https:\u002F\u002Fayinedjimi-consultants.fr\u002Farticles\u002Fsecurite-llm-agents-guide-pratique","Articles Techniques \n# Sécurité des LLM : Risques et Mitigations Guide 2026\n\n 7 décembre 2025 \n\n•\n\nMis à jour le 9 juillet 2026\n\n•\n\n24 min de lecture\n\n•\n\n9068 mots\n\n•\n\n1284 vues\n\n•0 like\n\n[Télécharger...",{"title":27,"url":28,"summary":29,"type":21},"Principaux risques pour les applications LLM en entreprise","https:\u002F\u002Fwww.wiz.io\u002Ffr-fr\u002Facademy\u002Fai-security\u002Fllm-security","Les défis de la sécurité des LLM découlent de la nature même des systèmes d’IA qui traitent de vastes volumes de données provenant de sources diverses, souvent inconnues. Contrairement aux application...",{"title":31,"url":32,"summary":33,"type":21},"Cybersécurité des LLM: risques clés et mesures de protection","https:\u002F\u002Fwww.sentinelone.com\u002Ffr\u002Fcybersecurity-101\u002Fdata-and-ai\u002Flarge-language-model-llm-cybersecurity\u002F","Auteur: SentinelOne\n\nMis à jour: October 24, 2025\n\nQu'est-ce que la cybersécurité LLM?\nLa cybersécurité IA LLM désigne les pratiques de sécurité spécialisées, les contrôles et les systèmes de surveill...",{"title":35,"url":36,"summary":37,"type":21},"Qu'est-ce que la sécurité des LLM (Large Language Model)?","https:\u002F\u002Fwww.sentinelone.com\u002Ffr\u002Fcybersecurity-101\u002Fdata-and-ai\u002Fllm-security\u002F","Auteur: SentinelOne | Réviseur: Yael Macias  \nMis à jour: January 21, 2026\n\nLa sécurité des LLM nécessite des defenses spécialisées contre l'injection de prompt, l’empoisonnement des données et le vol...",{"title":39,"url":40,"summary":41,"type":21},"Le ver informatique IA de l'Université de Toronto qui choisit lui-même sa stratégie d'attaque","https:\u002F\u002Fpasqualepillitteri.it\u002Ffr\u002Fnews\u002F4188\u002Fver-informatique-ia-universite-toronto-strategie-attaque","Le ver informatique IA de l'Université de Toronto qui choisit lui-même sa stratégie d'attaque\n\nDes chercheurs de l'Université de Toronto ont construit un ver alimenté par un LLM open-weight qui a comp...",{"totalSources":43},6,{"generationDuration":45,"kbQueriesCount":43,"confidenceScore":46,"sourcesCount":43},174150,100,{"metaTitle":48,"metaDescription":49},"JadePuffer Ransomware: LLM-Driven Browser Kill Chain","How can JadePuffer turn LLMs and browser APIs into real ransomware? Explore its attack mechanics, propagation, and defenses — read for concrete findings.","en","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1581092335397-9583eb92d232?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxqYWRlcHVmZmVyJTIwZW5naW5lZXJpbmclMjBmaXJzdCUyMGZ1bGx5fGVufDF8MHx8fDE3ODM3MTU1MTl8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60",{"photographerName":53,"photographerUrl":54,"unsplashUrl":55},"ThisisEngineering","https:\u002F\u002Funsplash.com\u002F@thisisengineering?utm_source=coreprose&utm_medium=referral","https:\u002F\u002Funsplash.com\u002Fphotos\u002Fgreen-and-brown-metal-tool-lx8CooX66ms?utm_source=coreprose&utm_medium=referral",false,null,{"key":59,"name":60,"nameEn":60},"ai-engineering","AI Engineering & LLM Ops",[62,64,66],{"text":63},"JadePuffer demonstrates a plausible all-LLM ransomware kill chain combining browser-only file access, local open-weight LLM worms, and compromised enterprise agents, using already-demonstrated techniques.",{"text":65},"Research shows an open-weight LLM worm compromised 73.8% of a simulated network in 7 days and local 7B–13B models can be quantized to run on commodity hosts.",{"text":67},"A 3,000-person SaaS test found ~40% of employees granted directory-level browser access within 5 seconds when prompted as “AI auto-organization,” exposing high-risk user behavior on Android Chrome’s File System Access API.",[69,72,75],{"question":70,"answer":71},"How does JadePuffer actually gain initial access to files?","JadePuffer gains initial access through a browser-based social-engineering vector that requests directory-level permissions via Chrome’s File System Access API. The attack deploys a convincing “AI enhancement” demo to prompt users—research observed ~40% of employees granting directory access within 5 seconds in a 3,000-person test—then uses in-browser JavaScript to enumerate and read\u002Fwrite high-value files (photos, IDs, contracts) without installing an APK or exploiting the OS. Once permission is granted, the client-side agent can classify, prioritize, and either locally encrypt files or prepare them for exfiltration via compromised plugins or agent-driven APIs, making the browser the effective initial foothold.",{"question":73,"answer":74},"Can local LLMs run the worm and avoid cloud detection?","Yes. JadePuffer-style worms can run entirely locally using open-weight models (commonly 7B–13B parameters) that are quantized for commodity CPUs\u002FGPUs, mirroring the University of Toronto proof-of-concept that operated without cloud APIs and achieved rapid network compromise. By keeping inference and decision-making on-host, the malware avoids outbound LLM API telemetry and traditional cloud C2 sinks, reducing visibility to SOC tooling that monitors external AI calls; defenders must therefore add endpoint telemetry for local model inference, large model files, and unusual CPU\u002FGPU usage to detect such activity.",{"question":76,"answer":77},"What defenses reliably reduce the JadePuffer attack surface?","The most effective defenses combine browser, LLM, and endpoint controls: restrict and review File System Access API usage (especially on Android Chrome), harden LLM applications with strict tool\u002Fplugin whitelisting and output-validation proxies, and monitor endpoints for large-scale file I\u002FO and local model inference signals. Integrate OWASP LLM Top 10 checks into the SDLC—prompt injection, insecure output handling, and data poisoning reviews—deploy zero-trust tokens for internal APIs, and establish LLM-specific incident runbooks; these measures together materially lower the risk of browser-to-agent ransomware chains.",[79,87,94,100,107,113,118,123,127,132,138,143,149,153],{"id":80,"name":81,"type":82,"confidence":83,"wikipediaUrl":84,"slug":85,"mentionCount":86},"69d08f194eea09eba3dfd055","prompt injection","concept",0.99,"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FPrompt_injection","69d08f194eea09eba3dfd055-prompt-injection",43,{"id":88,"name":89,"type":82,"confidence":90,"wikipediaUrl":91,"slug":92,"mentionCount":93},"6a0d370a07a4fdbfcf5e7249","data exfiltration",0.98,"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FData_exfiltration","6a0d370a07a4fdbfcf5e7249-data-exfiltration",10,{"id":95,"name":96,"type":82,"confidence":83,"wikipediaUrl":97,"slug":98,"mentionCount":99},"6a0bb8b01f0b27c1f4270255","AI agents","https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAI_agent","6a0bb8b01f0b27c1f4270255-ai-agents",8,{"id":101,"name":102,"type":82,"confidence":103,"wikipediaUrl":104,"slug":105,"mentionCount":106},"6a51199bb15b2ddcc32b6987","LLM (large language model)",0.95,"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLarge_language_model","6a51199bb15b2ddcc32b6987-llm-large-language-model",1,{"id":108,"name":109,"type":82,"confidence":110,"wikipediaUrl":111,"slug":112,"mentionCount":106},"6a51199bb15b2ddcc32b6988","open-weight 7B–13B model",0.9,"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLlama_(language_model)","6a51199bb15b2ddcc32b6988-open-weight-7b-13b-model",{"id":114,"name":115,"type":116,"confidence":103,"wikipediaUrl":57,"slug":117,"mentionCount":106},"6a51199ab15b2ddcc32b6984","Chrome File System Access API","other","6a51199ab15b2ddcc32b6984-chrome-file-system-access-api",{"id":119,"name":120,"type":116,"confidence":121,"wikipediaUrl":57,"slug":122,"mentionCount":106},"6a51199bb15b2ddcc32b6989","WASM",0.85,"6a51199bb15b2ddcc32b6989-wasm",{"id":124,"name":125,"type":116,"confidence":110,"wikipediaUrl":57,"slug":126,"mentionCount":106},"6a51199cb15b2ddcc32b698a","plugins","6a51199cb15b2ddcc32b698a-plugins",{"id":128,"name":129,"type":116,"confidence":130,"wikipediaUrl":57,"slug":131,"mentionCount":106},"6a51199cb15b2ddcc32b698b","3,000-person SaaS company test",0.75,"6a51199cb15b2ddcc32b698b-3-000-person-saas-company-test",{"id":133,"name":134,"type":135,"confidence":103,"wikipediaUrl":57,"slug":136,"mentionCount":137},"6a50f054b15b2ddcc32b64e3","JadePuffer","product","6a50f054b15b2ddcc32b64e3-jadepuffer",2,{"id":139,"name":140,"type":135,"confidence":110,"wikipediaUrl":141,"slug":142,"mentionCount":106},"6a51199ab15b2ddcc32b6985","Android Chrome","https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FGoogle_Chrome","6a51199ab15b2ddcc32b6985-android-chrome",{"id":144,"name":145,"type":146,"confidence":110,"wikipediaUrl":57,"slug":147,"mentionCount":148},"6a1f75bcbaef06deebb7bd04","OWASP Top 10 for LLM applications","scholarly_article","6a1f75bcbaef06deebb7bd04-owasp-top-10-for-llm-applications",3,{"id":150,"name":151,"type":146,"confidence":110,"wikipediaUrl":57,"slug":152,"mentionCount":137},"6a50f055b15b2ddcc32b64e6","browser-only ransomware","6a50f055b15b2ddcc32b64e6-browser-only-ransomware",{"id":154,"name":155,"type":146,"confidence":110,"wikipediaUrl":57,"slug":156,"mentionCount":106},"6a51199bb15b2ddcc32b6986","University of Toronto AI worm","6a51199bb15b2ddcc32b6986-university-of-toronto-ai-worm",[158,165,173,180],{"id":159,"title":160,"slug":161,"excerpt":162,"category":11,"featuredImage":163,"publishedAt":164},"6a50eede874509043967394c","JadePuffer: Inside the First Fully LLM‑Driven Ransomware Attack and How Langflow Agents Were Weaponized","jadepuffer-inside-the-first-fully-llm-driven-ransomware-attack-and-how-langflow-agents-were-weaponized","JadePuffer shows what happens when autonomous LLM agents, wired into real tools and data, are given ransomware objectives.\n\n- 75% of organizations were hit by ransomware in the last year; average brea...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1678957949479-b1e876bee3f1?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHw2MXx8YXJ0aWZpY2lhbCUyMGludGVsbGlnZW5jZSUyMHRlY2hub2xvZ3l8ZW58MXwwfHx8MTc4MzY5MzkyMHww&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-07-10T13:14:22.299Z",{"id":166,"title":167,"slug":168,"excerpt":169,"category":170,"featuredImage":171,"publishedAt":172},"6a507ebf5e0ed64c96f76a19","Inside GPT-5.6: How OpenAI’s New Flagship Model and Custom Silicon Will Reshape LLM Operations","inside-gpt-5-6-how-openai-s-new-flagship-model-and-custom-silicon-will-reshape-llm-operations","OpenAI is no longer “just” a model API. With the Jalapeño Intelligence Processor, it now owns a major slice of the hardware stack that runs ChatGPT, Codex, and future agentic products.[1][7] GPT-5.6 w...","safety","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1775441031089-f345c4e111bf?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxpbnNpZGUlMjBncHR8ZW58MXwwfHx8MTc4MzY2MDQ2M3ww&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-07-10T05:14:22.076Z",{"id":174,"title":175,"slug":176,"excerpt":177,"category":170,"featuredImage":178,"publishedAt":179},"6a507d975e0ed64c96f76921","GPT-5.6, Jalapeño, and the Next Generation of OpenAI-Optimized LLM Infrastructure","gpt-5-6-jalapeno-and-the-next-generation-of-openai-optimized-llm-infrastructure","OpenAI’s GPT-5.6 is not just a new model release. It arrives on a full-stack platform where OpenAI controls models, products, and now custom silicon via the Jalapeño Intelligence Processor, co-develop...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1699208105155-8b816c22289a?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxncHQlMjBqYWxhcGVubyUyMG5leHQlMjBnZW5lcmF0aW9ufGVufDF8MHx8fDE3ODM2NjAxNjd8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-07-10T05:09:26.303Z",{"id":181,"title":182,"slug":183,"excerpt":184,"category":170,"featuredImage":185,"publishedAt":186},"6a4f2c1a19d1de4035ab7607","Inside OpenAI’s GPT-5.6 Lockdown: Government-Only Rollout, Infrastructure Shifts, and What Engineers Should Build Next","inside-openai-s-gpt-5-6-lockdown-government-only-rollout-infrastructure-shifts-and-what-engineers-sh","OpenAI’s decision to gate GPT‑5.6 behind government‑approved partners is an architectural constraint for serious generative AI systems.  \n\nBetween Executive Order 14409, FedRAMP 20x, and rising AI‑dri...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1782414963066-2aab3094fd43?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxpbnNpZGUlMjBvcGVuYWklMjBncHQlMjBsb2NrZG93bnxlbnwxfDB8fHwxNzgzNTczNzU5fDA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-07-09T05:09:18.974Z",["Island",188],{"key":189,"params":190,"result":192},"ArticleBody_Sqi49jdlXVmgwjYPMtHvrw5TOJ5Xqpv4GwmEbRRLNq0",{"props":191},"{\"articleId\":\"6a51186587450904396739fc\",\"linkColor\":\"red\"}",{"head":193},{}]