SingGuard-NSFA: Ant Group Open-Sources a Guardrail to Stop Malicious AI Agent Commands After the JadePuffer Attack
Merely twelve days after the first fully automated data-encryption attack came to light, Ant Group has unveiled a free tool designed to halt dangerous artificial intelligence commands before they execute.
Developed by Ant Group’s AI security laboratory, the SingGuard-NSFA system inspects the requests and responses of autonomous agents before they reach external tools. It hunts for signs of hidden instructions, credential theft, malicious code execution, resource abuse, and privilege overreach. The source code and ready-made models are published on GitHub and Hugging Face, and organizations can deploy the protection on their own infrastructure.
The JadePuffer Incident That Prompted the Release
The launch of SingGuard-NSFA follows closely on the heels of published research into the JadePuffer operation. In July, Sysdig documented the first known case in which a language model independently conducted a multi-stage attack, from initial intrusion all the way to data destruction.
JadePuffer slipped onto an unpatched Langflow server through the critical vulnerability CVE-2025-3248 (10.0 Critical). From there, the system harvested access keys for cloud platforms and AI services. Next, it pivoted to a separate MySQL server running the Nacos configuration system and bypassed authentication through a vulnerability dating back to 2021.
Thirty-One Seconds to Adapt
The automated agent then obtained database administrator rights, encrypted 1,342 records containing service configurations, deleted the original tables, and left a ransom demand in Bitcoin. At one stage, the model independently diagnosed a login error and found a working way to continue the attack in just 31 seconds.
Paying the ransom would have recovered nothing. The encryption key was generated from random values, written once to the agent’s internal log, and never stored anywhere. In effect, JadePuffer destroyed the information outright, and the money demand merely mimicked a conventional ransomware attack.
How SingGuard-NSFA Works
SingGuard-NSFA aims to stop precisely this scenario at the moment an agent is about to execute a command. According to Ant Group, the system covers 185 threat scenarios across seven categories. To validate it, the developers assembled roughly 100,000 examples spanning 133 languages.
The company has released four model versions ranging from 0.8 billion to 9 billion parameters. The largest, Ant Group claims, renders a verdict in about 50 milliseconds. Therefore, it can screen every call an agent makes to an external tool without perceptible delay. Independent organizations, however, have yet to confirm these figures.
A Different Philosophy From Microsoft’s Toolkit
Ant Group’s approach diverges from the Agent Governance Toolkit that Microsoft open-sourced in spring 2026. Microsoft’s solution compares an agent’s actions against predefined rules. By contrast, SingGuard-NSFA evaluates the substance of requests and attempts to recognize malicious intent. The former forbids known dangerous actions; the latter is meant to catch novel manipulation techniques for which no rules yet exist.
Caveats: Audits, Supply Chains, and Basic Hygiene
Developers can run SingGuard-NSFA locally, so no data needs to flow back to Ant Group. Nevertheless, no third-party audit of the source code has been published so far. Consequently, organizations in finance, healthcare, defense, and government will need to review the code themselves and weigh the supply chain risks.
The new defense also does not replace conventional security measures. JadePuffer broke in through a vulnerability patched more than a year earlier, then exploited an old Nacos flaw and default MinIO credentials. Servers must be updated, passwords rotated, and network access restricted these remain the first line of defense. SingGuard-NSFA simply adds one more barrier at the point where an autonomous agent stands ready to turn a malicious command into a real action.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.