Sysdig: First LLM Agent-Driven Intrusion via Marimo CVE-2026-39987

AI relevance: This is the first documented case of an attacker using an LLM agent to compose post-exploitation actions in real time — replacing pre-written playbooks with adaptive, context-aware command chains.

Sysdig's Threat Research Team observed a full intrusion chain on May 10, 2026, where an LLM agent drove every post-compromise step after initial access via CVE-2026-39987, a pre-authenticated RCE in the open-source Marimo Python notebook. The entire attack — from notebook compromise to full PostgreSQL database exfiltration — ran in just over an hour.

What happened

  • The attacker reached a publicly exposed Marimo instance over its WebSocket interface, exploited CVE-2026-39987 for code execution, and began harvesting credentials from .env files, /etc/environment, ~/.aws/credentials and /proc/*/environ.
  • Harvested AWS access keys were used to call secretsmanager:GetSecretValue and retrieve an SSH private key from AWS Secrets Manager.
  • The attacker fanned 12 redundant AWS API calls across 11 distinct Cloudflare Workers IPs in 22 seconds — defeating per-source-IP detection on the AWS side.
  • The stolen SSH key was used to authenticate against a downstream bastion server, followed by eight parallel SSH sessions that dumped both the Postgres schema and full database contents in under two minutes.

How Sysdig identified the LLM agent

  • Improvised targeting: The attacker enumerated and dumped a database it had no prior knowledge of. The hostname gave no hint of the application, nothing on disk identified it, and no schema dump had been staged in advance, so the queries had to be composed from what earlier commands returned.
  • Leaked planning comment: A Chinese-language comment ("看还能做什么", "See what else we can do") leaked directly into the command stream while the credential search was running.
  • Machine-optimized command shape: Every command was shaped for machine consumption rather than for a human at a terminal: outputs separated by --- delimiters, captures bounded in size, the pager (less) disabled, and stderr discarded.
  • Value handoffs from prior tool output: Extracted values (e.g., database passwords) were fed from one command's output into the next action — an agent consuming its own tool results.
  • Confirm-before-use pattern: Before reading an SSH key (cat ~/.ssh/id_ed25519), the agent first listed it (ls -la ~/.ssh/id_ed25519*) to verify existence — a verification step typical of agent loops, not static scripts.

Why it matters

This incident marks a qualitative shift in post-exploitation tradecraft. Sysdig's assessment: "When a scripted operator builds a per-target playbook and reuses it, the bar to adding a new target is engineering time. An agent operator carries general priors about a class of applications and composes the chain live to best fit its target. Here, the bar becomes inference budget, not playbook authorship." The defender-relevant property is adaptiveness — scripted attackers abort on unexpected schemas; agents read the surprise and keep going.

What to do

  • Inventory all exposed notebook environments — Marimo, Jupyter, and similar tools should never be internet-reachable without authentication.
  • Update Marimo to ≥0.23.0 if running any version ≤0.20.4.
  • Rotate all credentials — API keys, AWS access keys, and SSH keys on any host that ran a vulnerable instance.
  • Monitor for agent-shaped command patterns — delimiter-separated commands, bounded output, confirm-before-read, value handoffs between commands, and leaked planning comments in command logs.
  • Correlate AWS API activity by principal, not by source IP. With Cloudflare Workers egress fan-out no single IP makes enough calls to trip a per-IP rate limit, so alert instead when one access key is used from many distinct IPs or networks within a short window, and on secretsmanager:GetSecretValue calls from unfamiliar principals or networks.
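The indicators Sysdig used to attribute the session to an agent (delimiters, bounded output, pager and stderr suppression, confirm-before-read, value handoffs, leaked planning comments) can be turned into a session-level score. The block below is an added example, not Sysdig's detection logic. It assumes a sensor log in which each record carries the command line and, where captured, the command's output; the session records are constructed to mirror the shapes described above, the credential values are placeholders, and only the Chinese comment is the one the report quotes.

```python
"""Score a shell session for agent-shaped command patterns.

Added example, not Sysdig's detection content. It assumes a sensor log in
which each record carries the command line and, where captured, the
command's output. The records below are constructed; only the planning
comment is the one quoted in the report.
"""
import re

DELIM_RE = re.compile(r"\b(?:echo|printf)\s+[\"']?-{3,}")          # echo --- separators
BOUND_RE = re.compile(r"\|\s*(?:head|tail)\s+-[nc]\s*\d+")         # capped output
PAGER_RE = re.compile(r"--no-pager\b|\bPAGER=cat\b|pager=off|\|\s*cat\b")
STDERR_RE = re.compile(r"2>\s*/dev/null")                           # stderr discarded
COMMENT_LEAK_RE = re.compile(r"#[^\n]*[\u4e00-\u9fff]")             # CJK text inside a shell comment
LS_TARGET_RE = re.compile(r"\bls\s+(?:-[A-Za-z]+\s+)*([^\s;|&]+)")
CAT_TARGET_RE = re.compile(r"\bcat\s+([^\s;|&]+)")
TOKEN_RE = re.compile(r"[A-Za-z0-9_@./:-]{12,}")

AGENT_SESSION = [  # constructed; credential values are placeholders
    {"cmd": "cat .env 2>/dev/null | head -n 50; echo ---; cat /etc/environment 2>/dev/null | head -n 50",
     "out": "DATABASE_URL=postgres://app:Hx7q-constructed-pw@db.internal:5432/app\n"
            "PGPASSWORD=Hx7q-constructed-pw\n---\nPATH=/usr/bin\n"},
    {"cmd": "ls -la ~/.ssh/id_ed25519* 2>/dev/null; echo ---  # 看还能做什么",
     "out": "-rw------- 1 app app 411 id_ed25519\n---\n"},
    {"cmd": "cat ~/.ssh/id_ed25519 | head -c 4096",
     "out": "-----BEGIN OPENSSH PRIVATE KEY-----\n...\n"},
    {"cmd": "PGPASSWORD=Hx7q-constructed-pw psql -h db.internal -U app -d app "
            "--pset pager=off -c '\\dt' 2>/dev/null | head -n 200",
     "out": " public | users | table | app\n"},
]

BENIGN_SESSION = [  # constructed: an operator doing a deploy by hand
    {"cmd": "cd /srv/app && git pull", "out": "Already up to date.\n"},
    {"cmd": "sudo systemctl restart app.service", "out": ""},
    {"cmd": "journalctl -u app.service -n 50", "out": "May 10 14:05:01 web1 app[2231]: listening on :8080\n"},
]


def _secrets_like(text):
    """Long tokens carrying a digit: passwords, connection strings, host:port values."""
    return {t for t in TOKEN_RE.findall(text) if any(c.isdigit() for c in t)}


def classify_session(records, min_indicators=3):
    """Return the distinct indicators seen across one session and an agent-shaped verdict."""
    indicators, seen_in_output, ls_targets = set(), set(), set()
    handoffs, confirmed_reads = [], []
    for i, rec in enumerate(records):
        cmd, out = rec["cmd"], rec.get("out", "")
        for name, rx in (("delimiter", DELIM_RE), ("bounded_output", BOUND_RE),
                         ("pager_disabled", PAGER_RE), ("stderr_discarded", STDERR_RE),
                         ("comment_leak", COMMENT_LEAK_RE)):
            if rx.search(cmd):
                indicators.add(name)
        # value handoff: a token first seen in an earlier command's output reused as an argument
        for tok in sorted(seen_in_output):
            if tok in cmd:
                handoffs.append((i, tok))
                indicators.add("value_handoff")
        # confirm-before-read: cat of a path that an earlier ls checked for
        for path in CAT_TARGET_RE.findall(cmd):
            if path in ls_targets:
                confirmed_reads.append((i, path))
                indicators.add("confirm_before_read")
        # update state after the checks so a command cannot confirm or feed itself
        ls_targets.update(p.rstrip("*") for p in LS_TARGET_RE.findall(cmd))
        seen_in_output.update(_secrets_like(out) - _secrets_like(cmd))
    return {
        "indicators": sorted(indicators),
        "score": len(indicators),
        "agent_shaped": len(indicators) >= min_indicators,
        "value_handoffs": handoffs,
        "confirmed_reads": confirmed_reads,
    }


if __name__ == "__main__":
    print("agent:", classify_session(AGENT_SESSION))
    print("benign:", classify_session(BENIGN_SESSION))
```

The individual regexes are weak on their own (2>/dev/null and | head are everyday operator habits), which is why the verdict rests on how many distinct indicators one session accumulates rather than on any single match. The value-handoff check needs output capture, which plain exec-event telemetry (argv only) does not provide; on such logs drop that indicator and lower min_indicators accordingly.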

Sysdig TRT: AI agent at the wheel (full report)

The Hacker News: Attackers Use LLM Agent for Post-Exploitation

CVE-2026-39987 advisory