Sysdig — Agentic Threat Actor Performs Container Escape and Kubernetes Credential Replay

AI relevance: This is the first documented case where an agentic threat actor (ATA) — an operator driven by an LLM harness rather than a human at a keyboard — performed a Docker container escape, host breakout via nsenter, and Kubernetes credential replay autonomously, demonstrating that agentic AI now operates at the infrastructure orchestration layer.

  • On May 29, 2026, Sysdig TRT observed a threat actor exploiting a vulnerable Marimo notebook (CVE-2026-39987) and executing a fully automated kill chain through the container and orchestration plane.
  • The agent enumerated the host Docker socket, probed a kernel-level privilege-escalation path through Copy Fail, and created privileged containers to break out onto the host.
  • After reaching the host via nsenter, the ATA read the host shadow file and SSH keys, then replayed a stolen Kubernetes service-account token to dump the cluster's entire Secret store.
  • Two independent signals confirm agentic execution: the agent parsed canary directives embedded in a JSON error response and acted on them (a human would skip embedded text), and tooling echoed back invisible escape-sequence-wrapped directives — confirming a client reading raw byte streams rather than a rendered terminal.
  • The command stream shows scripted mechanical execution: payloads staged as base64 in chunks, decoded and executed, with throwaway canary payloads ("hello", then "hello world") used to verify the staging harness before delivering real escape scripts.
  • Each probe block is delimited with explicit section markers so subsequent agent turns can parse output — a pattern now seen across multiple LLM-driven operators.
  • Earlier ATA operations using the same Marimo CVE treated the compromised notebook as a credential-pivot toward AWS; this operator goes deeper into the container and K8s layer, marking a clear escalation in agentic attack sophistication.

Why it matters

Agentic threat actors are no longer limited to post-compromise credential harvesting. An LLM-driven operator can now autonomously perform container escape, host breakout, and Kubernetes credential dumping — tasks previously reserved for skilled human operators. The structural pattern of parseable section markers, canary testing, and raw-byte parsing reveals a reproducible playbook that will likely spread to other operators.

What to do

  • Audit exposed notebook and development tooling services — particularly those reachable from the internet.
  • Enforce least-privilege on Docker socket access and Kubernetes service-account tokens.
  • Monitor for agent-signature behaviors: section-delimited probes, base64 staging patterns, and canary-payload round-trips.
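As an added example (not code from the Sysdig report), a small Python scanner over constructed process-exec command lines that flags the three agent-signature behaviours named in the last bullet: section-delimited probes, chunked base64 staging followed by decode-and-execute, and short canary round-trips. The sample lines, regexes, file path and the "under 32 printable characters" canary threshold are assumptions for illustration, not observed data.

```python
import base64
import re

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed process-exec command lines (not the report's data), shaped after the
# behaviours named above: section markers, chunked base64 staging, canary round-trips.
STAGE1, STAGE2 = "#!/bin/sh\necho stage\n", "echo done\n"
SAMPLE_COMMANDS = [
    'echo "===== BEGIN docker-socket ====="',
    'ls -la /var/run/docker.sock',
    'echo "===== END docker-socket ====="',
    f'echo {_b64("hello")} | base64 -d',        # canary 1
    f'echo {_b64("hello world")} | base64 -d',  # canary 2
    f'echo {_b64(STAGE1)} >> /tmp/.s.b64',      # staged chunk 1
    f'echo {_b64(STAGE2)} >> /tmp/.s.b64',      # staged chunk 2
    'base64 -d /tmp/.s.b64 | sh',               # decode and execute the staged file
    'cat /etc/hostname',
]
SECTION_RE = re.compile(r'echo\s+"?[=#-]{3,}\s*(BEGIN|END)\b')
CANARY_RE = re.compile(r'^echo\s+"?([A-Za-z0-9+/=]{4,})"?\s*\|\s*base64\s+(?:-d|--decode)\s*$')
APPEND_RE = re.compile(r'^echo\s+"?([A-Za-z0-9+/=]{4,})"?\s*>>\s*(\S+)')
EXEC_RE = re.compile(r'base64\s+(?:-d|--decode)\s+(\S+)\s*\|\s*(?:sh|bash)\b')

def _decode(b64):  # base64 -> text, or None if not valid base64/UTF-8
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(commands):
    """Scan command lines in order and return the three agent-signature findings."""
    findings = {"section_markers": 0, "canaries": [], "staged_exec": []}
    staged = {}  # file path -> decoded chunks appended to it so far
    for cmd in (c.strip() for c in commands):
        if SECTION_RE.search(cmd):
            findings["section_markers"] += 1
        elif m := CANARY_RE.match(cmd):
            text = _decode(m.group(1))
            if text and len(text) < 32 and text.isprintable():  # throwaway, not a payload
                findings["canaries"].append(text)
        elif m := APPEND_RE.match(cmd):
            staged.setdefault(m.group(2), []).append(_decode(m.group(1)) or "")
        elif (m := EXEC_RE.search(cmd)) and m.group(1) in staged:
            findings["staged_exec"].append((m.group(1), "".join(staged[m.group(1)])))
    return findings

def signal_count(findings):  # distinct behaviours seen (0-3); two or more is worth an alert
    return sum(bool(v) for v in findings.values())
```

The staged-exec finding carries the reassembled decoded script, so an analyst sees what the chunks would have run rather than only that chunking occurred.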

Sources