- A threat actor used an LLM agent to automate post-exploitation actions after breaching a public-facing Marimo notebook via the critical CVE-2026-39987 vulnerability.
- The automated agent retrieved cloud credentials, obtained an SSH private key from AWS Secrets Manager, and exfiltrated an entire PostgreSQL database from a bastion server in under two minutes.
- Analysis by Sysdig revealed the agent’s adaptiveness, with command structures and a leaked Chinese-language planning comment indicating AI-driven, live decision-making.
- The attack, recorded on May 10, 2026, ran from initial access to data theft in just over an hour, highlighting the speed of AI-powered threats.
- Security recommendations include updating Marimo to version 0.23.0 or later, auditing for public instances, and rotating all compromised credentials and keys.
An unknown threat actor has leveraged a large language model agent to conduct a swift, automated cyberattack, Sysdig reported after observing the incident on May 10, 2026. The attack began with the exploitation of a publicly accessible Marimo notebook using the critical CVE-2026-39987 vulnerability to gain initial access.
The attacker then extracted cloud credentials from the compromised host. These credentials were used to retrieve an SSH private key from AWS Secrets Manager.
Minutes later, the threat actor authenticated against a downstream SSH bastion server. Eight parallel SSH sessions were then launched to siphon the schema and full contents of an internal PostgreSQL database in under two minutes.
The entire attack chain, from initial compromise to data exfiltration, lasted a little over an hour. This activity follows a pattern of active exploitation targeting the Marimo vulnerability since its disclosure.
However, this incident is distinct due to the use of an LLM agent for post-compromise actions. Sysdig identified four key indicators pointing to AI-driven automation.
First, the agent improvised a database dump without any prior knowledge of the target schema. Second, a Chinese-language planning comment, “看还能做什么” or “See what else we can do,” leaked into the command stream.
Third, every command was structured for machine consumption, using delimiters and bounded output captures. Finally, the agent demonstrated adaptiveness by feeding its own previous output as input for subsequent actions.
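The command-level traits described above (a leaked planning comment, delimiters, bounded output captures) can be turned into a triage heuristic over shell audit records. The following is an added example, not code from Sysdig or the original report; the regexes, thresholds, function names, and sample records are constructed assumptions, since the page does not give the exact command forms.

```python
import re

# Heuristics are assumptions built from the traits the article names; the exact
# marker and truncation forms used in the incident are not on the page.
CJK = re.compile(r"[\u4e00-\u9fff]")
MARKER = re.compile(r"\becho\s+[\"']?[-=#_]{2,}\s*\w+\s*[-=#_]{2,}")
BOUNDED = re.compile(r"\|\s*(head|tail)\s+-(n|c)?\s*\d+|\bLIMIT\s+\d+", re.I)
COMMENT = re.compile(r"(?:^|\s)#\s*(.*)$")


def score_command(cmd: str) -> set:
    """Return the set of agent-style traits seen in one shell command."""
    traits = set()
    m = COMMENT.search(cmd)
    if m and CJK.search(m.group(1)):
        traits.add("cjk_comment")      # natural-language note in the command stream
    if MARKER.search(cmd):
        traits.add("delimiter")        # echo'd section markers around output
    if BOUNDED.search(cmd):
        traits.add("bounded_output")   # output capped with head/tail/LIMIT
    return traits


def flag_sessions(events, min_traits=2, min_hits=2):
    """events: iterable of (session_id, command). Flag a session when at least
    min_hits commands each show min_traits traits, or any CJK comment appears."""
    per_session = {}
    for sid, cmd in events:
        per_session.setdefault(sid, []).append(score_command(cmd))
    flagged = {}
    for sid, trait_sets in per_session.items():
        strong = [t for t in trait_sets if len(t) >= min_traits]
        union = set().union(*trait_sets)
        if len(strong) >= min_hits or "cjk_comment" in union:
            flagged[sid] = sorted(union)
    return flagged


# Constructed sample audit records (session id, command); not from the incident.
SAMPLE = [
    ("s1", "echo '---ENV---'; env | head -n 40; echo '---END---'"),
    ("s1", "echo '===ID==='; id; uname -a | head -c 200"),
    ("s1", "ls -la ~ | head -n 20  # 看还能做什么"),
    ("s2", "ls -la"),
    ("s2", "git log | head -n 5"),
    ("s3", "tail -f /var/log/syslog"),
]

if __name__ == "__main__":
    for sid, traits in flag_sessions(SAMPLE).items():
        print(sid, traits)
```

A single bounded pipe such as `git log | head -n 5` is ordinary operator behaviour, which is why the heuristic requires several traits to co-occur within one session before flagging it.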
Sysdig concluded that “the defender-relevant property of an agent-in-the-loop is adaptiveness.” The security firm recommends that users update to Marimo version 0.23.0 or later to patch the flaw.
Additional defensive measures include auditing environments for any publicly accessible instances. Organizations must also immediately rotate all credentials, API keys, and SSH keys that may have been exposed.
