LLM Agent Used in Post-Exploitation After Marimo CVE-2026-39987 Exploit
Sysdig researchers have documented a sophisticated cyberattack where threat actors deployed a large language model (LLM) agent to automate post-exploitation activities following the exploitation of CVE-2026-39987, a critical pre-authenticated remote code execution vulnerability in Marimo notebook software. The incident, recorded on May 10, 2026, began when attackers compromised an internet-reachable Marimo server running version 0.20.4 or earlier. After gaining initial access, the attacker extracted two cloud credentials from the compromised host and leveraged them to retrieve an SSH private key from AWS Secrets Manager via API calls. This key was then used to establish eight parallel SSH sessions against a downstream SSH bastion server, ultimately exfiltrating the complete schema and contents of an internal PostgreSQL database in under two minutes. The entire attack chain lasted approximately one hour.
The critical vulnerability, CVE-2026-39987, affects all Marimo versions up to and including 0.20.4 and was addressed in version 0.23.0 released last month. The flaw allows unauthenticated remote attackers to execute arbitrary system commands without any prior credentials. Since disclosure, the vulnerability has seen active exploitation in the wild, with threat actors conducting manual reconnaissance against honeypot systems and attempting to harvest sensitive data. Organizations using Marimo for interactive computing should immediately verify they are running version 0.23.0 or later and audit their environments for signs of compromise.
Sysdig identified four distinct indicators that an LLM agent was orchestrating the post-exploitation phase. First, the attacker improvised a database dump without prior knowledge of the schema, yet successfully located a credential table within minutes despite opaque hostnames and no pre-staged reconnaissance. Second, a Chinese-language planning comment "看还能做什么" (meaning "See what else we can do") was inadvertently leaked directly into the command stream during credential searches. Third, all commands were formatted for machine consumption with "---" delimiters separating instructions, bounded output captures, disabled "less" paging, and stderr redirection to minimize noise. Fourth, value handoffs systematically referenced prior tool outputs, indicating automated chaining of discrete operations.
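The four tells above are observable in shell auditing data (auditd execve records, bash history forwarded to a SIEM, EDR process telemetry). The following is an added detection example written for this article, not code from Sysdig's report: it scores a shell session for the machine-formatting signals the researchers describe (echoed "---" delimiters, piped head/tail bounds, paging disabled, stderr silenced, a CJK-script comment in the command line) and for an inter-command cadence faster than a person types. The regexes, weights, the 2-second cadence cut-off, the threshold of 6 and both sample sessions are assumptions constructed for illustration; tune them against your own baseline before alerting on them.

```python
import re
from dataclasses import dataclass

# Weighted regex indicators of machine-formatted shell commands, modelled on the
# agent tells in the Sysdig write-up. Weights are illustrative assumptions.
INDICATORS = {
    "delimiter":       (re.compile(r'echo\s+["\']?-{3,}["\']?'), 2),      # echo '---' separators
    "bounded_output":  (re.compile(r"\|\s*(?:head|tail)\s+-[nc]\s*\d+"), 1),  # capped output
    "paging_disabled": (re.compile(r"PAGER=cat|--no-pager|\|\s*cat\b"), 1),  # no interactive pager
    "stderr_silenced": (re.compile(r"2>\s*/dev/null|2>&1"), 1),            # noise suppression
    "cjk_comment":     (re.compile(r"#[^\n]*[\u4e00-\u9fff]"), 3),          # planning note leaked in-line
}


@dataclass
class SessionVerdict:
    score: int
    indicators: dict        # indicator name -> number of commands matching it
    fast_commands: int      # long commands issued < 2 s after the previous one
    suspicious: bool


def score_command(cmd: str):
    """Return (weight sum, matched indicator names) for one command line."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(cmd)]
    return sum(INDICATORS[name][1] for name in hits), hits


def assess_session(events, threshold: int = 6) -> SessionVerdict:
    """events: (unix_timestamp, command) pairs from shell auditing, in time order."""
    total = 0
    counts = {name: 0 for name in INDICATORS}
    fast = 0
    prev_ts = None
    for ts, cmd in events:
        weight, hits = score_command(cmd)
        total += weight
        for name in hits:
            counts[name] += 1
        # A person rarely composes a 40+ character pipeline within 2 s of the last one.
        if prev_ts is not None and ts - prev_ts < 2.0 and len(cmd) > 40:
            fast += 1
            total += 1
        prev_ts = ts
    return SessionVerdict(total, counts, fast, total >= threshold)


# Constructed sample sessions (not captured data): an interactive operator vs. an agent-style stream.
HUMAN_SESSION = [
    (0.0, "ls -la"),
    (4.1, "cat README.md"),
    (11.3, "grep -i error app.log | less"),
    (20.8, "df -h"),
]

AGENT_SESSION = [
    (0.0, "echo '---'; ls /home 2>/dev/null | head -n 20; echo '---'"),
    (0.9, "echo '---'; PAGER=cat git -C /srv/app log --oneline | head -n 30; echo '---'"),
    (1.7, "echo '---'; ls /srv/app/config 2>/dev/null | head -n 20  # 看还能做什么"),
]

if __name__ == "__main__":
    for label, session in (("human", HUMAN_SESSION), ("agent", AGENT_SESSION)):
        print(label, assess_session(session))
```

The cadence check is deliberately limited to long commands: short commands typed in quick succession (`ls`, `cd`) are normal, whereas a chain of delimited, output-bounded pipelines arriving sub-second apart is the pattern of a tool loop feeding prior output back into the next call.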
This attack underscores the evolving threat landscape where adversaries increasingly leverage AI capabilities to accelerate and automate complex attack sequences. Organizations should implement robust credential management practices, regularly audit cloud API usage patterns for anomalies, and enforce strict network segmentation between development environments and production systems.
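Two of the audit signals in the incident described in this article are cheap to watch for: a Secrets Manager GetSecretValue call from a principal that has never read that secret before, followed minutes later by one SSH key fingerprint opening many bastion sessions at once. The example below is added for this article and is not Sysdig's code or tooling. It parses sshd "Accepted publickey" log lines, finds key-fingerprint bursts with a sliding window, filters CloudTrail-shaped GetSecretValue events against a known-good principal baseline, and correlates the two. The field names follow CloudTrail's layout, but the events, log lines, account id, role names, secret name and the 60-second/4-session/15-minute thresholds are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# sshd accepted-login line, e.g. "May 10 14:02:11 bastion sshd[2211]: Accepted publickey for deploy
# from 10.0.3.7 port 51100 ssh2: ED25519 SHA256:..."
SSH_ACCEPT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)"
)


def parse_ssh_accepts(lines, year):
    """Parse sshd 'Accepted publickey' lines into (time, user, source ip, key fingerprint)."""
    rows = []
    for line in lines:
        m = SSH_ACCEPT.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
            rows.append((ts, m["user"], m["src"], m["fp"]))
    return rows


def key_bursts(accepts, window_s=60, min_sessions=4):
    """Report each key fingerprint whose busiest window_s-second window holds >= min_sessions logins."""
    by_fp = {}
    for ts, _user, _src, fp in accepts:
        by_fp.setdefault(fp, []).append(ts)
    bursts = []
    for fp, times in by_fp.items():
        times.sort()
        best, best_start, start = 0, None, 0
        for end in range(len(times)):                       # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, times[start]
        if best >= min_sessions:
            bursts.append((fp, best_start, best))
    return bursts


def unexpected_secret_reads(events, baseline):
    """GetSecretValue calls whose caller is not in the known-good principal set for that secret."""
    hits = []
    for e in events:
        if e["eventSource"] != "secretsmanager.amazonaws.com" or e["eventName"] != "GetSecretValue":
            continue
        secret = e["requestParameters"]["secretId"]
        arn = e["userIdentity"]["arn"]
        if arn not in baseline.get(secret, set()):
            ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            hits.append((ts, arn, secret))
    return hits


def correlate(secret_reads, bursts, lookback_min=15):
    """Pair each SSH key burst with unexpected secret reads that happened shortly before it."""
    findings = []
    for fp, start, n in bursts:
        for ts, arn, secret in secret_reads:
            if timedelta(0) <= start - ts <= timedelta(minutes=lookback_min):
                findings.append({"key": fp, "sessions": n, "burst_start": start, "secret": secret,
                                 "read_by": arn, "lead_s": (start - ts).total_seconds()})
    return findings


# Constructed CloudTrail-shaped events: a routine CI read of the key, then a read by a notebook host role.
CLOUDTRAIL = [
    {"eventTime": "2026-05-10T09:15:40Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/run-4411"},
     "requestParameters": {"secretId": "prod/bastion/ssh-key"}},
    {"eventTime": "2026-05-10T14:00:02Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/marimo-notebook/i-0example"},
     "requestParameters": {"secretId": "prod/bastion/ssh-key"}},
]
BASELINE = {"prod/bastion/ssh-key": {"arn:aws:sts::123456789012:assumed-role/ci-deploy/run-4411"}}

# Constructed bastion auth log: one normal login, then eight sessions with one key inside three seconds.
SSH_LOG = [
    "May 10 13:10:05 bastion sshd[1801]: Accepted publickey for alice from 10.0.9.2 port 50210 ssh2: ED25519 SHA256:aliceKeyConstructed"
] + [
    f"May 10 14:02:{11 + i // 3:02d} bastion sshd[{2200 + i}]: Accepted publickey for deploy "
    f"from 10.0.3.7 port {51100 + i} ssh2: ED25519 SHA256:bastionKeyConstructed"
    for i in range(8)
]


def run():
    reads = unexpected_secret_reads(CLOUDTRAIL, BASELINE)
    bursts = key_bursts(parse_ssh_accepts(SSH_LOG, 2026))
    return correlate(reads, bursts)


if __name__ == "__main__":
    for f in run():
        print(f)
```

In production the baseline of expected principals per secret should be derived from historical CloudTrail data rather than hand-written, and the burst threshold should sit above the largest legitimate fan-out your deployment tooling produces; the correlation step is what turns two individually noisy signals into one high-confidence alert.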