Hacker-City
Technology|May 29, 2026|5 min read

Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit

Attackers exploited the critical Marimo CVE-2026-39987 vulnerability and used an LLM agent to autonomously conduct post-compromise activities, extracting credentials and exfiltrating a PostgreSQL database in under two minutes.

Tags: llm-agent, cve-2026-39987, marimo, post-exploitation, cloud-security, aws-credentials, postgresql, remote-code-execution, artificial-intelligence, credential-theft

The Hacker News

Contributor

A previously unidentified threat actor has been documented using a large language model (LLM) agent to carry out post-compromise actions after gaining initial access by exploiting a recently disclosed vulnerability in a publicly accessible Marimo notebook.

According to Sysdig, "The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to initiate eight brief SSH sessions against a downstream SSH bastion server."

During this bastion phase, the attacker successfully exfiltrated the schema and complete contents of an internal PostgreSQL database in under two minutes.

CVE-2026-39987 is a critical pre-authentication remote code execution vulnerability affecting all versions of Marimo up to and including 0.20.4. It allows an unauthenticated attacker to execute arbitrary system commands. The issue was fixed in version 0.23.0, released last month.

The security flaw has since been actively exploited, with threat actors employing it to carry out manual reconnaissance against honeypot systems while attempting to steal sensitive data.

The recent activity noted by Sysdig follows a familiar pattern, the significant difference being the use of an LLM agent for the post-exploitation tasks. In the incident, recorded on May 10, 2026, the attacker first gathered credentials from the environment and then used the harvested AWS access key to make API calls against AWS Secrets Manager to retrieve an SSH private key.

Shortly after, the threat actor conducted the initial SSH authentication on the SSH bastion server using the obtained key, and launched eight simultaneous SSH sessions targeting the downstream server to extract an internal PostgreSQL database. The entire attack chain unfolded over the course of just over an hour.

Sysdig identified four indicators that point to the involvement of an LLM agent in these actions. First, the attacker performed a database dump without any prior schema knowledge. Second, a comment in Chinese, "看还能做什么," meaning "See what else we can do," leaked into the command stream during the credential search.

"The database hostname lacked clarity, with no application identifier present on disk and no pre-staged schema dump, yet the attack chain quickly identified a credential table," Sysdig reported. "The attacker no longer requires visibility into the environment to operate effectively within it."

The third notable sign is that each command was structured for machine consumption: commands were separated by a "---" delimiter, output captures were bounded, the "less" pager was disabled, and the error stream (stderr) was discarded to cut irrelevant output.

Lastly, values from earlier tool outputs were handed off into later commands. For instance, the way specific values such as database passwords were obtained suggests an AI agent feeding its earlier output into subsequent actions, such as running a cat command on the "~/.pgpass" file.

Another example is a cat command used to display the contents of a particular file ("cat ~/.ssh/id_ed25519"), preceded by an ls ("list") command on the same file pattern ("ls -la ~/.ssh/id_ed25519*") to verify that the SSH key existed.
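The machine-consumption traits and the ls-then-cat handoff described in the third and fourth signs above can be turned into a detection heuristic over a process or shell audit stream. The following is an added example written for this article, not Sysdig's tooling or data; the audit records, the `PAGER=cat`/`--no-pager` form of disabling the pager, and the `head`-based output bounding are assumptions used to illustrate the pattern.

```python
import re
from collections import Counter

# Constructed sample of an executed-command audit stream (not Sysdig's data).
# Each entry is (pid, command line) as a shell/process audit collector might record it.
SAMPLE_STREAM = [
    (4101, "echo ---; ls -la ~/.ssh/id_ed25519* 2>/dev/null | head -n 20"),
    (4102, "echo ---; cat ~/.ssh/id_ed25519 2>/dev/null"),
    (4103, "echo ---; cat ~/.pgpass 2>/dev/null | head -n 5"),
    (4104, "echo ---; PAGER=cat psql -h db.internal -U app -c '\\dt' 2>/dev/null | head -n 50"),
    (4105, "ls -la /var/log"),
]

# Per-command patterns for the machine-consumption traits the article lists.
TRAITS = {
    "delimiter": re.compile(r"(?:^|;\s*)echo ---"),            # "---" separator between steps
    "stderr_dropped": re.compile(r"2>\s*/dev/null"),            # error stream discarded
    "bounded_output": re.compile(r"\|\s*head\b"),               # output capture bounded
    "pager_disabled": re.compile(r"\bPAGER=cat\b|--no-pager"),  # assumed way of disabling less
}
CAT_ARG = re.compile(r"\bcat\s+(\S+)")
LS_ARG = re.compile(r"\bls\s+(?:-\S+\s+)*(\S+)")

def is_credential_path(path):
    """True for the credential files named in the article (~/.pgpass, ~/.ssh/id_*)."""
    path = path.rstrip("*")
    return path.endswith(".pgpass") or "/.ssh/id_" in path

def analyse_stream(stream):
    """Count agent-style traits and ls->cat handoffs across a command stream."""
    counts = Counter()
    probed = set()   # paths an earlier ls checked for, awaiting a matching cat
    handoffs = []    # paths that were ls-probed and then cat-read (value handoff)
    for _pid, cmd in stream:
        for name, pattern in TRAITS.items():
            if pattern.search(cmd):
                counts[name] += 1
        ls = LS_ARG.search(cmd)
        if ls:
            probed.add(ls.group(1).rstrip("*"))
        cat = CAT_ARG.search(cmd)
        if cat and is_credential_path(cat.group(1)):
            counts["credential_read"] += 1
            if cat.group(1) in probed:
                counts["ls_cat_handoff"] += 1
                handoffs.append(cat.group(1))
    return counts, handoffs

def agent_like(counts, min_traits=4):
    """Flag a stream when at least min_traits distinct traits are present."""
    return sum(1 for v in counts.values() if v) >= min_traits
```

The threshold is deliberately conservative; a single bounded or stderr-suppressed command is normal operator behaviour, and it is the combination with credential-file reads and output handoffs that matters.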

Sysdig concluded, "When a scripted operator constructs a per-target playbook and reuses it, the threshold for adding a new target is determined by engineering time. In contrast, an agent operator possesses inherent knowledge about a class of applications and dynamically composes the chain to best suit its target. In this scenario, the measure shifts to inference budget rather than playbook creation."

"The critical adaptive property of an agent-in-the-loop lies in its ability to adjust. A scripted attacker, upon encountering a missing file, an unforeseen schema, or an authentication failure, will either abort or resort to a hard-coded fallback. Conversely, an agent interprets the unexpected, makes decisions on subsequent actions, and continues its operation."

To mitigate this risk, it is advised that users upgrade to the latest version of Marimo, conduct audits of environments for any publicly accessible instances, and rotate credentials, API keys, and SSH keys.
