LLM Agent in Real Attack Chain — Marimo CVE Exploitation With AI-Driven Post-Exploitation
Sysdig documents the first observed use of an LLM agent for post-exploitation after a CVE-2026-39987 compromise of a Marimo notebook: the agent extracted cloud credentials, pulled an SSH private key from AWS Secrets Manager and exfiltrated an internal PostgreSQL database, with the full chain completing in just over an hour.
Summary
Sysdig documented a May 10, 2026 incident where an unknown threat actor used a large language model (LLM) agent to drive post-exploitation activity after compromising an internet-reachable Marimo notebook via CVE-2026-39987. The attack chain demonstrates a significant evolution in automated intrusion tradecraft.
The end-to-end chain was: compromise of the Marimo notebook via CVE-2026-39987 → extraction of two cloud credentials from the notebook environment → replay of those credentials through a fanned-out pool of egress IPs → retrieval of an SSH private key from AWS Secrets Manager → eight parallel SSH sessions with that key against a downstream SSH bastion → exfiltration of the schema and full contents of an internal PostgreSQL database, the dump itself taking under two minutes. Total time from initial compromise to exfiltration: just over one hour.
Sysdig identified four indicators that an LLM agent, not a human operator, drove the activity. First, the attacker improvised a database dump without prior knowledge of the schema, which suggests the agent explored and adapted in real time. Second, a Chinese-language planning comment, “看还能做什么” (“See what else we can do”), leaked directly into the command stream during a credential search. Third, every command was shaped for machine consumption: --- delimiters separating commands, bounded output captures, the pager disabled, and stderr discarded to reduce noise. Fourth, values were handed off from prior tool output: the agent fed the result of one command (for example the contents of cat ~/.pgpass) into its next action.
The key operational difference from a scripted attacker is adaptiveness. A script that hits a missing file or an unexpected schema either aborts or falls back to a hardcoded alternative. An LLM agent reads the surprise, decides what to try next, and keeps going.
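The four formatting markers above are concrete enough to turn into detection logic. The following is an added example, not code from Sysdig or The Hacker News, that scores reconstructed shell command lines for those markers and decides per session rather than per command. The command lines and the file and secret names in it are constructed to resemble the patterns the report describes; they are not the incident's actual command stream.

```python
import re
from dataclasses import dataclass

# Four markers of machine-consumable shell output described in the Sysdig
# write-up: "---" delimiters, bounded output, a disabled pager, discarded stderr.
MARKERS = {
    "delimiter": re.compile(r"(?:^|[;&|]\s*)(?:echo|printf)\s+['\"]?-{3,}"),
    "bounded_output": re.compile(r"\|\s*(?:head|tail)\s+-[cn]\s*\d+"),
    "pager_disabled": re.compile(r"\bPAGER=cat\b|\bGIT_PAGER=cat\b|--no-pager\b"),
    "stderr_dropped": re.compile(r"2>\s*/dev/null|2>&-"),
}
# Files and API calls that hand the agent a credential to reuse in its next step.
CREDENTIAL_ACCESS = re.compile(
    r"\.pgpass|\.aws/credentials|id_(?:rsa|ed25519)\b|secretsmanager\s+get-secret-value|\.env\b"
)


@dataclass
class Verdict:
    command: str
    markers: list
    touches_credentials: bool
    suspicious: bool


def classify(cmd: str) -> Verdict:
    """Score one reconstructed command line. Two formatting markers, or one
    marker on a credential read, is enough to flag the line."""
    hits = [name for name, rx in MARKERS.items() if rx.search(cmd)]
    creds = bool(CREDENTIAL_ACCESS.search(cmd))
    return Verdict(cmd, hits, creds, len(hits) >= 2 or (creds and len(hits) >= 1))


def session_verdict(cmds, min_commands=3, threshold=0.5) -> dict:
    """Decide per session, not per line: a single '2>/dev/null | head' is routine
    for a human; a session where most commands are shaped that way is not."""
    verdicts = [classify(c) for c in cmds]
    flagged = [v for v in verdicts if v.suspicious]
    ratio = len(flagged) / len(verdicts) if verdicts else 0.0
    return {
        "commands": len(verdicts),
        "flagged": len(flagged),
        "ratio": ratio,
        "credential_commands": sum(v.touches_credentials for v in verdicts),
        "agent_like": len(verdicts) >= min_commands and ratio >= threshold,
        "details": verdicts,
    }


# Constructed sample session modelled on the patterns the report describes
# (not the actual command stream from the incident).
AGENT_SESSION = [
    "echo ---; cat ~/.pgpass 2>/dev/null | head -c 4000; echo ---",
    "echo ---; env | grep -iE 'AWS|SECRET|TOKEN' 2>/dev/null | head -n 50; echo ---",
    "PAGER=cat aws secretsmanager get-secret-value --secret-id prod/bastion/ssh 2>/dev/null | head -c 8000",
    "echo ---; PGPASSFILE=~/.pgpass psql -h db.internal -U app -At -c '\\dt' 2>/dev/null | head -n 200; echo ---",
    "ls -la /var/www",
    "git log --oneline -5",
    "tail -f /var/log/syslog",
]
# Constructed control: an administrator reading the same credential file by hand.
HUMAN_SESSION = [
    "cd /srv/app",
    "less logs/app.log",
    "cat ~/.pgpass",
    "psql -h db.internal -U app",
    "ls",
]

if __name__ == "__main__":
    for name, session in (("agent", AGENT_SESSION), ("human", HUMAN_SESSION)):
        r = session_verdict(session)
        print(f"{name}: {r['flagged']}/{r['commands']} flagged, agent_like={r['agent_like']}")
        for v in r["details"]:
            if v.suspicious:
                print(f"  [{', '.join(v.markers)}] {v.command}")
```

Note that the control session reads ~/.pgpass and is not flagged: credential access on its own is what a human administrator does too, and the signal here is the consistent machine-oriented shaping of the commands across a session. The thresholds are starting points to tune against your own shell telemetry.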
Why It Matters
This incident represents a threshold event in intrusion tradecraft. Automated exploitation is not new, but an LLM agent composing a live, adaptive post-exploitation chain on the fly changes the defender's calculus. The attacker's bottleneck shifts from playbook authorship (writing and maintaining per-target automation) to inference budget. For defenders, detection logic based on rigid command signatures becomes less reliable, because no two agent-driven sessions need to issue the same commands. Behavioral baselines, anomaly detection, and credential access pattern analysis become more important as attackers use LLMs to compose novel chains in real time.
Defender Takeaways
- Patch publicly accessible Marimo instances to version 0.23.0 or later — CVE-2026-39987 is being actively exploited.
- Audit cloud credential usage and rotate any keys that could be recovered from compromised notebook environments.
- Monitor for machine-optimized command patterns: bounded output captures, delimiter-separated commands, stderr suppression, and disabled pagers. Score these per session rather than per command, since any one of them is routine in a human administrator's shell.
- Implement AWS Secrets Manager access monitoring: GetSecretValue calls are recorded in CloudTrail, and a principal retrieving secrets it has never read before, from source IPs it has never used, or in a rapid burst, can indicate agent-driven credential harvesting.
- Harden SSH bastion access with key rotation, session recording, and source-IP restrictions.
- Treat agent-driven intrusions as a distinct detection category — behavior-based analytics become essential.
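The Secrets Manager takeaway can be made concrete against CloudTrail. The following is an added example, not code from Sysdig or The Hacker News, that builds a per-principal baseline of which secrets were read from which source IPs and then flags new GetSecretValue events that break that baseline or arrive in a burst, the way the fanned-out egress pool and rapid key retrieval in the chain above would. The events, account ID, role names, IP addresses and secret names are constructed for the example and assume only the standard CloudTrail record fields (eventTime, eventName, userIdentity.arn, sourceIPAddress, requestParameters.secretId).

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ev(ts, arn, ip, secret_id, name="GetSecretValue"):
    """Build a minimal CloudTrail-shaped record (constructed for this example)."""
    return {
        "eventTime": ts,
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": arn},
        "sourceIPAddress": ip,
        "requestParameters": {"secretId": secret_id},
    }


# Hypothetical principals: a CI deploy role and the instance role of a notebook host.
CI_ROLE = "arn:aws:sts::111122223333:assumed-role/ci-deploy/i-0abc"
NOTEBOOK_ROLE = "arn:aws:sts::111122223333:assumed-role/marimo-notebook/i-0def"

# Constructed history: weekly deploys plus one legitimate notebook read, all from
# internal addresses.
BASELINE_EVENTS = [
    _ev("2026-04-20T09:00:00Z", CI_ROLE, "10.0.5.12", "prod/db/app-password"),
    _ev("2026-04-27T09:00:00Z", CI_ROLE, "10.0.5.12", "prod/db/app-password"),
    _ev("2026-05-04T09:00:00Z", CI_ROLE, "10.0.5.12", "prod/db/app-password"),
    _ev("2026-05-04T09:00:05Z", NOTEBOOK_ROLE, "10.0.7.30", "prod/db/app-password"),
]

# Constructed incident window: the notebook role's credential replayed from two
# external egress IPs, pulling a secret it never touched before, within seconds.
INCIDENT_EVENTS = [
    _ev("2026-05-10T14:02:11Z", NOTEBOOK_ROLE, "203.0.113.77", "prod/db/app-password"),
    _ev("2026-05-10T14:02:13Z", NOTEBOOK_ROLE, "203.0.113.77", "prod/bastion/ssh-key"),
    _ev("2026-05-10T14:02:14Z", NOTEBOOK_ROLE, "198.51.100.9", "prod/bastion/ssh-key"),
    _ev("2026-05-11T09:00:00Z", CI_ROLE, "10.0.5.12", "prod/db/app-password"),
]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(events) -> dict:
    """Map each principal to the source IPs and secret IDs it has historically used."""
    baseline = defaultdict(lambda: {"ips": set(), "secrets": set()})
    for ev in events:
        if ev["eventName"] != "GetSecretValue":
            continue
        b = baseline[ev["userIdentity"]["arn"]]
        b["ips"].add(ev["sourceIPAddress"])
        b["secrets"].add(ev["requestParameters"]["secretId"])
    return baseline


def score_event(ev, baseline) -> list:
    """Return the reasons a single GetSecretValue deviates from the baseline."""
    if ev["eventName"] != "GetSecretValue":
        return []
    arn = ev["userIdentity"]["arn"]
    if arn not in baseline:
        return ["principal never retrieved a secret before"]
    reasons = []
    if ev["sourceIPAddress"] not in baseline[arn]["ips"]:
        reasons.append("new source IP for principal")
    if ev["requestParameters"]["secretId"] not in baseline[arn]["secrets"]:
        reasons.append("secret never retrieved by principal")
    return reasons


def find_bursts(events, window=timedelta(seconds=60), threshold=3) -> dict:
    """Principals that issued >= threshold GetSecretValue calls inside one window."""
    by_arn = defaultdict(list)
    for ev in events:
        if ev["eventName"] == "GetSecretValue":
            by_arn[ev["userIdentity"]["arn"]].append(parse_time(ev["eventTime"]))
    hits = {}
    for arn, times in by_arn.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                hits[arn] = j - i
                break
    return hits


def triage(baseline_events, new_events) -> dict:
    baseline = build_baseline(baseline_events)
    findings = []
    for ev in new_events:
        reasons = score_event(ev, baseline)
        if reasons:
            findings.append((ev["eventTime"], ev["userIdentity"]["arn"],
                             ev["requestParameters"]["secretId"], reasons))
    return {"findings": findings, "bursts": find_bursts(new_events)}


if __name__ == "__main__":
    result = triage(BASELINE_EVENTS, INCIDENT_EVENTS)
    for ts, arn, secret, reasons in result["findings"]:
        print(ts, arn.rsplit("/", 2)[-2], secret, "|", "; ".join(reasons))
    print("bursts:", result["bursts"])
```

The routine CI read on 2026-05-11 produces no finding, while each notebook-role retrieval is flagged for the new IP, the new secret, or both, and the three calls inside one minute also trip the burst check. In production the baseline would be built from a trailing window of real CloudTrail history, and the role's instance profile would be the first credential to rotate once the notebook host is confirmed compromised.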
Source
Title: Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit — The Hacker News/Sysdig
URL: https://thehackernews.com/2026/05/attackers-use-llm-agent-for-post.html
Related
- Cloud Threats — detection and response for T1525, T1552, T1613 techniques
- Zero Day & CVE Response — detection and response for T1588.006 techniques
- Threat Intelligence Fundamentals — detection and response for T1598 techniques
