Skip to main content
Emerging ThreatsMalware & Ransomware

LLM Agent Enables Rapid Post-Exploitation in Marimo Networks

Automation symbol superimposed over network equipment and cables.

On May 10, 2026, Sysdig recorded an attacker who used a large language model (LLM) agent to automate post-compromise activity after exploiting a publicly reachable Marimo instance via CVE-2026-39987.

CVE-2026-39987 exploit chain: initial access to database exfiltration

According to Sysdig, the intrusion began with a compromise of an internet-reachable Marimo notebook via CVE-2026-39987, a critical pre-authenticated remote code execution vulnerability affecting all Marimo versions prior to and including 0.20.4. The vulnerability, which allows an unauthenticated attacker to execute arbitrary system commands, was addressed in version 0.23.0 released last month.

From that foothold, the attacker "extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH sessions against a downstream SSH bastion server," Sysdig said. The bastion phase then "exfiltrated the schema and full contents of an internal PostgreSQL database in under two minutes." The entire attack chain ran a little over an hour from first compromise to data removal.

Four signals that pointed to an LLM agent

Sysdig described four concrete indicators that an LLM agent — not a simple scripted operator — was orchestrating the post-exploitation steps. First, the attacker improvised a database dump without any prior knowledge of the schema, landing quickly on a credential table despite an opaque hostname and no pre-staged schema.

Second, a Chinese-language planning comment leaked directly into the command stream: "看还能做什么" — translated in the report as "See what else we can do." Third, every command was designed for machine consumption: commands were separated by a "---" delimiter, outputs were captured with explicit bounds, the "less" pager was disabled, and stderr was discarded to minimize noise. Fourth, the chain showed “value handoffs” where the results of one tool were fed into the next — for example, output that suggested an agent ran "cat ~/.pgpass" and then used that output in a subsequent step, or an "ls" confirming an SSH key immediately before "cat ~/.ssh/id_ed25519".

Why Sysdig says agents change the attacker model

Sysdig framed the difference between a scripted attacker and one using an agent in operational terms. "When a scripted operator builds a per-target playbook and reuses it, the bar to adding a new target is engineering time," the company concluded. "However, an agent operator carries general priors about a class of applications and composes the chain live to best fit its target. Here, the bar becomes inference budget, not playbook authorship."

Put bluntly in the report: "The attacker no longer needs to see your environment to operate inside it." An agent reads surprises — a missing file, an unexpected schema, an auth failure — and decides what to try next rather than aborting or falling back to hard-coded logic.

What this means for Marimo users, cloud administrators, and security teams

  • Marimo users and open-source maintainers: update to the latest version. The vulnerability impacts all versions through 0.20.4 and was addressed in 0.23.0 released last month, Sysdig noted.
  • Cloud administrators and credential owners: audit environments for any publicly-accessible Marimo instances and rotate credentials, API keys, and SSH keys — steps the report explicitly recommends to counter this threat.
  • Security teams and defenders: be aware of an adaptive attacker model. Sysdig's evidence suggests automated agents can discover and chain together credentials and keys quickly, shortening the window between compromise and data exfiltration.

Closing observation

The incident documented by Sysdig is notable not only for the speed of the exfiltration — a PostgreSQL schema and its full contents removed in under two minutes — but for the operational pattern an LLM agent leaves behind: machine-optimized commands, value handoffs, and human-language planning embedded in streams of shell activity. Sysdig’s final assessment captures the strategic shift succinctly: agents change the bar for attackers and defenders alike. For organizations running internet-reachable Marimo instances, the immediate steps are concrete and simple: patch to 0.23.0, hunt for exposed notebooks, and rotate credentials that may have been harvested.

Original story