
Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit

May 29, 2026


Ravie LakshmananCould 29, 2026Vulnerability / Synthetic Intelligence

An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly-accessible Marimo network using a recently disclosed vulnerability.

“The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH sessions against a downstream SSH bastion server,” Sysdig said.

“The bastion phase exfiltrated the schema and full contents of an internal PostgreSQL database in under two minutes.”

CVE-2026-39987 refers to a critical pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including 0.20.4. It allows an unauthenticated attacker to execute arbitrary system commands. The issue was addressed in version 0.23.0, released last month.

The security defect has since come under active exploitation, with threat actors using it to initiate manual reconnaissance against honeypot systems and attempt to harvest sensitive data.

The latest activity documented by Sysdig sticks to the same pattern, the primary difference being that an LLM agent was used to drive the post-exploitation activity. The incident, per the cloud security firm, was recorded on May 10, 2026, with the attacker gathering credentials from the environment and then using the harvested AWS access key to perform API calls against AWS Secrets Manager and retrieve an SSH private key.

Minutes later, the threat actor is said to have performed the first SSH authentication on the SSH bastion server using the retrieved key, followed by launching eight parallel SSH sessions against the downstream server to siphon an internal PostgreSQL database. The end-to-end attack chain lasted a little over an hour.

Sysdig said it uncovered four indicators that an LLM agent was behind the activity. First, the attacker improvised a database dump without any prior knowledge of the schema. Second, a Chinese-language planning comment, “看还能做什么” translating to “See what else we can do,” leaked directly in the command stream when executing a credential search.

“The database hostname was opaque, with no application identifier on disk and no schema dump pre-staged, yet the chain still landed on a credential table within minutes,” Sysdig said. “The attacker no longer needs to see your environment to operate inside it.”

The third sign is that every command is designed for machine consumption, with each command separated by a “—” delimiter, along with bounded output captures, disabling the “less” command, and discarding the error stream (stderr) to minimize noise.

Finally, the value handoffs are obtained from prior tool output. In other words, the manner in which certain values, say, database passwords, were extracted implies an AI agent feeding its own previous output — running a cat command of the “~/.pgpass” file — into the next action.

In another instance, a cat command to print the contents of a specific file (“cat ~/.ssh/id_ed25519”) is preceded by an ls (“list”) command that passes the same file pattern as input (“ls -la ~/.ssh/id_ed25519*”) to confirm that the SSH key exists.
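
As an added illustration (not code from Sysdig or the original article), the Python below scores one shell session against the command-shape indicators described above, including the ls-then-cat handoff on the same path. The regexes, the threshold of three traits and both sample sessions are assumptions constructed for this example.

```python
import re
import shlex
# Trait regexes are assumptions about how each indicator appears in a shell
# audit log; tune them to your own telemetry.
TRAITS = {
    "stderr_discarded": re.compile(r"2>\s*/dev/null"),
    "bounded_output": re.compile(r"\|\s*(head|tail)\b"),
    "pager_disabled": re.compile(r"PAGER=cat|--no-pager|pager=off"),
    "delimiter_echo": re.compile(r"\becho\s+['\"]?(-{3,}|\u2014)"),
}

def probe_then_read(commands):
    """Return paths that were checked with ls and later read with cat."""
    probed, hits = set(), []
    for cmd in commands:
        try:
            argv = shlex.split(cmd)  # only the first simple command is classified
        except ValueError:           # unbalanced quotes in a logged line
            continue
        if not argv:
            continue
        paths = [a.rstrip("*") for a in argv[1:] if not a.startswith("-")]
        if argv[0] == "ls":
            probed.update(paths)
        elif argv[0] == "cat":
            hits += [p for p in paths if p in probed]
    return hits

def score_session(commands, threshold=3):
    """Flag a session when at least `threshold` distinct traits are present."""
    counts = {n: sum(bool(rx.search(c)) for c in commands) for n, rx in TRAITS.items()}
    handoffs = probe_then_read(commands)
    fired = [n for n, v in counts.items() if v]
    if handoffs:
        fired.append("probe_then_read")
    return {"counts": counts, "handoffs": handoffs, "fired": fired,
            "suspicious": len(fired) >= threshold}

# Constructed sessions (not taken from the Sysdig report).
AGENT_LIKE = [
    "ls -la ~/.ssh/id_ed25519*",
    "cat ~/.ssh/id_ed25519",
    "cat ~/.pgpass 2>/dev/null | head -20",
    "echo '---'; env 2>/dev/null | head -50",
]
OPERATOR_LIKE = ["cd /srv/app", "ls -la", "git pull", "cat README.md"]

if __name__ == "__main__":
    print(score_session(AGENT_LIKE), score_session(OPERATOR_LIKE))
```

Any single trait is common in legitimate automation, which is why the score requires several to co-occur within one session before flagging it.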

“When a scripted operator builds a per-target playbook and reuses it, the bar to adding a new target is engineering time,” Sysdig concluded. “However, an agent operator carries general priors about a class of applications and composes the chain live to best fit its target. Here, the bar becomes inference budget, not playbook authorship.”

“The defender-relevant property of an agent-in-the-loop is adaptiveness. A scripted attacker hits a missing file, an unexpected schema, or an authentication failure and either aborts or falls through to a hard-coded fallback. An agent reads the surprise, decides what to try next, and keeps going.”

To counter this threat, it's advised that users update to the latest version of Marimo, audit environments for any publicly-accessible instances, and rotate credentials, API keys, and SSH keys.
