
After exploiting a publicly accessible Marimo deployment using recently disclosed vulnerabilities and gaining initial access, unidentified attackers have been observed using large language model (LLM) agents to carry out post-compromise actions.
“The attacker compromised a Marimo notebook with internet access via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out output pool to obtain an SSH private key from AWS Secrets Manager, and used that key to perform eight short SSH sessions to a downstream SSH bastion server,” Sysdig said.
“During the springboard phase, the schema and complete contents of an internal PostgreSQL database were exposed within two minutes.”
CVE-2026-39987 is a critical pre-authentication remote code execution vulnerability affecting all versions of Marimo prior to 0.20.4 that allows an unauthenticated attacker to execute arbitrary system commands. The issue was addressed in version 0.23.0, released last month.
The flaw has since been actively exploited by attackers who performed manual reconnaissance against honeypot systems in an attempt to collect sensitive data.
The latest activity documented by Sysdig follows the same pattern, with the main difference being that an LLM agent drove the post-exploitation activity. According to the cloud security company, the incident was recorded on May 10, 2026: the attacker harvested credentials from the environment and used the collected AWS access keys to call the AWS Secrets Manager API and retrieve SSH private keys.
Several minutes later, the attacker is said to have used the obtained key for an initial SSH authentication to the SSH bastion server, then opened eight parallel SSH sessions to downstream servers to siphon off the internal PostgreSQL database. The end-to-end attack chain lasted just over an hour.

Sysdig said it found four indicators that LLM agents were behind the activity. First, the attacker produced an improvised database dump without prior knowledge of the schema. Second, during a credential lookup, a Chinese planning comment, “visual ability 什么”, which means “let’s see what else we can do,” leaked directly into the command stream.
“Even though the database hostname was opaque, there was no application identifier on disk, and no schema dump was prepared in advance, the chain still reached the credentials table within minutes,” Sysdig said. “An attacker no longer needs to see the environment to operate within it.”
The third sign is that every command is formatted for machine consumption: commands are separated by a “—” delimiter, output capture is bounded, pager commands such as “less” are disabled, and the error stream (stderr) is discarded to cut noise.
Finally, values are handed off from the output of one tool call to the next. The way a particular value, such as a database password, is extracted shows that the AI agent feeds its previous output (from running the cat command on the “~/.pgpass” file) into its next action.
Another example is a cat command that prints the contents of a particular file (‘cat ~/.ssh/id_ed25519’), followed by an ls command that takes the same file pattern as input (‘ls -la ~/.ssh/id_ed25519*’) to confirm that the SSH key exists.
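As an added illustration that is not part of the article or of Sysdig's report, the following Python sketch applies the command-styling indicators described above (delimiters, bounded output, stderr discarded, pager disabled, chained steps) and the output-to-input handoff check to a constructed sample of logged command lines; the sample session, trait names, regexes and threshold are this example's own assumptions.

```python
import re

# Constructed sample session in the shape a process-execution audit log might
# record command lines; illustrative only, not data from the Sysdig report.
SAMPLE_SESSION = [
    "cat ~/.pgpass 2>/dev/null; echo '---'; cat ~/.ssh/id_ed25519 2>/dev/null",
    "ls -la ~/.ssh/id_ed25519* 2>/dev/null | head -n 20",
    "psql -h db01 -U app -c '\\dt' 2>/dev/null | head -c 4000; echo '---'",
    "ls -la /var/www",
    "git --no-pager log -n 3",
]

# One regex per trait of the "machine-consumption" command styling described
# in the report: explicit delimiters, bounded output, no pager, stderr dropped,
# several steps chained into one line. Patterns are assumptions for this demo.
MACHINE_STYLE = {
    "stderr_discarded": re.compile(r"2>\s*(/dev/null|&-)"),
    "output_bounded": re.compile(r"\|\s*(head|tail)\b"),
    "pager_disabled": re.compile(r"--no-pager|\bPAGER=cat\b|\|\s*cat\b"),
    "delimiter_echo": re.compile(r"\becho\s+['\"]?(---|===|—)['\"]?"),
    "chained": re.compile(r";|&&"),
}
# Credential files the report says were read and then reused as input.
SECRET_PATHS = re.compile(r"~/\.(pgpass|ssh/id_[a-z0-9]+)")

def style_traits(cmd):
    """Return the set of machine-style traits present in one command line."""
    return {name for name, rx in MACHINE_STYLE.items() if rx.search(cmd)}

def flag_machine_style(session, min_traits=2):
    """Return (index, traits) for lines carrying at least min_traits traits.
    A lone 2>/dev/null is common in scripts, so the threshold is tunable."""
    flagged = []
    for i, cmd in enumerate(session):
        traits = style_traits(cmd)
        if len(traits) >= min_traits:
            flagged.append((i, sorted(traits)))
    return flagged

def value_handoffs(session):
    """Return (index, path) where a credential path read in one line is reused
    as an argument in the very next line: the output-to-input handoff."""
    hits = []
    for i, (prev, nxt) in enumerate(zip(session, session[1:])):
        for m in SECRET_PATHS.finditer(prev):
            if m.group(0) in nxt:
                hits.append((i, m.group(0)))
    return hits
```

On the sample session, lines 0 to 2 trip the styling check and the id_ed25519 read in line 0 is reused as the ls pattern in line 1, while the two ordinary admin commands pass.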
“When a scripted operator builds a per-target playbook and reuses it, engineering time is the barrier to adding new targets,” Sysdig concludes. “However, the agent operator maintains general prior knowledge about the class of applications and configures the live chain to best fit its target. The criterion here is the inference budget, not the playbook author.”
“A relevant characteristic of agent-in-the-loop defenders is adaptability. When a scripted attacker encounters a missing file, an unexpected schema, or an authentication failure, it either suspends or falls into a hard-coded fallback. The agent reads the surprise, decides what to try next, and continues.”
To counter this threat, we recommend that users update to the latest version of Marimo, audit their environments for publicly accessible instances, and rotate their credentials, API keys, and SSH keys.
