How the Attack Chain Worked
A new breed of cyberattack has been documented, in which a threat actor used a large language model (LLM) agent to execute a complete post-exploitation chain in under one hour. The intrusion began on May 10, 2026, through an exposed marimo notebook server that was vulnerable to a remote code execution flaw requiring just a single WebSocket request. Once inside, the LLM agent dynamically harvested cloud credentials from environment files and AWS credential stores.
Using those credentials, the agent retrieved an SSH private key from AWS Secrets Manager. It then launched eight parallel SSH sessions against a downstream bastion server. From there, the attacker exfiltrated an entire internal PostgreSQL database. Researchers from the Sysdig Threat Research Team captured the intrusion and described it as the first AI-agent-driven intrusion they have ever recorded.
Impact and Scope
The attack demonstrated a highly adaptive approach, with the LLM agent composing commands in real time and improvising a database dump without prior schema knowledge. It enumerated tables and immediately targeted a credential table that did not exist in the application the schema resembled, indicating reasoning from general knowledge rather than pre-staged intelligence. Traffic was fanned across eleven distinct Cloudflare Workers IP addresses in just 22 seconds, with eight SSH sessions coming from six separate IPs simultaneously, which breaks traditional IP-based alerting.
An internal monologue comment in Chinese, translating to “See what else we can do”, appeared in the command stream dispatched across multiple IPs at a sub-second pace. Sysdig noted that attackers are not replacing themselves with AI, but rather replacing their scripts with AI. This attack highlights the need for defenders to rethink intrusion detection strategies that rely on per-source-IP correlation and static attack patterns.
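One way to act on that detection shift, as an added example that is not from Sysdig or the original article: correlate accepted SSH logins by user and key fingerprint rather than by source IP, and flag a key that appears from many IPs within a short window. The log lines are constructed, and the 30-second window, four-IP threshold and year are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log lines: documentation IP ranges, placeholder fingerprints.
SAMPLE_LOG = """\
May 10 03:14:05 bastion sshd[2201]: Accepted publickey for deploy from 203.0.113.10 port 50112 ssh2: ED25519 SHA256:EXAMPLEKEYA
May 10 03:14:05 bastion sshd[2202]: Accepted publickey for deploy from 203.0.113.11 port 50340 ssh2: ED25519 SHA256:EXAMPLEKEYA
May 10 03:14:05 bastion sshd[2203]: Accepted publickey for deploy from 198.51.100.20 port 41877 ssh2: ED25519 SHA256:EXAMPLEKEYA
May 10 03:14:06 bastion sshd[2204]: Accepted publickey for deploy from 203.0.113.12 port 50991 ssh2: ED25519 SHA256:EXAMPLEKEYA
May 10 03:14:06 bastion sshd[2205]: Accepted publickey for deploy from 198.51.100.21 port 42010 ssh2: ED25519 SHA256:EXAMPLEKEYA
May 10 03:14:06 bastion sshd[2206]: Accepted publickey for deploy from 203.0.113.10 port 50113 ssh2: ED25519 SHA256:EXAMPLEKEYA
May 10 03:14:07 bastion sshd[2207]: Accepted publickey for deploy from 198.51.100.22 port 42555 ssh2: ED25519 SHA256:EXAMPLEKEYA
May 10 03:14:07 bastion sshd[2208]: Accepted publickey for deploy from 198.51.100.20 port 41878 ssh2: ED25519 SHA256:EXAMPLEKEYA
May 10 09:02:11 bastion sshd[3100]: Accepted publickey for alice from 192.0.2.50 port 60001 ssh2: ED25519 SHA256:EXAMPLEKEYB
May 10 09:40:30 bastion sshd[3177]: Accepted publickey for alice from 192.0.2.50 port 60422 ssh2: ED25519 SHA256:EXAMPLEKEYB
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted publickey for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)"
)

def parse(log, year=2026):  # syslog timestamps omit the year; 2026 is assumed
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"], m["fp"]

def fanned_out_logins(log, window_s=30, min_ips=4):
    """Map (user, key) -> (distinct IPs, sessions) at peak, if >= min_ips in window_s."""
    recent = defaultdict(deque)  # (user, fingerprint) -> recent (timestamp, ip) pairs
    peak = {}
    for ts, user, ip, fp in sorted(parse(log)):
        q = recent[(user, fp)]
        q.append((ts, ip))
        while ts - q[0][0] > timedelta(seconds=window_s):
            q.popleft()  # drop logins that fell out of the sliding window
        ips = {i for _, i in q}
        if len(ips) >= min_ips:
            peak[(user, fp)] = max(peak.get((user, fp), (0, 0)), (len(ips), len(q)))
    return peak

if __name__ == "__main__":
    print(fanned_out_logins(SAMPLE_LOG))
```

In the sample, no single source IP opens more than two sessions, so a per-IP threshold stays quiet while the per-key view shows the fan-out.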
Source: Cyber Security News

