Attack Chain and Exploitation
Threat actors are now using large language model (LLM) agents to automate post-exploitation actions after breaching systems. Security researchers at Sysdig observed an attacker compromise a publicly accessible Marimo notebook by exploiting a critical remote code execution vulnerability, identified as CVE-2026-39987, which affects Marimo versions up to 0.20.4. This flaw allows unauthenticated attackers to run arbitrary system commands, and it was patched in version 0.23.0 released last month.
LLM-Driven Post-Exploitation Activity
After gaining initial access on May 10, 2026, the attacker employed an LLM agent to drive the post-compromise phase. The agent extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and then used that key to launch eight simultaneous SSH sessions against a downstream SSH bastion server. The entire chain from exploitation to data exfiltration took just over an hour, and the final phase siphoned the schema and full contents of an internal PostgreSQL database in under two minutes.
Implications for Defense
Sysdig identified four distinct indicators that an LLM agent orchestrated the attack, including the improvised nature of the database dump. This incident underscores a new frontier in automated cyberattacks, where LLMs can rapidly coordinate multi-step credential harvesting and data theft. Organizations using Marimo notebooks should apply the recent patch immediately, and defenders must prepare for adversarial use of AI in post-exploitation scenarios.
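The credential replay through a fanned-out egress pool described above leaves a recognizable trace: one access key reading secrets from many source addresses within minutes. The following detection sketch is an added example, not code from Sysdig or the original report; it assumes CloudTrail-style records, and the window and address thresholds, the key IDs and all sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

def _ev(t, name, ip, key):
    # Build one record using CloudTrail field names.
    return {"eventTime": t, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}}

# Constructed sample records; every key ID, address and timestamp is made up.
SAMPLE_EVENTS = [
    # Key A: four calls from four addresses in under two minutes (fan-out).
    _ev("2026-05-10T10:00:05Z", "GetSecretValue", "198.51.100.10", "AKIAEXAMPLEKEYA"),
    _ev("2026-05-10T10:00:40Z", "GetSecretValue", "198.51.100.77", "AKIAEXAMPLEKEYA"),
    _ev("2026-05-10T10:01:10Z", "GetSecretValue", "203.0.113.5", "AKIAEXAMPLEKEYA"),
    _ev("2026-05-10T10:01:30Z", "GetSecretValue", "203.0.113.9", "AKIAEXAMPLEKEYA"),
    # Key B: repeated reads from one host, plus unrelated calls from elsewhere.
    _ev("2026-05-10T10:02:00Z", "GetSecretValue", "192.0.2.20", "AKIAEXAMPLEKEYB"),
    _ev("2026-05-10T10:02:20Z", "GetSecretValue", "192.0.2.20", "AKIAEXAMPLEKEYB"),
    _ev("2026-05-10T10:02:30Z", "ListBuckets", "192.0.2.21", "AKIAEXAMPLEKEYB"),
    _ev("2026-05-10T10:02:40Z", "ListBuckets", "192.0.2.22", "AKIAEXAMPLEKEYB"),
    # Key C: three addresses, but spread over three hours.
    _ev("2026-05-10T08:00:00Z", "GetSecretValue", "192.0.2.50", "AKIAEXAMPLEKEYC"),
    _ev("2026-05-10T09:30:00Z", "GetSecretValue", "192.0.2.51", "AKIAEXAMPLEKEYC"),
    _ev("2026-05-10T11:00:00Z", "GetSecretValue", "192.0.2.52", "AKIAEXAMPLEKEYC"),
]

def fanned_out_keys(events, window_seconds=300, min_ips=3, watched=("GetSecretValue",)):
    """Map each access key to the source IPs seen when it called a watched API
    from at least min_ips distinct addresses inside one sliding window."""
    calls_by_key = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key and ev.get("eventName") in watched:
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            calls_by_key[key].append((ts, ev["sourceIPAddress"]))
    flagged = defaultdict(set)
    for key, calls in calls_by_key.items():
        calls.sort()
        start = 0
        for end, (ts, _) in enumerate(calls):
            # Shrink the window from the left until it spans <= window_seconds.
            while (ts - calls[start][0]).total_seconds() > window_seconds:
                start += 1
            ips = {ip for _, ip in calls[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[key] |= ips
    return {key: sorted(ips) for key, ips in flagged.items()}

if __name__ == "__main__":
    for key, ips in fanned_out_keys(SAMPLE_EVENTS).items():
        print(f"{key}: secret reads from {len(ips)} addresses: {', '.join(ips)}")
```

Tune `window_seconds` and `min_ips` against normal traffic, since workloads behind NAT pools or multi-region deployments can legitimately read a secret from several addresses.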
Source: The Hacker News

