
Jun 02, 2026 · 7 min read

Sysdig: First In-Wild LLM Agent Attack via Marimo CVE

Sysdig's Threat Research Team published the case on May 30, 2026. On May 10, an attacker pointed an LLM agent at an exposed Marimo notebook server, chained CVE-2026-39987 into AWS Secrets Manager and a downstream bastion, and exfiltrated an internal PostgreSQL database. The agent operated autonomously, ran 12 calls across 11 IPs in 22 seconds, and finished the dump in two minutes.

Most "AI attack" stories are about LLMs writing phishing copy or generating malware variants. Sysdig's Threat Research Team just published one that is genuinely different. On May 10, 2026, the firm captured an intrusion in which a large language model was not assisting the operator; it was the operator. The attacker exploited CVE-2026-39987 in an exposed Marimo Python notebook server, then handed the resulting shell to an LLM agent that improvised its way through four pivots, dumped an internal PostgreSQL database in under two minutes, and finished the entire chain in under an hour. Sysdig publicly framed the case on May 30 as "the first AI agent driven intrusion in the wild" they have recorded. Behavioral signatures from the incident do not look like anything traditional EDR is tuned to catch.

Key Takeaways

  • Sysdig's Threat Research Team disclosed on May 30, 2026 the first documented in-the-wild intrusion driven by an autonomous LLM agent rather than by a human operator with AI assistance.
  • The agent's initial access was CVE-2026-39987, a pre-authentication remote code execution bug in Marimo's /terminal/ws WebSocket endpoint that hands out a PTY shell on request.
  • Exploitation began nine hours and 41 minutes after public disclosure of the Marimo bug, faster than most human N-day weaponization workflows.
  • The LLM agent extracted two cloud credentials from environment files, distributed 12 API calls across 11 IP addresses in 22 seconds to evade per-source rate limiting, pulled an SSH private key out of AWS Secrets Manager, opened eight parallel SSH sessions to a bastion, and dumped a full PostgreSQL database in under two minutes.
  • The agent left a Chinese-language comment in the command stream ("see what else we can do") and operated from IP 157.66.54.26 in AS141892 (Indonesia). No nation-state attribution has been published.

What Is CVE-2026-39987?

CVE-2026-39987 is a critical pre-authentication remote code execution vulnerability in Marimo, an open-source Python reactive notebook platform popular with data science and ML teams. The bug lives in the /terminal/ws WebSocket endpoint, which is supposed to sit behind the server's authentication layer but does not actually validate the requesting session. A single unauthenticated WebSocket connection to that endpoint returns a full PTY shell on the server host. From the attacker's perspective, the exploit is a one-liner: open a WebSocket, send a payload, get a root or near-root shell.

Marimo shipped the fix in version 0.23.0. Anything older is exploitable as long as the notebook server is reachable by the attacker. Like Jupyter notebooks before it, Marimo is frequently deployed without TLS or authentication in cloud accounts during prototyping, and those prototypes routinely get forgotten on the internet. The exposed install Sysdig observed was almost certainly one of those forgotten prototypes.
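As an added example (not code from Sysdig or the Marimo project), the following Python triages a constructed fleet inventory against the fixed release. The only fact it takes from the writeup is that 0.23.0 carries the fix; the inventory format, the hostnames, and the rule that pre-releases of 0.23.0 still count as unpatched are assumptions.

```python
"""Fleet triage for CVE-2026-39987: flag Marimo servers older than the fixed
release. Added example, not code from Sysdig or the Marimo project. The only
fact taken from the writeup is the fixed version, 0.23.0; the inventory format
and hostnames are constructed."""
import csv
import io
import re
from typing import Optional

FIXED_VERSION = (0, 23, 0)  # first release carrying the fix, per the writeup

# Accepts '0.22.5', 'v0.23.0', '0.23.0rc1', '0.23'. Anything else is unknown.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:([A-Za-z]+)\d*)?$")


def parse_version(text: str) -> Optional[tuple[int, int, int, bool]]:
    """Return (major, minor, patch, is_prerelease) or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), pre is not None)


def is_vulnerable(version: str) -> Optional[bool]:
    """True below 0.23.0, False at or above it, None if the version is unknown.
    Assumption: pre-releases of 0.23.0 (e.g. 0.23.0rc1) are treated as
    vulnerable, since only the final 0.23.0 is stated to carry the fix."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    release, is_pre = parsed[:3], parsed[3]
    return release < FIXED_VERSION or (release == FIXED_VERSION and is_pre)


# Constructed inventory; a real one would come from an asset database or from
# collecting `marimo --version` / package metadata on each host.
INVENTORY = """\
host,internet_exposed,version
nb-proto-01.example.internal,yes,0.22.5
nb-proto-02.example.internal,yes,0.23.0rc1
nb-ml-03.example.internal,no,0.21.0
nb-ml-04.example.internal,yes,0.23.1
nb-legacy-05.example.internal,yes,
"""

# Work order: exposed and vulnerable first, then unknown version (you cannot
# prove it safe), then internal-only vulnerable, then patched.
_PRIORITY = {"PATCH-NOW": 0, "UNKNOWN-VERSION": 1, "PATCH": 2, "OK": 3}


def triage(inventory_csv: str) -> list[tuple[str, str]]:
    """Classify each host and return (host, status) sorted by urgency."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        exposed = row["internet_exposed"].strip().lower() == "yes"
        vuln = is_vulnerable(row["version"])
        if vuln is None:
            status = "UNKNOWN-VERSION"
        elif vuln and exposed:
            status = "PATCH-NOW"
        elif vuln:
            status = "PATCH"
        else:
            status = "OK"
        results.append((row["host"], status))
    return sorted(results, key=lambda r: _PRIORITY[r[1]])


if __name__ == "__main__":
    for host, status in triage(INVENTORY):
        print(f"{status:16} {host}")
```

Hosts with an empty or unparseable version sort ahead of internal-only vulnerable hosts on purpose: an exposed server you cannot version is an exposed server you cannot clear.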

How Did the LLM Agent Behave Differently From a Human?

Three characteristics in Sysdig's writeup distinguish this from a human operator running with AI assistance:

  • Machine-parsable command output. Every command the agent issued used "structured separators, bounded output caps, and discarded error streams." A human at a keyboard types ad hoc commands and lets stderr scroll past; the agent treated each invocation as a function call whose output it would parse programmatically.
  • Real-time schema improvisation. The PostgreSQL database the agent dumped was one it had no prior knowledge of. It enumerated table schemas, identified a credentials table, and tailored the dump query to the exact column set, all without pre-canned tooling.
  • Rate-limit evasion through IP rotation. The agent distributed 12 API calls across 11 IPs in 22 seconds, presumably from an attacker-controlled proxy pool. A human running each command by hand would not have produced that level of dispersion on so short a timescale.

Sysdig did not publicly name the LLM family the operator used. The two practical options are an open-weight model run on infrastructure the operator controls or a commercial hosted API; the writeup does not say which.
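The command-shape signature in the first bullet is the same one the defensive recommendations below say to log and learn. As an added example, not Sysdig's detection logic, here is a heuristic scorer over constructed shell sessions: the regexes, the 0.6 threshold and the sample commands are all assumptions, and the input is one command line per element, as a command-execution audit source (auditd, Falco, shell history) would emit.

```python
"""Score a shell command stream for the agent signature Sysdig described:
structured separators, bounded output caps, discarded error streams. Added
example, not Sysdig's detection logic; the regexes, threshold and sample
sessions are constructed here."""
import re

# Each heuristic is a constructed approximation of one trait from the writeup.
FEATURES = {
    # echo/printf of a run of delimiter characters: machine-parsable section markers
    "separator": re.compile(r"\b(echo|printf)\s+['\"]?[=\-#*_]{3,}"),
    # explicit head/tail line or byte caps on a pipeline
    "cap": re.compile(r"\|\s*(head|tail)\s+-[nc]\s*\d+"),
    # stderr sent to /dev/null or closed outright
    "discard": re.compile(r"2>\s*(/dev/null|&-)"),
}


def score_command(cmd: str) -> set[str]:
    """Return the set of agent-style features present in one command."""
    return {name for name, rx in FEATURES.items() if rx.search(cmd)}


def session_score(commands: list[str]) -> float:
    """Fraction of commands in the session showing at least one feature."""
    if not commands:
        return 0.0
    flagged = sum(1 for c in commands if score_command(c))
    return flagged / len(commands)


def is_agent_like(commands: list[str], threshold: float = 0.6) -> bool:
    """Session-level verdict. One `2>/dev/null` is normal human hygiene; the
    signal is that nearly every command in the session is shaped this way."""
    return session_score(commands) >= threshold


# Constructed sample sessions (not from the incident).
AGENT_SESSION = [
    "echo '===BEGIN env==='; cat /app/.env 2>/dev/null | head -n 50; echo '===END env==='",
    "ls -la /home 2>/dev/null | head -n 100",
    "cat ~/.aws/credentials 2>/dev/null | head -c 4096",
    "psql -At -c \"select table_name from information_schema.tables\" 2>/dev/null | head -n 200",
    "echo '---'; id; uname -a; echo '---'",
]
HUMAN_SESSION = [
    "ls -la",
    "cat .env",
    "cd /home/app && ls",
    "find / -name '*.pem' 2>/dev/null",
    "cat /etc/passwd | head",
]

if __name__ == "__main__":
    for name, session in (("agent", AGENT_SESSION), ("human", HUMAN_SESSION)):
        print(f"{name}: score={session_score(session):.2f} agent_like={is_agent_like(session)}")
```

The verdict is deliberately per session rather than per command: a single suppressed stderr is ordinary, while five consecutive commands that all bound their output and bracket it with delimiters is the pattern worth paging on.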

What Was the Attack Chain?

Initial access followed by four pivots, total elapsed time under one hour:

  1. Initial access. Exploit CVE-2026-39987 against the exposed Marimo notebook server, get a PTY shell.
  2. Credential harvest. Read .env files and AWS credential store on the host. Two cloud credentials recovered.
  3. AWS Secrets Manager pivot. Use one of the harvested credentials to call AWS Secrets Manager. Retrieve an SSH private key that the host was authorized to read.
  4. SSH to internal bastion. Open eight parallel SSH sessions to a downstream bastion host using the lifted key. Authenticate successfully.
  5. Database dump. Enumerate the PostgreSQL database reachable from the bastion, identify a credentials table, and exfiltrate the full database in under two minutes.

From the defender's vantage, every step in this chain is a well-known sub-technique in MITRE ATT&CK. What is new is that no human paused between steps. The agent ran the entire chain at machine speed without waiting for a human to read output, draft a follow-up command, or copy-paste credentials. The compression of the window between initial access and complete data theft is what makes this incident operationally novel.

Why Does Speed Break Most Defenses?

Most incident response programs assume a human attacker spending hours or days inside an environment, and budget minutes to hours of analyst time to respond. Even fast ransomware crews typically need at least overnight to get from initial access to encryption. A two-minute database exfiltration breaks that model in three places.

First, on-call paging windows are usually longer than the window the agent gives the defender. Second, manual SOC triage of an alert routinely takes 15 to 30 minutes; the agent finishes before the alert is even read. Third, conventional rate limiting on cloud API calls is keyed to the source address and tuned to human tempo; an agent that spreads 12 calls across 11 IPs in 22 seconds never exceeds any single source's budget. The defense industry's response to this class of incident will have to be automated containment, not analyst response.
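To make the third point concrete, here is an added example (not Sysdig's detection) that runs a per-source rate counter and a per-principal IP-dispersion detector over constructed CloudTrail-style events shaped like the incident: 12 calls, 11 source IPs, 22 seconds, one access key. The event names, addresses (TEST-NET ranges) and access keys (AWS documentation examples) are constructed; the 60-second window and five-IP threshold are assumptions.

```python
"""Per-principal IP-dispersion detection over CloudTrail-style events, versus
the per-source rate limit the writeup says the agent slipped under. Added
example, not Sysdig's detection; the events are constructed (TEST-NET
addresses, AWS documentation example access keys) to mirror the shape of the
incident: 12 calls, 11 source IPs, 22 seconds, one access key."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=60)  # assumption: one-minute sliding window


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def _max_in_window(rows: list[tuple[datetime, str]], count_distinct: bool) -> int:
    """Slide WINDOW over time-sorted (timestamp, value) rows and return the
    largest number of rows (or of distinct values) seen in any one window."""
    rows = sorted(rows)
    best, start = 0, 0
    for end, (ts, _) in enumerate(rows):
        while ts - rows[start][0] > WINDOW:
            start += 1
        window = rows[start:end + 1]
        n = len({v for _, v in window}) if count_distinct else len(window)
        best = max(best, n)
    return best


def max_distinct_ips_per_principal(events: list[dict]) -> dict[str, int]:
    """For each access key, the most distinct source IPs used inside one window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"]["accessKeyId"]].append((_ts(e), e["sourceIPAddress"]))
    return {k: _max_in_window(v, count_distinct=True) for k, v in by_key.items()}


def max_calls_per_source_ip(events: list[dict]) -> int:
    """What a per-source rate limiter sees: the busiest single IP in any window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["sourceIPAddress"]].append((_ts(e), e["eventName"]))
    return max(_max_in_window(v, count_distinct=False) for v in by_ip.values())


def dispersion_alerts(events: list[dict], min_distinct_ips: int = 5) -> list[str]:
    """Access keys that used >= min_distinct_ips source IPs within one window."""
    return sorted(k for k, n in max_distinct_ips_per_principal(events).items()
                  if n >= min_distinct_ips)


def _event(key: str, ip: str, name: str, t: datetime) -> dict:
    return {"eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "eventName": name,
            "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}}


_BASE = datetime(2026, 5, 10, 3, 14, 0, tzinfo=timezone.utc)  # constructed
AGENT_KEY = "AKIAIOSFODNN7EXAMPLE"
HUMAN_KEY = "AKIAI44QH8DHBEXAMPLE"

# Constructed burst: 12 calls, 2 s apart (22 s total), 11 distinct IPs, the
# first IP reused once. Event names are illustrative only.
EVENTS = [
    _event(AGENT_KEY, f"203.0.113.{(i % 11) + 1}",
           "GetSecretValue" if i else "GetCallerIdentity", _BASE + timedelta(seconds=2 * i))
    for i in range(12)
] + [
    # Constructed human baseline: one IP, one call every 100 s.
    _event(HUMAN_KEY, "198.51.100.7", "DescribeInstances", _BASE + timedelta(seconds=100 * i))
    for i in range(6)
]

if __name__ == "__main__":
    print("busiest single IP in 60 s:", max_calls_per_source_ip(EVENTS))
    print("distinct IPs per key:", max_distinct_ips_per_principal(EVENTS))
    print("dispersion alerts:", dispersion_alerts(EVENTS))
```

On this input the busiest single source IP makes two calls a minute, so a per-IP limit of, say, ten per minute never fires; keyed on the principal instead, the same events show one access key answering from 11 addresses inside a minute, which no legitimate workload does.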

Sysdig's own framing in the writeup is direct: "autonomous AI driven attacks require autonomous AI driven detection." Signature-based defenses keyed to historical TTPs are insufficient when the agent generates its TTPs in real time against the specific target.

What Should Defenders Do Right Now?

Short-term moves:

  • Patch Marimo to 0.23.0 or later anywhere it is deployed. Inventory exposed notebook servers (Marimo, Jupyter, Hex, others) and pull them off the public internet wherever possible.
  • Audit AWS Secrets Manager access policies. The agent in this case pivoted by reading a bastion SSH key from Secrets Manager with a credential harvested from the notebook host. Whether or not that read was technically permitted, a notebook host has no need for a bastion key; scope each role to the specific secret ARNs it actually uses and the most common pivot path closes.
  • Set up automated SOAR responses for high-signal alerts. When the agent moves at two-minute speed, human review cannot be in the critical path. Specific patterns to automate on: Secrets Manager reads from new role contexts, large outbound database queries from infrastructure that does not normally produce them, parallel SSH sessions from the same source.
  • Log and analyze command output formats. Sysdig flagged the structured separators and bounded output caps as a signature. Detection systems can learn that signature even when individual commands vary.
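For the Secrets Manager bullet, here is an added example, not Sysdig's or AWS's code, that puts the weak policy beside a scoped one and checks both with a minimal IAM policy evaluator written here. The account ID, secret names and both policies are constructed; the evaluator models Effect, Action and Resource with IAM wildcard matching and explicit-deny-wins, and does not model Condition, NotAction, NotResource, resource policies or SCPs.

```python
"""Weak versus scoped Secrets Manager access, checked with a minimal IAM policy
evaluator. Added example, not Sysdig's or AWS's code: the two policies, the
account ID and the secret names are constructed. The evaluator models Effect,
Action and Resource with IAM wildcard matching and explicit-deny-wins; it does
not model Condition, NotAction, NotResource, resource policies or SCPs."""
import re


def _glob(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(v) -> list[str]:
    return [v] if isinstance(v, str) else list(v)


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    Action names match case-insensitively, resource ARNs case-sensitively."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_glob(a, action, ignore_case=True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any allow
        decision = "Allow"
    return decision


ACCOUNT = "123456789012"  # constructed
ARN_PREFIX = f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:"
DB_RO_SECRET = ARN_PREFIX + "notebook/feature-store-db-ro-Ab12Cd"  # what the notebook needs
BASTION_KEY = ARN_PREFIX + "bastion/ssh-key-Ef34Gh"                # what the agent pivoted through

# Weak: the prototype-era policy that turns a notebook shell into a bastion key.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}],
}

# Scoped: read only the secret this role exists to read, and explicitly deny
# the bastion path so a later over-broad Allow cannot quietly reopen it.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
         "Resource": ARN_PREFIX + "notebook/feature-store-db-ro-*"},
        {"Effect": "Deny",
         "Action": "secretsmanager:*",
         "Resource": ARN_PREFIX + "bastion/*"},
    ],
}


def pivot_check(policy: dict) -> dict[str, str]:
    """Decisions for the three requests that matter in this incident."""
    return {
        "read_own_db_secret": evaluate(policy, "secretsmanager:GetSecretValue", DB_RO_SECRET),
        "read_bastion_key": evaluate(policy, "secretsmanager:GetSecretValue", BASTION_KEY),
        "list_all_secrets": evaluate(policy, "secretsmanager:ListSecrets", "*"),
    }


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, pivot_check(pol))
```

The trailing wildcard on the allowed resource is there because Secrets Manager appends a random suffix to every secret ARN; it still pins the role to one secret path. Against a real account, run the same three requests through `aws iam simulate-principal-policy` for each role that notebook hosts assume, since that simulation includes the Condition keys, resource policies and SCPs this toy evaluator leaves out.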

For broader context on how AI is reshaping the threat landscape, see the GreyVibe campaign using ChatGPT to phish Ukraine for nine months and the ChatGPhish prompt injection technique disclosed May 29, 2026. Those are AI-augmented attacks. Sysdig's case is AI-primary, and it is the one to plan for next.

What Happens Next?

Two outcomes follow. In the near term, open-weight model offerings (Llama family, Qwen family, DeepSeek family) make it cheap for an operator to run an agent loop without paying a commercial API per token. Expect the tooling to spread, especially among groups that already have proxy pools and cloud account access. Commercial APIs will tighten policy on agentic loop abuse, but jailbreaks for this specific task class (run shell commands and process the output) are not difficult.

Longer term, the LLM agent as primary operator turns reachability into the dominant risk factor. If your service is on the internet and exploitable, the time between disclosure and compromise drops from days to hours, and the time between compromise and data theft drops from hours to minutes. The economic model of "patch when convenient because attackers will not weaponize for a week" is no longer load-bearing.
