113 seconds
Time for the LLM agent to enumerate the PostgreSQL schema and exfiltrate six full database tables after gaining SSH bastion access
68 minutes
Total attack duration from initial CVE-2026-39987 exploit on marimo /terminal/ws to completed internal database dump
11 distinct IPs
Cloudflare Workers egress IPs used to distribute AWS Secrets Manager API calls and SSH sessions, defeating threshold-based IP alerting
4 pivots
Attack chain stages: CVE exploit to cloud credential harvest to AWS Secrets Manager to SSH bastion to full database exfiltration

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

An autonomous LLM agent drained the full contents of an internal PostgreSQL database in 113 seconds after exploiting CVE-2026-39987, a critical pre-authenticated remote code execution flaw in the marimo Python notebook platform, Sysdig's threat research team captured the first confirmed in-the-wild intrusion where an AI agent autonomously composed and executed a four-pivot kill chain without human direction at each step, reported May 29, 2026.

The LLM agent post-exploitation attack began on May 10, 2026, when an attacker exploited CVE-2026-39987 to gain initial access to an internet-reachable marimo instance via its /terminal/ws WebSocket endpoint. The agent extracted cloud credentials from environment files on the compromised host, replayed those credentials through Cloudflare Workers egress IPs to retrieve an SSH private key from AWS Secrets Manager, and opened eight parallel SSH sessions against a downstream bastion host. The agent exfiltrated the schema and full contents of six database tables, api_key, credential, user, variable, flow, and message, in under two minutes.

What separates this incident from conventional post-exploitation is not the vulnerability or the tools. The LLM agent adapted its actions in real time based on what it discovered at each stage. When it found an opaque database hostname with no schema pre-staged on disk, it enumerated pg_tables and located a credential table it could not have known existed. No pre-built playbook scripted this discovery. The agent reasoned its way to the highest-value target. Defenders watching the same logs had no prior signature to alert on: the machine-optimized commands were formatted to blend with legitimate administrative traffic, and the attack's distributed egress pool prevented IP-based detection from firing at any point in the chain.

How Does an LLM Agent Post-Exploitation Attack Work?

An LLM agent post-exploitation attack is an intrusion where an artificial intelligence agent conducts the post-compromise phase autonomously, issuing commands and adapting based on real-time output rather than executing a fixed script.

CVE-2026-39987 is a critical pre-authenticated remote code execution vulnerability in marimo, an open-source Python reactive notebook platform used in data science, machine learning, and analytics workflows. The vulnerability resides in the /terminal/ws WebSocket endpoint, which marimo exposes for interactive terminal access inside the notebook environment. In versions 0.20.4 and earlier, this endpoint accepts connections without authentication, allowing any remote attacker to send arbitrary shell commands to the underlying server. The fixed version is marimo 0.23.0. CISA added CVE-2026-39987 to its Known Exploited Vulnerabilities catalog following confirmed active exploitation.

The four-pivot chain documented by Sysdig ran as follows:

Phase 1, Initial RCE (18:23:44 UTC). The attacker connected to /terminal/ws from IP 157.66.54.26 (AS141892, Indonesia) and executed the first interactive commands within one second. The machine-optimized formatting of those commands, echo delimiters, bounded output captures, pager-disabled flags, was apparent from the first request.

Phase 2, Credential harvest (18:24:14 UTC). The LLM agent enumerated /app/.env files, /etc/environment, /proc/*/environ, and ~/.aws/credentials. It extracted two sets of cloud credentials and a PostgreSQL password from ~/.pgpass.

Phase 3, AWS Secrets Manager pivot (19:26:31 UTC). Forty-eight minutes after initial compromise, the agent replayed the harvested AWS credentials across 11 distinct Cloudflare Workers egress IPs, issuing 12 secretsmanager:GetSecretValue API calls in 22 seconds to retrieve an ed25519 SSH private key.

Phase 4, SSH bastion and database exfiltration (19:30:30 to 19:32:23 UTC). Using the retrieved SSH key, the agent opened eight parallel SSH sessions from six Cloudflare Workers IPs, enumerated the PostgreSQL schema via pg_tables, and dumped all six tables in 113 seconds.

1

RCE via CVE-2026-39987 on marimo /terminal/ws

Unauthenticated WebSocket connection to internet-reachable marimo instance. First commands execute within one second. Machine-optimized formatting visible from the first request.

2

Credential harvest from environment files

LLM agent systematically enumerates /app/.env*, /etc/environment, /proc/*/environ, ~/.aws/credentials, and ~/.pgpass. Two cloud credential sets and PostgreSQL password extracted.

3

AWS Secrets Manager pivot for SSH key retrieval

Harvested AWS credentials replayed across 11 Cloudflare Workers IPs. Twelve redundant secretsmanager:GetSecretValue calls in 22 seconds retrieve an ed25519 SSH private key stored in Secrets Manager.

4

SSH bastion access and PostgreSQL database dump

Eight parallel SSH sessions from six Cloudflare Workers IPs reach the downstream bastion. Agent enumerates pg_tables, identifies credential and user tables, dumps six tables in 113 seconds.

The Attack in Real Time: 68 Minutes From CVE Exploit to Full Database Dump

The complete timeline from initial WebSocket connection to finished database exfiltration ran 68 minutes and 39 seconds. No stage paused for human coordination.

At 18:23:44 UTC, the first connection arrived at the marimo /terminal/ws endpoint. Every command from the first second followed the same machine-optimized structure: echo '---' delimiters for output parsing, 2>&1 | head -N bounded captures to prevent output hangs, -P pager=off flags to disable interactive less, and quoted-EOF HEREDOCs bundling multiple queries into single execution units. This formatting appeared in every command across the entire session, across all IP addresses involved. A human operator does not maintain that consistency across hundreds of commands on multiple network paths simultaneously.

The 48-minute gap between credential harvest at 18:24:14 and the first AWS API call at 19:26:31 represents the agent's context-switching time, or a deliberate cooldown to reduce detection surface. During this gap, no commands executed on the compromised host.

The AWS pivot phase completed in 22 seconds. The agent issued 12 redundant secretsmanager:GetSecretValue calls across 11 separate Cloudflare Workers egress IPs. The redundancy is a behavioral AI signature: a human operator calls a secret once. The agent called it 12 times, each call from a different execution context within the agent framework, each independently retrieving the same value. The distribution across 11 IPs prevented any single IP from sending more than two requests, defeating threshold-based alerting at every point.

The final 113-second phase opened eight parallel SSH sessions from six distinct IPs, enumerated the internal database schema without any prior knowledge of its structure, and exfiltrated the full contents of six production tables. The agent located a credential table it had no advance knowledge of by running a live schema query and reasoning about which tables contained the highest-value data.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The Four Behavioral Signatures That Prove an AI Agent Ran This Attack

Sysdig identified four properties that distinguish LLM agent execution from both human-operated attacks and traditional scripted automation. These signatures are now detection targets for threat hunters.

Signature 1, Improvised target enumeration. The internal database hostname was opaque. No application identifier existed on disk and no schema dump was pre-staged. The agent discovered the credential table through live pg_tables enumeration and immediately targeted it. A scripted playbook cannot adapt to an unknown schema. A human operator could, but the command velocity across the session ruled out human-directed execution. The agent composed the exfiltration path live, based solely on what it found in the environment.

Signature 2, Planning comment leakage. Embedded in the command stream was the Chinese-language annotation "看还能做什么", "See what else we can do." This comment appeared across six distinct IP addresses at sub-second cadence. It leaked from the LLM agent's internal reasoning chain into its command output. Human operators do not annotate their actions in multi-IP command streams at sub-second velocity. The comment is a direct artifact of the agent's chain-of-thought generation appearing in the executed output.

Signature 3, Machine-optimized command structure. Every command in the session used identical formatting: echo '---' output delimiters, 2>&1 | head -N bounded captures, -P pager=off to disable interactive paging, and suppressed error streams. This consistency across hundreds of commands spanning multiple IP addresses and multiple attack phases indicates a single automated process generating all commands. Human operators format commands for readability. LLM agents format commands for machine output parsing.

Signature 4, Output-dependent handoffs. The agent fed each command's output directly into subsequent actions. The PGPASSWORD value came from ~/.pgpass content captured earlier. The SecretId for the AWS Secrets Manager call came from the ListSecrets response. Directory paths came from prior ls /home/ enumeration. This chaining, where each step depends on the actual result of the previous step rather than a hardcoded value, is the defining operational difference between a live AI agent and a pre-scripted tool.

What is new here is the AI-driven engine on the other side of the connection. The attacker used an LLM agent to adaptively continue post-compromise actions. The chain still landed on a credential table within minutes, despite no pre-staged schema.

Sysdig Threat Research Team, AI Agent at the Wheel, May 2026

Who Is at Risk? Marimo Deployments in Enterprise Environments

Any organization running marimo notebook instances accessible from the public internet on versions 0.20.4 or earlier is exposed to initial access via CVE-2026-39987. The LLM agent post-exploitation risk extends to every host, credential store, and internal system reachable from that marimo instance.

Marimo is a reactive Python notebook platform widely used in data science, machine learning, and analytics workflows. Enterprise deployments frequently run marimo on cloud instances with access to production credentials, cloud APIs, and internal databases. The Sysdig incident demonstrates the exact risk: a development notebook environment connected to AWS Secrets Manager, an SSH bastion, and a production PostgreSQL database. An attacker who gains RCE on the notebook gains the same cloud access the notebook's host environment was granted.

The most exposed deployment pattern is a marimo instance running in a cloud environment where the host has IAM roles or stored credentials with access to other cloud services. The notebook is a development convenience. The AWS credentials it stores are production-grade. MLOps platforms, data pipeline orchestrators, and Jupyter-adjacent environments that follow similar deployment patterns face identical exposure.

The LLM agent post-exploitation pattern is not limited to marimo. Any application RCE that lands on a host with cloud credentials, secret stores, or internal network access is now subject to the same four-pivot chain: credential harvest, cloud API pivot, internal network access, data exfiltration. CVE-2026-39987 is the entry point in this specific incident. The capability to autonomously execute that chain exists wherever an attacker can deploy an LLM agent post-compromise.

For context on the broader AI-assisted attack escalation, including the first confirmed LLM-generated exploit code in the wild, see the AI-built zero-day that bypassed 2FA, documented by Google GTIG in May 2026. The marimo incident confirms that AI is no longer only in the exploit development phase: it is now operational in the post-compromise phase as well.

IOCs and Detection: How to Hunt for LLM Agent Activity in Your Logs

Detection of the Marimo CVE-2026-39987 compromise and LLM agent activity requires log sources covering the marimo application, AWS CloudTrail, SSH access logs, and database query logs.

Marimo endpoint detection. Any access to /terminal/ws from an unexpected source IP is an exploitation indicator. Restrict this endpoint to trusted network ranges via reverse proxy or firewall rules. Log all WebSocket connections to /terminal/ws with source IP, timestamp, and session duration.

AWS CloudTrail behavioral detection. The LLM agent's redundant API call pattern produces a distinctive CloudTrail signature: multiple secretsmanager:GetSecretValue calls for the same SecretId arriving within seconds from multiple source IPs in the 104.28.0.0/16 Cloudflare Workers range. Alert on: more than two GetSecretValue calls for the same SecretId within 60 seconds, GetSecretValue calls originating from Cloudflare Workers IP space (AS13335) rather than your cloud instance's expected IP, and sts:GetCallerIdentity calls that do not match expected service principals.

SSH behavioral detection. Eight parallel SSH sessions opened simultaneously from Cloudflare Workers IPs to an internal bastion is anomalous. Alert on: multiple simultaneous SSH connections to the same bastion from different source IPs within a 30-second window, SSH connections originating from Cloudflare Workers IPs (104.28.0.0/16) to internal hosts, and SSH session durations under 120 seconds with high command volume.

Database query detection. The agent's schema enumeration via pg_tables followed immediately by large SELECT queries across multiple tables is a database threat hunting signature. Alert on: SELECT tablename FROM pg_tables immediately followed by bulk SELECT from tables named credential, api_key, or user, and application-user PostgreSQL connections issuing pg_tables queries without prior application context.

LLM agent command signature. Hunt for the echo '---' delimiter pattern in SSH session logs and shell command audit logs. This pattern in command streams that span multiple source IPs at high velocity is a strong indicator of machine-generated command execution.

For a related supply chain attack pattern where AI tooling was used to generate malware variants that evaded signature detection on first deployment, see the SLOPOLY AI-generated malware and Hive0163 Interlock ransomware breakdown.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Immediate Remediation Steps for CVE-2026-39987

Update marimo to version 0.23.0 immediately. If running an internet-accessible instance on any version through 0.20.4, treat it as compromised pending investigation.

Update marimo to version 0.23.0 or later

Run pip install --upgrade marimo or update via your package manager. Version 0.23.0 closes CVE-2026-39987 by adding authentication controls on the /terminal/ws WebSocket endpoint. Any version through 0.20.4 is vulnerable.

Block /terminal/ws from public internet immediately

If patching is delayed, configure your reverse proxy or firewall to restrict access to /terminal/ws to trusted IP ranges only. This eliminates the attack vector without requiring an immediate application upgrade.

Rotate all AWS credentials from any affected instance

Any marimo host running 0.20.4 or earlier that was internet-accessible should have all AWS access keys and IAM credentials rotated. The LLM agent specifically targeted ~/.aws/credentials and environment variables. Assume those credentials are compromised.

Audit AWS CloudTrail for secretsmanager:GetSecretValue anomalies

Search CloudTrail for GetSecretValue calls arriving from Cloudflare Workers IPs (104.28.0.0/16, AS13335) or in clusters of more than two calls for the same SecretId within 60 seconds. These patterns indicate the LLM agent's redundant retrieval behavior.

Rotate all SSH keys reachable from any compromised host

The LLM agent retrieved an SSH private key from AWS Secrets Manager and used it to access an internal bastion. Rotate any SSH key stored in Secrets Manager, in .env files, or in ~/.ssh/ on any host that was running a vulnerable marimo instance.

Rotate all database credentials and application API keys

The agent exfiltrated contents of api_key, credential, and user tables from the internal PostgreSQL database. Rotate all database passwords and application API keys stored in or accessible from the compromised environment. Notify downstream applications of the credential rotation.

Deploy pg_tables enumeration alerting on internal databases

Add a detection rule to your database audit log pipeline: SELECT tablename FROM pg_tables followed within 60 seconds by SELECT * or SELECT ... FROM tables named credential, api_key, user, or message from an application-level user account. This pattern indicates autonomous schema discovery.

Why LLM Agent Post-Exploitation Matters for Your Organization

The Marimo CVE-2026-39987 incident marks a transition in the threat landscape: AI is no longer only accelerating exploit development. It is now operational in the post-compromise phase, autonomously executing multi-stage attack chains with adaptive decision-making at each step.

The key shift is the decision layer. Traditional scripted post-exploitation tools execute a fixed sequence of commands regardless of what they find. LLM agents observe the environment and reason about the next action. When the marimo agent found an opaque database hostname with no schema pre-staged, it did not fail and exit. It ran a live schema query, identified a credential table, and exfiltrated it. That adaptive behavior breaks the core assumption behind most current detection strategies: that post-exploitation follows predictable patterns.

This capability does not require nation-state resources. The tools to build an LLM-powered attack agent are commercially available. The AI APIs that would power this kind of autonomous post-compromise operation are accessible on the open market. The marimo incident involved an unknown attacker group, not a documented APT. The capability demonstrated here is available to any threat actor willing to invest the operational time to deploy it.

The organizational risk is concentrated in three areas. Development and research environments running notebook platforms with cloud credential access are the immediate exposure. MLOps pipelines and data science infrastructure that follow similar deployment patterns, notebook platform on a cloud host with API keys and secret store access, are the next tier. Any environment where an RCE vulnerability can land an attacker on a host connected to internal systems is now in scope for automated multi-pivot exfiltration without requiring a human operator to direct each step.

The three defenses that matter most are: removing internet exposure from any development tool that stores cloud credentials, implementing runtime detection for the LLM agent behavioral signatures Sysdig documented, and treating cloud credential rotation as a standard incident response step whenever any public-facing application is compromised. The marimo incident ended with a full internal database dump in 68 minutes. A defender who catches the /terminal/ws WebSocket connection in the first minute eliminates all four subsequent pivots.

The bottom line

LLM agent post-exploitation via Marimo CVE-2026-39987 produced a full internal database dump in under two minutes after gaining initial RCE access, the first confirmed case of an AI agent autonomously composing a multi-pivot kill chain in the wild. Three key takeaways: update marimo to 0.23.0 now, CVE-2026-39987 is on the CISA KEV list with active exploitation confirmed. Rotate all AWS credentials and SSH keys on any marimo host that was internet-accessible on versions through 0.20.4, the LLM agent specifically targeted those credential stores. Deploy CloudTrail alerting for clustered secretsmanager:GetSecretValue calls from Cloudflare Workers IPs before end of day today: that is the behavioral signature of this specific attack pattern in your cloud audit logs.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is an LLM agent post-exploitation attack?

An LLM agent post-exploitation attack is an intrusion where an artificial intelligence agent autonomously executes the post-compromise phase of a cyberattack, issuing commands and adapting based on real-time output from the target environment rather than following a pre-written script. The Sysdig-documented Marimo incident on May 10, 2026 is the first confirmed in-the-wild case: an LLM agent chained four pivots from initial RCE to internal database exfiltration in 68 minutes without a human operator directing each step.

What is CVE-2026-39987 and which marimo versions are affected?

CVE-2026-39987 is a critical pre-authenticated remote code execution vulnerability in the marimo Python notebook platform affecting all versions through 0.20.4. The flaw resides in the /terminal/ws WebSocket endpoint, which marimo exposes for in-notebook terminal access. In vulnerable versions this endpoint accepts connections without authentication, allowing any remote attacker to execute arbitrary commands on the underlying server. The fix is marimo version 0.23.0 or later. CISA added CVE-2026-39987 to its Known Exploited Vulnerabilities catalog after confirmed active exploitation.

How did the LLM agent know to look for cloud credentials after the marimo exploit?

The LLM agent used standard post-compromise credential enumeration paths: /app/.env files, /etc/environment, /proc/*/environ, and ~/.aws/credentials. These locations are well-known to any attacker and are part of general post-compromise playbooks. What distinguished the agent was adaptive behavior after this step: it did not have the internal database schema pre-staged, so it ran a live pg_tables query to discover what tables existed and reasoned about which ones contained the highest-value data. The credential discovery was systematic; the database targeting was adaptive.

Can a SIEM detect LLM agent activity in post-exploitation?

Yes, with the right data sources. The marimo LLM agent left four detectable signatures: echo '---' delimiters in every command (hunt in shell audit logs), clustered secretsmanager:GetSecretValue calls from Cloudflare Workers IPs in AWS CloudTrail, eight simultaneous SSH sessions from multiple IPs to the same bastion, and SELECT tablename FROM pg_tables immediately followed by bulk table dumps in database audit logs. None of these signatures individually requires AI-specific detection. They are behavioral anomalies detectable with standard SIEM rules if the underlying log sources are collected.

How long did the Marimo LLM agent attack take from RCE to database exfiltration?

The complete attack ran 68 minutes and 39 seconds from the first WebSocket connection to the marimo /terminal/ws endpoint to the final database table dump. The database exfiltration phase itself, covering schema enumeration and full dumps of six tables (api_key, credential, user, variable, flow, message), completed in 113 seconds. There was a 48-minute gap between the initial credential harvest and the first AWS API call, likely representing agent context-switching time or a deliberate cooldown period.

How do I protect AWS Secrets Manager from credential replay attacks like this?

Implement three controls: restrict which IAM identities and source networks can call secretsmanager:GetSecretValue using resource-based policies; enable CloudTrail logging for Secrets Manager API calls and alert on more than two GetSecretValue calls for the same SecretId within 60 seconds; and rotate secrets regularly with automated rotation enabled. Additionally, avoid storing SSH private keys in Secrets Manager on the same account that application workloads can access, use separate accounts or separate permission boundaries for infrastructure secrets and application secrets.

What database tables did the attacker exfiltrate in the Marimo LLM agent attack?

The LLM agent exfiltrated the schema and full contents of six PostgreSQL tables: api_key, credential, user, variable, flow, and message. The agent discovered these tables through a live pg_tables enumeration query rather than prior knowledge of the schema. It targeted the credential and api_key tables specifically, indicating the agent reasoned about which table names were most likely to contain high-value data. The full exfiltration completed in 113 seconds across eight parallel SSH sessions.

How is an LLM agent attack different from a traditional scripted cyberattack?

Traditional scripted attacks execute a fixed sequence of commands regardless of what they encounter. If the environment does not match the script's assumptions, the script fails or produces no result. An LLM agent observes each output and reasons about the next action, allowing it to adapt to unknown schemas, unexpected credential locations, or novel network paths. In the marimo incident, the agent found an opaque database hostname with no pre-staged schema and located a credential table through live enumeration. A script would have failed at that step. The adaptive decision layer is what makes LLM agents a qualitatively different post-exploitation threat.

Sources & references

  1. Sysdig Threat Research Team, AI Agent at the Wheel: How an Attacker Used LLMs to Move from a CVE to an Internal Database in 4 Pivots
  2. The Hacker News, Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
  3. CISA, Known Exploited Vulnerabilities Catalog: CVE-2026-39987
  4. NVD, CVE-2026-39987 Detail

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.