- What: Threat actors exploited CVE-2026-39987 (pre-auth RCE) in Marimo notebook (versions up to 0.20.4) and deployed an LLM agent to orchestrate the entire post-exploitation chain adaptively, without pre-staged playbooks.
- Impact: Complete PostgreSQL database exfiltrated in under two minutes; 8 parallel SSH sessions launched via a pivoted AWS Secrets Manager SSH key; attack chain completed in ~1 hour from initial access.
- Fix / mitigation: Patch Marimo to v0.23.0 (released April 2026) immediately; rotate all credentials accessible from compromised hosts; audit AWS CloudTrail for unauthorized Secrets Manager access.
- Who's at risk: Any organization running internet-exposed Marimo notebooks below version 0.23.0, especially those with notebook environments connected to cloud credential stores or production databases.
An attacker used a large language model agent to orchestrate post-compromise activity following exploitation of CVE-2026-39987 in Marimo, a Python-based interactive notebook platform. Sysdig's analysis reveals the first documented case of an LLM agent driving live post-exploitation operations, extracting credentials, pivoting through AWS infrastructure, and exfiltrating an entire PostgreSQL database in under two minutes.
The attack marks a fundamental shift in threat actor capabilities. Traditional attacks rely on pre-scripted playbooks that fail when encountering unexpected conditions. LLM agents adapt in real-time, reasoning through obstacles and composing attack chains on the fly based on what they discover in the target environment.
Attack Chain Analysis
CVE-2026-39987 is a critical pre-authenticated remote code execution vulnerability affecting Marimo versions up to and including 0.20.4. The flaw allows unauthenticated attackers to execute arbitrary system commands. On May 10, 2026, the attacker compromised an internet-exposed Marimo notebook using this vulnerability, initiating the attack chain that lasted just over one hour from initial access to complete database exfiltration.
After gaining access, the attacker extracted two cloud credentials from the compromised host. These credentials were replayed through a distributed egress pool to retrieve an SSH private key from AWS Secrets Manager. The attacker then used this key to authenticate against an SSH bastion server, launching eight parallel SSH sessions to the downstream target. Within two minutes of accessing the database server, the attacker had exfiltrated both the schema and complete contents of an internal PostgreSQL database.
Four Indicators of LLM-Driven Operations
Sysdig identified four technical indicators proving an LLM agent orchestrated the attack rather than human operators or traditional scripts. First, the attacker successfully improvised a complete database dump without any prior knowledge of the schema. The database hostname was opaque with no application identifier on disk and no pre-staged schema information, yet the attack chain located a credential table within minutes.
Second, a Chinese-language planning comment—"看还能做什么" ("See what else we can do")—leaked directly into the command stream during credential search operations. This internal reasoning verbalization is characteristic of LLM chain-of-thought processing inadvertently exposed in output.
Third, the command structure revealed machine-optimized formatting. Every command was formatted for machine consumption: operations were separated by consistent "---" delimiters, outputs were captured in bounded formats, interactive tools like 'less' were disabled, and stderr was systematically discarded to minimize noise. These patterns optimize for programmatic parsing and reflect LLM agent tool-use conventions rather than human operator habits.
Fourth, value handoffs demonstrated AI agent workflow patterns. Database passwords were extracted by the agent feeding its own previous output—a cat command on the ~/.pgpass file—into subsequent actions. Similarly, before executing 'cat ~/.ssh/id_ed25519' to retrieve an SSH key, the agent first ran 'ls -la ~/.ssh/id_ed25519*' to confirm the file's existence. This validate-then-execute pattern reflects programmatic tool chaining rather than human intuition.
The Economics of Agent-Based Attacks
Traditional scripted attacks require engineering time to build per-target playbooks. Each new target demands analysis, customization, and testing before deployment. LLM agents fundamentally change this economic equation. Instead of playbook authorship, the constraint becomes inference budget—the computational cost of running the LLM.
Agent operators carry general knowledge about application classes and compose attack chains live to fit each target. When encountering a missing file, unexpected schema, or authentication failure, scripted attackers abort or fall back to hard-coded alternatives. LLM agents read the error, reason about alternatives, and continue adapting. This adaptiveness is the defender-relevant property that fundamentally alters the threat landscape.
Traditional detection based on known attack patterns becomes less effective against adaptive agents. Defenders must shift focus to behavioral anomalies, credential access patterns, and the velocity of privilege escalation rather than signature-based detection of specific command sequences.
Technical Details: CVE-2026-39987
CVE-2026-39987 enables pre-authenticated remote code execution in Marimo, allowing attackers to execute arbitrary system commands without authentication. The vulnerability affects all versions prior to 0.20.4 and was patched in version 0.23.0 released in April 2026. The flaw has been under active exploitation since disclosure, with threat actors using it for reconnaissance against honeypot systems and sensitive data harvesting.
The severity stems from Marimo's typical deployment configuration. Organizations frequently expose these interactive notebook environments to the internet for collaboration purposes, creating a large attack surface. The pre-authentication nature of the vulnerability means no credentials or prior access is required—simply identifying an exposed instance is sufficient for exploitation.
Immediate Actions Required
- Update all Marimo instances to version 0.23.0 or later immediately
- Conduct comprehensive audits to identify any internet-accessible Marimo notebooks in your environment
- Rotate all credentials, API keys, and SSH keys that may have been accessible from compromised systems
- Review AWS CloudTrail logs for unauthorized Secrets Manager access attempts
- Implement network segmentation to prevent lateral movement from notebook environments to production databases
- Enable behavioral monitoring to detect anomalous command patterns characteristic of AI agent operations
- Monitor for rapid sequential operations across multiple sessions, indicating potential agent-driven attacks
Long-Term Defense Strategy
The emergence of LLM agents in post-exploitation requires fundamental changes to defensive strategy. Traditional detection approaches based on known attack signatures and static playbooks will prove insufficient against adaptive adversaries. Security teams must implement behavioral analytics that identify rapid learning patterns, unusual command sequencing, and the characteristic validate-then-execute loops that betray automated reasoning.
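As an added illustration of the behavioral monitoring called for here and in the "Immediate Actions" list (it is example code, not part of the original write-up or any Sysdig tooling), the following Python detector scores a per-session shell audit log for the tool-use habits the four indicators describe: "---" delimiters, discarded stderr, bounded output, disabled pagers, ls-then-cat validate-then-execute pairs, and command bursts. The log format, session ids, thresholds and the sample log itself are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a per-session shell audit log ("timestamp session command").
# The commands imitate the formatting habits described in the write-up; not incident data.
SAMPLE_LOG = """\
2026-05-10T14:02:01Z s1 ls -la ~/.ssh/id_ed25519* 2>/dev/null
2026-05-10T14:02:02Z s1 echo ---
2026-05-10T14:02:02Z s1 cat ~/.ssh/id_ed25519 2>/dev/null
2026-05-10T14:02:03Z s1 PAGER=cat psql -At -c 'select 1' 2>/dev/null | head -n 50
2026-05-10T14:02:04Z s1 cat ~/.pgpass 2>/dev/null
2026-05-10T14:30:00Z s2 ls -la /var/log
2026-05-10T14:31:10Z s2 less /var/log/syslog
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")  # assumed log layout

def parse_log(text):
    sessions = defaultdict(list)  # session id -> [(timestamp, command), ...] in order
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            sessions[m.group(2)].append((ts, m.group(3)))
    return sessions

def agent_signals(cmds, burst_window=60, burst_min=5):
    """Return the set of agent-style tool-use signals seen in one session."""
    signals, probed = set(), set()  # probed: paths checked with ls, for validate-then-execute
    for i, (ts, cmd) in enumerate(cmds):
        if "---" in cmd.split():
            signals.add("delimiter")
        if "2>/dev/null" in cmd:
            signals.add("stderr_discarded")
        if re.search(r"\|\s*(head|tail)\b", cmd):
            signals.add("bounded_output")
        if "PAGER=cat" in cmd or "--no-pager" in cmd:
            signals.add("pager_disabled")
        m = re.match(r"ls\s+(?:-\S+\s+)*(\S+)", cmd)
        if m:
            probed.add(m.group(1).rstrip("*"))  # "ls -la X*" then "cat X" is the pattern
        m = re.match(r"cat\s+(\S+)", cmd)
        if m and m.group(1) in probed:
            signals.add("validate_then_execute")
        # burst_min commands inside burst_window seconds flags machine-speed operation
        if i + 1 >= burst_min and (ts - cmds[i + 1 - burst_min][0]).total_seconds() <= burst_window:
            signals.add("high_velocity")
    return signals

def flag_sessions(text, threshold=3):
    """Map session id -> sorted signals for sessions showing at least `threshold` signals."""
    return {sid: sorted(s) for sid, cmds in parse_log(text).items()
            if len(s := agent_signals(cmds)) >= threshold}
```

The threshold is deliberately a count of independent signals, since any one of them (a stray `2>/dev/null`, say) is common in human shell use and only the combination across a session is unusual.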
Credential management becomes even more critical. The attack chain exploited multiple credential stores—environment variables, AWS Secrets Manager, and SSH keys—demonstrating how agents efficiently map and exploit credential relationships. Implement just-in-time credential provisioning, eliminate standing privileges where possible, and enforce strict time-based access controls that limit the window for credential abuse.
Network segmentation must assume compromise of edge systems. In this incident, a compromised notebook environment led directly to production database exfiltration. Isolate development and collaboration tools from production infrastructure, implement zero-trust network architectures, and enforce strict egress filtering to prevent rapid credential validation against multiple targets.
The defender community faces a new category of threat: adversaries who don't need to see your environment before operating inside it. LLM agents bring general knowledge and adaptive reasoning to post-exploitation, reducing the barrier from specialized expertise to inference budget. Security architectures must evolve to detect and disrupt adaptive adversaries rather than simply blocking known bad patterns.