Full Report
An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly accessible Marimo network using a recently disclosed vulnerability. "The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised
Analysis Summary
# Incident Report: LLM Agent-Driven Post-Exploitation of Marimo Notebooks
## Executive Summary
An unknown threat actor exploited a critical RCE vulnerability (CVE-2026-39987) in a publicly accessible Marimo notebook to gain initial access to a cloud environment. The attacker utilized a Large Language Model (LLM) agent to conduct highly adaptive post-compromise actions, leading to the theft of AWS credentials and the exfiltration of an internal PostgreSQL database in under two minutes. This incident highlights a shift from static scripted attacks to dynamic, machine-driven exploitation that can adapt to unfamiliar environments in real time.
## Incident Details
- **Discovery Date:** May 10, 2026 (Reported by Sysdig)
- **Incident Date:** May 10, 2026
- **Affected Organization:** Not disclosed (Honeypot environment utilized for research)
- **Sector:** Technology / Cloud Infrastructure
- **Geography:** Global (Internet-reachable)
## Timeline of Events
### Initial Access
- **Date/Time:** May 10, 2026
- **Vector:** Exploitation of CVE-2026-39987
- **Details:** Attackers exploited an unauthenticated remote code execution (RCE) vulnerability in an internet-facing Marimo notebook (versions ≤ 0.20.4).
### Lateral Movement
- **Credential Harvesting:** Extracted AWS access keys from the compromised host environment.
- **Privilege Escalation:** Replayed credentials through a fanned-out egress pool to access AWS Secrets Manager.
- **Pivot:** Retrieved an SSH private key from Secrets Manager to access a downstream SSH bastion server.
### Data Exfiltration/Impact
- **Database Compromise:** Launched eight parallel SSH sessions from the bastion server to an internal PostgreSQL database.
- **Exfiltration:** Successfully siphoned the schema and full contents of the internal database in less than two minutes.
### Detection & Response
- **How it was discovered:** Monitored by Sysdig’s security platform; identified unusual command patterns and LLM "leakage."
- **Response actions taken:** Analysis of the attack chain; disclosure of LLM-specific indicators of compromise (IoCs).
## Attack Methodology
- **Initial Access:** RCE via Marimo vulnerability CVE-2026-39987.
- **Persistence:** Not explicitly detailed; focused on rapid execution.
- **Privilege Escalation:** Retrieval of higher-privilege SSH keys via AWS Secrets Manager.
- **Defense Evasion:** Use of egress pools to mask origin; discarding `stderr` and disabling the `less` pager to minimize noise in captured output.
- **Credential Access:** Extraction of cloud credentials from local environment files.
- **Discovery:** LLM-driven reconnaissance (e.g., `ls` commands preceding `cat` to verify file existence).
- **Lateral Movement:** SSH tunneling/sessions via a bastion host.
- **Collection:** Parallelized database dumping.
- **Exfiltration:** High-speed data transfer over SSH.
- **Impact:** Complete loss of confidentiality for the internal PostgreSQL database.
## Impact Assessment
- **Financial:** Not disclosed; inference budget-related costs for the attacker.
- **Data Breach:** Full schema and data exfiltration of an internal PostgreSQL database.
- **Operational:** Rapid compromise (under one hour end-to-end) limits manual intervention time.
- **Reputational:** High risk if sensitive customer data is stored in the affected database.
## Indicators of Compromise
- **Behavioral Indicators:**
  - Commands separated by "---" delimiters.
  - Leakage of LLM system/planning notes (e.g., Chinese-language comments like "看还能做什么", "see what else can be done").
  - Non-interactive command design (machine-optimized output captures).
  - Sequential "check-then-act" patterns (e.g., `ls` followed immediately by `cat`).
- **Network Indicators:**
  - Connection to AWS Secrets Manager from unauthorized notebook instances.
  - Multiple parallel SSH sessions (8+) from a single bastion to a database.
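The behavioral indicators above can be turned into a simple scorer over a recorded shell session. The following Python is an added example, not code from the Sysdig report or from any product it mentions; the two sample sessions, the regular expressions and the two-indicator threshold are constructed assumptions for illustration and should be tuned against your own command baseline.

```python
import re
from typing import Dict, List

# Constructed sample: one shell session as a runtime-security tool might record
# it (one command per line, in order). Made up for this example; not the
# incident's real commands.
SAMPLE_SESSION: List[str] = [
    "ls -la /srv/app",
    "cat /srv/app/.env 2>/dev/null",
    "---",
    "# 看还能做什么",
    "env 2>/dev/null",
    "---",
    "ls /home/svc/.ssh",
    "cat /home/svc/.ssh/config 2>/dev/null",
    "export PAGER=cat",
    "---",
]

# Constructed sample of an ordinary interactive session, for contrast.
BENIGN_SESSION: List[str] = [
    "cd /srv/app",
    "git status",
    "less README.md",
    "vim config.yaml",
]

# Indicator patterns (assumptions for this example).
CJK_RE = re.compile(r"[\u4e00-\u9fff]")                     # leaked CJK planning notes
STDERR_DISCARD_RE = re.compile(r"2>\s*/dev/null|2>&1")        # stderr thrown away
PAGER_DISABLE_RE = re.compile(r"PAGER=cat|--no-cli-pager|\|\s*cat\b")  # pager suppressed
LS_RE = re.compile(r"^ls\b(?:\s+-\S+)*\s+(\S+)")              # `ls [flags] <path>`
CAT_RE = re.compile(r"^cat\s+(\S+)")                          # `cat <path>`


def score_session(commands: List[str]) -> Dict[str, int]:
    """Count each machine-driven indicator in an ordered list of commands."""
    counts = {
        "delimiter_lines": 0,   # bare "---" separators between tool calls
        "cjk_comments": 0,      # non-English model notes leaking into the shell
        "stderr_discarded": 0,  # output trimmed for machine consumption
        "pager_disabled": 0,    # interactive pagers switched off
        "check_then_act": 0,    # `ls <dir>` immediately followed by `cat <dir>/...`
    }
    for i, cmd in enumerate(commands):
        line = cmd.strip()
        if line == "---":
            counts["delimiter_lines"] += 1
        if CJK_RE.search(line):
            counts["cjk_comments"] += 1
        if STDERR_DISCARD_RE.search(line):
            counts["stderr_discarded"] += 1
        if PAGER_DISABLE_RE.search(line):
            counts["pager_disabled"] += 1
        ls = LS_RE.match(line)
        if ls and i + 1 < len(commands):
            cat = CAT_RE.match(commands[i + 1].strip())
            # Only count it when the cat target lives under the directory just listed.
            if cat and cat.group(1).startswith(ls.group(1).rstrip("/")):
                counts["check_then_act"] += 1
    return counts


def is_machine_driven(counts: Dict[str, int], threshold: int = 2) -> bool:
    """Flag a session once `threshold` distinct indicator types have fired.

    Any single indicator is common in scripts; it is the combination that
    suggests an automated agent. The threshold is an assumption; tune it.
    """
    return sum(1 for v in counts.values() if v > 0) >= threshold


if __name__ == "__main__":
    for name, session in (("sample", SAMPLE_SESSION), ("benign", BENIGN_SESSION)):
        counts = score_session(session)
        print(name, counts, "machine-driven" if is_machine_driven(counts) else "ok")
```

The scorer deliberately counts indicator types rather than raw hits, so a long but ordinary scripted session that only discards `stderr` does not trip it, while a short session that combines delimiters, leaked notes and check-then-act sequences does.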
## Response Actions
- **Containment:** Disconnection of the compromised Marimo instance.
- **Eradication:** Patching Marimo to version 0.23.0 or higher.
- **Recovery:** Rotating all compromised AWS access keys and SSH private keys.
## Lessons Learned
- **Adaptability:** LLM agents do not require pre-authored playbooks; they can navigate "opaque" environments and interpret surprises (like missing files) in real-time.
- **Speed:** The window for human response has effectively closed for certain stages of the attack, as the AI agent can move from discovery to exfiltration in minutes.
- **Automation Detection:** Traditional detection must look for machine-optimized command patterns rather than just known malicious strings.
## Recommendations
- **Patch Management:** Immediately update Marimo notebooks to version 0.23.0+.
- **Network Hardening:** Ensure Marimo notebooks and similar development tools are not exposed to the public internet without strong authentication (VPN/SSO).
- **Secrets Management:** Limit the scope of IAM roles attached to compute instances (Principle of Least Privilege).
- **Monitoring:** Implement runtime security to detect unusual terminal patterns and automated API calls to Secrets Manager.
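The network indicator (Secrets Manager reads from a notebook instance that has no business reading a secret) and the monitoring recommendation above can both be checked from CloudTrail. The following Python is an added example, not code from the Sysdig report or from AWS; the events are constructed and simplified to the fields used, the role-to-secret allowlist is an assumption, and the "three source IPs within 120 seconds" replay heuristic is a chosen threshold, not a documented one. It also flags the credential-replay pattern from the Lateral Movement section: one access key appearing from many egress addresses in a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed CloudTrail-style events, reduced to the fields this check uses.
# Account ID, key IDs and addresses are documentation/example values.
SAMPLE_EVENTS_JSON = """[
 {"eventTime": "2026-05-10T12:00:01Z", "eventName": "GetSecretValue",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0001",
                   "arn": "arn:aws:sts::111122223333:assumed-role/notebook-role/i-0example"},
  "sourceIPAddress": "203.0.113.10",
  "requestParameters": {"secretId": "prod/bastion/ssh-key"}},
 {"eventTime": "2026-05-10T12:00:03Z", "eventName": "ListSecrets",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0001",
                   "arn": "arn:aws:sts::111122223333:assumed-role/notebook-role/i-0example"},
  "sourceIPAddress": "198.51.100.7",
  "requestParameters": null},
 {"eventTime": "2026-05-10T12:00:05Z", "eventName": "GetSecretValue",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0001",
                   "arn": "arn:aws:sts::111122223333:assumed-role/notebook-role/i-0example"},
  "sourceIPAddress": "192.0.2.44",
  "requestParameters": {"secretId": "prod/db/password"}},
 {"eventTime": "2026-05-10T12:30:00Z", "eventName": "GetSecretValue",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0002",
                   "arn": "arn:aws:sts::111122223333:assumed-role/bastion-admin-role/ops"},
  "sourceIPAddress": "10.0.1.5",
  "requestParameters": {"secretId": "prod/bastion/ssh-key"}}
]"""

# Assumed least-privilege map: which roles are expected to read which secret.
ALLOWLIST: Dict[str, Set[str]] = {
    "prod/bastion/ssh-key": {"bastion-admin-role"},
    "prod/db/password": {"app-role"},
}


def parse_events(raw: str) -> List[dict]:
    """Load the JSON event array (CloudTrail exports wrap this in {"Records": [...]})."""
    return json.loads(raw)


def role_name(event: dict) -> str:
    """Extract the role name from an assumed-role ARN."""
    arn = event["userIdentity"]["arn"]
    return arn.split("/")[1] if "/" in arn else arn


def unauthorized_secret_reads(events: List[dict], allowlist: Dict[str, Set[str]]) -> List[str]:
    """Return 'role -> secret' for each GetSecretValue by a role not allowlisted for it."""
    hits = []
    for e in events:
        if e["eventName"] != "GetSecretValue":
            continue
        secret = e["requestParameters"]["secretId"]
        role = role_name(e)
        if role not in allowlist.get(secret, set()):
            hits.append(f"{role} -> {secret}")
    return hits


def replayed_keys(events: List[dict], min_ips: int = 3, window_s: int = 120) -> List[str]:
    """Access keys used from >= min_ips distinct source addresses inside window_s seconds.

    A single key fanned out across many egress addresses in seconds is the
    replay pattern described in the report; the thresholds are assumptions.
    """
    by_key = defaultdict(list)
    for e in events:
        t = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_key[e["userIdentity"]["accessKeyId"]].append((t, e["sourceIPAddress"]))
    flagged = []
    for key, uses in by_key.items():
        uses.sort()
        for i, (t0, _) in enumerate(uses):
            ips = {ip for t, ip in uses[i:] if (t - t0).total_seconds() <= window_s}
            if len(ips) >= min_ips:
                flagged.append(key)
                break
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS_JSON)
    print("unauthorized reads:", unauthorized_secret_reads(events, ALLOWLIST))
    print("replayed keys:", replayed_keys(events))
```

The allowlist check is the detection counterpart of the least-privilege recommendation: if the notebook's instance role were scoped so it could not call `GetSecretValue` at all, the first two findings would be authorization failures in CloudTrail rather than successful reads, which is the outcome to aim for.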