Hackers Use LLM Agent to Move From Marimo RCE to Internal Database in Four Pivots

A new kind of cyberattack is changing how defenders must think about intrusion detection. On May 10, 2026, a threat actor used a large language model (LLM) agent to drive a full post-exploitation chain, starting from an exposed notebook server and ending with an internal database dumped in under two minutes.

This was not a pre-scripted attack. Commands were composed in real time, adapting at each step to whatever the target revealed.

The entry point was a vulnerable marimo notebook exposed to the internet. The attacker exploited CVE-2026-39987, a flaw that yields a shell from a single WebSocket request on any unpatched marimo server.

Cloud credentials were harvested from environment files and the AWS credentials store, then used to retrieve an SSH private key from AWS Secrets Manager.

That key opened eight parallel SSH sessions against a downstream bastion server, from which an internal PostgreSQL database was fully exfiltrated.

Researchers at Sysdig, who captured the intrusion through their Threat Research Team (TRT), described it as the first AI-agent-driven intrusion they have ever recorded.

Attack chain (Source - Sysdig)

Sysdig said in a report shared with Cyber Security News (CSN) that the full chain ran end-to-end in under one hour. Sr. Director Michael Clark put it plainly: “We are not watching AI replace attackers. We are watching attackers replace their scripts with AI.”

What made this attack notable was how traffic was routed to avoid detection. Twelve AWS API calls were fanned across eleven distinct Cloudflare Workers IP addresses in just 22 seconds, defeating the per-source-IP correlation cloud defenders rely on.

Eight SSH sessions came from six separate IPs simultaneously during the bastion phase. This distributed approach breaks traditional IP-based alerting entirely.
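One way to correlate on the credential instead of the source address, shown as an added example rather than Sysdig's detection logic: it groups CloudTrail-style records by access key ID and reports keys used from many distinct IPs inside a short window. The records, key IDs, addresses and both thresholds are constructed assumptions; only the field names follow CloudTrail.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed tuning value
MIN_DISTINCT_IPS = 5            # assumed tuning value
TS = "%Y-%m-%dT%H:%M:%SZ"       # CloudTrail eventTime format

def fanned_out_keys(events, window=WINDOW, min_ips=MIN_DISTINCT_IPS):
    """Map access key ID -> (distinct source IPs, calls) for the widest
    window in which that key was used from at least min_ips addresses."""
    by_key = defaultdict(list)
    for ev in events:
        when = datetime.strptime(ev["eventTime"], TS)
        by_key[ev["userIdentity"]["accessKeyId"]].append((when, ev["sourceIPAddress"]))
    findings = {}
    for key, calls in by_key.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            # Slide the window start forward until it spans <= window.
            while calls[end][0] - calls[start][0] > window:
                start += 1
            ips = {ip for _, ip in calls[start:end + 1]}
            if len(ips) >= min_ips and len(ips) > findings.get(key, (0, 0))[0]:
                findings[key] = (len(ips), end - start + 1)
    return findings

def sample_events():
    """Constructed records: one key fanned across 11 IPs in 22 s, one steady key."""
    base = datetime(2026, 1, 1, 12, 0, 0)
    def ev(key, offset, ip):
        return {"eventTime": (base + timedelta(seconds=offset)).strftime(TS),
                "eventName": "GetCallerIdentity", "sourceIPAddress": ip,
                "userIdentity": {"accessKeyId": key}}
    # 12 calls, 2 s apart, 11 distinct documentation-range IPs (constructed).
    fan = [ev("AKIAEXAMPLEFANOUT001", 2 * i, f"198.51.100.{max(i, 1)}") for i in range(12)]
    # 20 calls from a single address: noisy per IP, but not fanned out.
    steady = [ev("AKIAEXAMPLESTEADY001", 2 * i, "203.0.113.10") for i in range(20)]
    return fan + steady

if __name__ == "__main__":
    for key, (ips, calls) in fanned_out_keys(sample_events()).items():
        print(f"{key}: {calls} calls from {ips} source IPs within {WINDOW}")
```

A per-source-IP threshold sees at most two calls from any address for the fanned-out key, while the single-address key with more calls is correctly left unflagged.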

Hackers Use LLM Agent

The Sysdig TRT identified four signs that an LLM agent drove the attack. First, the agent improvised a database dump with no prior schema knowledge, enumerating tables and immediately targeting a credential table that does not exist in the application the schema resembled.

It was reasoning from general knowledge, not pre-staged intelligence. Second, a Chinese-language planning comment translating to “See what else we can do” appeared directly in the command stream.

That internal monologue, dispatched across six IPs at sub-second pace, is not something a human typist or static script would produce.

Third, every command was built for machine parsing, using structured separators, bounded output caps, and discarded error streams so the agent could read each result cleanly.

The fourth sign was how values flowed between steps. The database password came from the .pgpass file read moments earlier. The SSH key path followed a listing that confirmed the file existed.

The AWS secret ID was selected from a ListSecrets response just 20 seconds before retrieval. The agent was feeding its own prior output into each next action, live and without human direction.

The most pressing implication is that signature-based detection is losing ground. A scripted attacker leaves repeatable fingerprints like the same command order or probe sequence each run.

An LLM agent rewrites its approach for every target, making static rules less reliable. Detection must shift toward what the attacker is accomplishing, such as credential access or database exfiltration, rather than the specific commands used.

Sysdig recommends updating marimo to version 0.23.0 or later immediately. If upgrading is not possible, access to the /terminal/ws endpoint should be restricted or the terminal feature disabled.

Any publicly reachable marimo instance should be treated as potentially compromised, and all associated credentials, API keys, SSH keys, and database passwords should be rotated. CVE-2026-39987 is on CISA’s Known Exploited Vulnerabilities catalog, and its federal remediation deadline has passed.

Organizations should enable deep telemetry across the full network and deploy runtime threat detection that flags behavior-based patterns.

An LLM-powered attacker no longer needs to map your environment to operate inside it. Speed, adaptiveness, and distributed egress are now standard features of the threat.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| IP Address | 157.66.54.26 | Origin IP for both marimo terminal sessions (AS141892, Indonesia) |
| IP Range | 104.28.0.0/16 | Cloudflare Workers egress pool (AS13335) used for AWS API calls and SSH bastion sessions |
| IP Address | 104.28.162.160 | Cloudflare Workers IP used in schema enumeration and HEREDOC PostgreSQL dump |
| IP Address | 104.28.165.251 | Cloudflare Workers IP used in targeted credential table dump |
| IP Address | 104.28.165.169 | Cloudflare Workers IP used in credential-file search block |
| IP Address | 104.28.157.50 | Cloudflare Workers IP used in container and SSH-key enumeration |
| CVE | CVE-2026-39987 | Critical marimo terminal WebSocket RCE vulnerability (entry point for the attack chain) |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.


The post Hackers Use LLM Agent to Move From Marimo RCE to Internal Database in Four Pivots appeared first on Cyber Security News.