Per Sysdig, an unknown threat actor used a large language model (LLM) agent to drive post-compromise activity after exploiting a public Marimo notebook via CVE-2026-39987 on May 10, 2026. Sysdig reported the intruder extracted two cloud credentials, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to open eight parallel SSH sessions against a bastion to exfiltrate an internal PostgreSQL database, with the bastion phase taking under two minutes and the full chain running in under one hour (Sysdig blog). Sysdig identified four indicators consistent with agent-driven execution, including improvised schema enumeration and a Chinese-language planning comment. Reporting by The Hacker News and Cyber Security News corroborates the timeline and notes the Marimo flaw allows pre-authenticated remote code execution and was fixed in Marimo 0.23.0 (The Hacker News; Cyber Security News).
What happened
Per the Sysdig Threat Research Team (TRT), on 2026-05-10 an unknown actor exploited a publicly reachable Marimo notebook via CVE-2026-39987 to obtain initial access, extracted two cloud credentials, and used those credentials to query AWS Secrets Manager and retrieve an SSH private key (Sysdig). Sysdig reported the attacker replayed API calls through a fanned-out egress pool, then used the retrieved key to authenticate to an SSH bastion and execute eight parallel SSH sessions that exfiltrated the schema and full contents of an internal PostgreSQL database in under two minutes, with the end-to-end chain completing in under one hour (Sysdig). The incident record includes a Chinese-language planning comment, transcribed as "看还能做什么" in the command stream (Sysdig; The Hacker News).
Technical details
Per Sysdig, the entry point was a pre-authenticated remote code execution flaw in Marimo previously tracked as CVE-2026-39987, affecting versions up to 0.20.4 and patched in Marimo 0.23.0 (Sysdig; The Hacker News). Sysdig documented the attacker fanning twelve cloud API calls across eleven distinct Cloudflare Workers IPs in 22 seconds to defeat per-source-IP detection, and reported that eight SSH sessions originated from six separate IPs during the bastion phase (Sysdig). Sysdig outlined four signatures it associates with agent-driven activity; these signatures include:
- improvised database schema discovery and immediate targeted extraction without pre-staged dumps,
- presence of natural-language planning comments in the command stream,
- sub-second multi-IP command dispatch consistent with automated orchestration, and
- rapid adaptation in command construction rather than replaying a static script (Sysdig).
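The fan-out described above stays under per-source-IP thresholds, so a detection has to pivot on the credential instead. The following is an added example, not code from Sysdig or the original article: it counts distinct source IPs per access key inside a sliding window over records that use CloudTrail field names. The window, the threshold, the key IDs, the timestamps and the IP addresses are all constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # assumed window; tune per environment
MIN_DISTINCT_IPS = 5            # assumed threshold; tune per environment

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_fanout(events, window=WINDOW, min_ips=MIN_DISTINCT_IPS):
    """Map each flagged access key to its peak distinct-IP count in one window."""
    recent = defaultdict(deque)  # access key -> (time, ip) pairs inside the window
    peaks = {}
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        key = ev["userIdentity"]["accessKeyId"]
        now = parse_time(ev["eventTime"])
        queue = recent[key]
        queue.append((now, ev["sourceIPAddress"]))
        while now - queue[0][0] > window:  # expire calls older than the window
            queue.popleft()
        distinct = len({ip for _, ip in queue})
        if distinct >= min_ips:
            peaks[key] = max(peaks.get(key, 0), distinct)
    return peaks

def max_calls_per_ip(events, access_key):
    """Highest call count any single source IP reached for this key."""
    counts = Counter(e["sourceIPAddress"] for e in events
                     if e["userIdentity"]["accessKeyId"] == access_key)
    return max(counts.values(), default=0)

def make_event(offset_s, ip, key):
    # Constructed record using CloudTrail field names; values are placeholders.
    t = datetime(2026, 5, 10, 12, 0, 0) + timedelta(seconds=offset_s)
    return {"eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventName": "GetSecretValue",
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

# Constructed sample: 12 calls, 11 source IPs, 22 seconds, one access key ...
SAMPLE = [make_event(2 * i, f"203.0.113.{10 + i % 11}", "AKIAEXAMPLEFANOUT001")
          for i in range(12)]
# ... plus a second key calling from a single address.
SAMPLE += [make_event(5 * i, "198.51.100.7", "AKIAEXAMPLEBENIGN01") for i in range(3)]

if __name__ == "__main__":
    print(find_fanout(SAMPLE))
    print(max_calls_per_ip(SAMPLE, "AKIAEXAMPLEFANOUT001"))
```

On the constructed sample no single IP makes more than two calls, which is why a per-IP rate rule stays silent while the per-credential view flags the key.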
Context and significance
Editorial analysis: Observers frame this intrusion as notable because Sysdig describes it as the first recorded case where an LLM-driven agent composed and executed the live post-exploitation sequence, replacing handcrafted playbooks with real-time, model-assisted decision making (Sysdig). Industry reporting emphasizes the operational implications of distributed egress and multi-IP SSH sessions for detection strategies that rely on per-IP correlation (Cyber Security News; Sysdig). Tech coverage also connects the Marimo vulnerability to earlier supply-chain and typosquat vectors using Hugging Face Spaces to distribute payloads, increasing the attack surface for notebook runtimes (Tech Jack Solutions).
What to watch
Editorial analysis: Practitioners and defenders will likely monitor signatures similar to those Sysdig cited as potential indicators of LLM-agent activity, including natural-language artifacts in command streams and rapid, multi-IP API fan-out. Editorial analysis: Teams responsible for internet-exposed notebook infrastructure and secrets management should track exploit telemetry for CVE-2026-39987, confirm Marimo versions, and verify that secrets access is logged and anomalous API call patterns are surfaced by detection tooling. Editorial analysis: The wider community will watch for subsequent incidents that reuse distributed egress techniques, typosquatted artifact repositories, or agent-driven lateral-movement patterns to evaluate whether this event represents an emerging attacker tradecraft.
Notable quote
Sysdig Sr. Director Michael Clark is quoted in the Sysdig report: "We are not watching AI replace attackers. We are watching attackers replace their scripts with AI." (Sysdig).
Scoring Rationale
This is a major operational first: Sysdig reports the first observed LLM-agent-driven intrusion with rapid data exfiltration and evasive multi-IP techniques, a development likely to influence detection and incident response practices.