# Attackers Use LLM Agent After Marimo Exploit

> Source: <https://letsdatascience.com/news/attackers-use-llm-agent-after-marimo-exploit-71b1234b>
> Published: 2026-05-29 17:24:43.042196+00:00

Per Sysdig, an unknown threat actor used a large language model (LLM) agent to drive post-compromise activity after exploiting a public Marimo notebook via **CVE-2026-39987** on May 10, 2026. Sysdig reported the intruder extracted two cloud credentials, replayed them through a fanned-out egress pool to retrieve an SSH private key from **AWS Secrets Manager**, and used that key to open eight parallel SSH sessions against a bastion to exfiltrate an internal **PostgreSQL** database, with the bastion phase taking under two minutes and the full chain running in under one hour (Sysdig blog). Sysdig identified four indicators consistent with agent-driven execution, including improvised schema enumeration and a Chinese-language planning comment. Reporting by The Hacker News and Cyber Security News corroborates the timeline and notes the Marimo flaw allows pre-authenticated remote code execution and was fixed in **Marimo 0.23.0** (The Hacker News; Cyber Security News).

### What happened

Per the Sysdig Threat Research Team (TRT), on 2026-05-10 an unknown actor exploited a publicly reachable **Marimo** notebook via **CVE-2026-39987** to obtain initial access, extracted two cloud credentials, and used those credentials to query **AWS Secrets Manager** and retrieve an SSH private key (Sysdig). Sysdig reported the attacker replayed API calls through a fanned-out egress pool, then used the retrieved key to authenticate to an SSH bastion and execute eight parallel SSH sessions that exfiltrated the schema and full contents of an internal **PostgreSQL** database in under two minutes, with the end-to-end chain completing in under one hour (Sysdig). The incident record includes a Chinese-language planning comment, transcribed as "看还能做什么" in the command stream (Sysdig; The Hacker News).

### Technical details

Per Sysdig, the entry point was a pre-authenticated remote code execution flaw in Marimo previously tracked as **CVE-2026-39987**, affecting versions up to 0.20.4 and patched in **Marimo 0.23.0** (Sysdig; The Hacker News). Sysdig documented the attacker fanning twelve cloud API calls across eleven distinct **Cloudflare Workers** IPs in 22 seconds to defeat per-source-IP detection, and reported that eight SSH sessions originated from six separate IPs during the bastion phase (Sysdig). Sysdig outlined four signatures it associates with agent-driven activity; these signatures include:

- improvised database schema discovery and immediate targeted extraction without pre-staged dumps,
- presence of natural-language planning comments in the command stream,
- sub-second multi-IP command dispatch consistent with automated orchestration, and
- rapid adaptation in command construction rather than replaying a static script (Sysdig).
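
The fan-out across source IPs described above stays invisible to per-IP rules but shows up when API events are grouped by credential instead. The sketch below is an added example, not code from Sysdig or the original article: the records are constructed in a CloudTrail-like shape, the key IDs and documentation-range IPs are placeholders, and the 60-second window and five-address threshold are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed sample data (not from the Sysdig report)."""
    base = datetime(2026, 5, 10, 12, 0, 0)  # time of day is made up
    events = []
    for i in range(12):
        # Placeholder key A: 12 calls from 11 addresses within 22 seconds.
        events.append({"eventTime": base + timedelta(seconds=2 * i),
                       "accessKeyId": "AKIAEXAMPLEFANOUT",
                       "sourceIPAddress": f"198.51.100.{min(i, 10) + 1}",
                       "eventName": "GetSecretValue" if i == 11 else "ListSecrets"})
        # Placeholder key B: same call volume, always from one address.
        events.append({"eventTime": base + timedelta(seconds=5 * i),
                       "accessKeyId": "AKIAEXAMPLESTEADY",
                       "sourceIPAddress": "203.0.113.7",
                       "eventName": "DescribeInstances"})
    return events

SAMPLE_EVENTS = build_sample_events()

def find_ip_fanout(events, window_s=60, min_ips=5):
    """Flag credentials used from >= min_ips source IPs inside any window.

    Returns {accessKeyId: {"distinct_ips": n, "calls": m}} for the densest
    window seen per key. Grouping by key is what defeats IP rotation.
    """
    window = timedelta(seconds=window_s)
    by_key = defaultdict(list)
    for event in events:
        by_key[event["accessKeyId"]].append(event)

    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["eventTime"])
        start, best = 0, (0, 0)
        for end in range(len(evs)):
            # Slide the left edge until the span fits inside the window.
            while evs[end]["eventTime"] - evs[start]["eventTime"] > window:
                start += 1
            ips = {e["sourceIPAddress"] for e in evs[start:end + 1]}
            best = max(best, (len(ips), end - start + 1))
        if best[0] >= min_ips:
            findings[key] = {"distinct_ips": best[0], "calls": best[1]}
    return findings

if __name__ == "__main__":
    print(find_ip_fanout(SAMPLE_EVENTS))
```
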

### Context and significance

Editorial analysis: Observers frame this intrusion as notable because Sysdig describes it as the first recorded case where an LLM-driven agent composed and executed the live post-exploitation sequence, replacing handcrafted playbooks with real-time, model-assisted decision making (Sysdig). Industry reporting emphasizes the operational implications of distributed egress and multi-IP SSH sessions for detection strategies that rely on per-IP correlation (Cyber Security News; Sysdig). Tech coverage also connects the Marimo vulnerability to earlier supply-chain and typosquat vectors using Hugging Face Spaces to distribute payloads, increasing the attack surface for notebook runtimes (Tech Jack Solutions).

### What to watch

Editorial analysis: Practitioners and defenders will likely monitor signatures similar to those Sysdig cited as potential indicators of LLM-agent activity, including natural-language artifacts in command streams and rapid, multi-IP API fan-out. Teams responsible for internet-exposed notebook infrastructure and secrets management should track exploit telemetry for **CVE-2026-39987**, confirm Marimo versions, and verify that secrets access is logged and anomalous API call patterns are surfaced by detection tooling. The wider community will watch for subsequent incidents that reuse distributed egress techniques, typosquatted artifact repositories, or agent-driven lateral-movement patterns to evaluate whether this event represents an emerging attacker tradecraft.

### Notable quote

Sysdig Sr. Director Michael Clark is quoted in the Sysdig report: "We are not watching AI replace attackers. We are watching attackers replace their scripts with AI." (Sysdig).

## Scoring Rationale

This is a major operational first: Sysdig reports the first observed LLM-agent-driven intrusion with rapid data exfiltration and evasive multi-IP techniques, a development likely to influence detection and incident response practices.

