PROBABLYPWNED
Malware | May 30, 2026 | 4 min read

Attackers Deploy LLM Agent for Post-Exploitation in Marimo Attack

Sysdig documents the first AI-agent-driven intrusion: attackers exploited Marimo CVE-2026-39987, then used an LLM agent to pivot through AWS and exfiltrate a PostgreSQL database in under an hour.

James Rivera

Security researchers at Sysdig have documented what they describe as the first AI-agent-driven intrusion on record: an attacker exploited a publicly-accessible Marimo notebook, then deployed a large language model (LLM) agent to conduct post-compromise reconnaissance, lateral movement, and data exfiltration—all within approximately one hour.

The attack, observed on May 10, 2026, represents a significant evolution in how threat actors leverage AI for offensive operations.

The Attack Chain

The intrusion began with exploitation of CVE-2026-39987, a vulnerability in Marimo that allows a single WebSocket request to achieve shell access on unpatched servers. The vulnerability is already on CISA's Known Exploited Vulnerabilities catalog, with the federal remediation deadline having passed.

From the compromised Marimo instance, the attack progressed through distinct phases:

Initial Access and Credential Harvesting: The attacker extracted cloud credentials from environment files and the AWS credentials store on the compromised host.

AWS Secrets Manager Access: Using harvested AWS access keys, the attacker made API calls to retrieve an SSH private key stored in AWS Secrets Manager.

Lateral Movement: Within minutes, the threat actor authenticated to an SSH bastion server and launched eight parallel SSH sessions against a downstream target.

Database Exfiltration: The final phase extracted the schema and full contents of an internal PostgreSQL database in under two minutes.

Evidence of LLM Agent Involvement

Sysdig identified four technical signatures indicating an LLM agent—rather than a human operator—was driving the post-exploitation activity:

Schema Improvisation: The agent queried an unfamiliar database and landed on a credential table within minutes without prior reconnaissance. Human attackers typically require more time to understand database structures.

Language Leakage: A Chinese-language planning comment appeared directly in command output: "看还能做什么" (translating to "See what else we can do"). This suggests the agent's internal reasoning leaked into its actions.

Machine-Optimized Commands: Every command featured delimiters ("---"), bounded output captures, disabled pagers, and stderr suppression. These patterns optimize output for automated parsing rather than human readability.

Autonomous Chaining: The LLM agent fed previous command outputs into subsequent actions, listing SSH keys before attempting extraction—demonstrating contextual reasoning about the target environment.

Why LLM Agents Change the Game

The Sysdig researchers characterized the attack methodology: "An agent operator carries general priors about a class of applications and composes the chain live to best fit its target."

This represents a departure from traditional attack automation. Scripts and playbooks follow predetermined paths. LLM agents adapt their approach based on what they discover, making decisions that previously required human judgment.

The implications for defenders are significant:

  1. Speed: The entire attack chain completed in under an hour, with database exfiltration taking less than two minutes
  2. Adaptability: The agent navigated an unfamiliar environment without prior knowledge of the specific target architecture
  3. Scalability: Automated agents can run parallel operations across multiple compromised systems simultaneously

This development follows broader trends in AI-assisted attack tooling that we've tracked throughout 2026.

Marimo Vulnerability Context

Marimo is a reactive Python notebook designed for data science and AI development workflows. The vulnerability allows unauthenticated remote code execution through WebSocket manipulation.

Organizations running Marimo notebooks should:

  1. Patch immediately - Ensure all instances are updated to patched versions
  2. Audit exposure - Identify any internet-facing Marimo deployments and restrict access
  3. Review AWS permissions - Apply least-privilege principles to credentials accessible from notebook environments
  4. Enable CloudTrail logging - Ensure visibility into AWS API activity for incident response
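Recommendations 3 and 4 only pay off if someone turns the CloudTrail visibility into a concrete check. The following is an added example for this article, not Sysdig's detection logic or Marimo's code. It assumes CloudTrail management events in their standard JSON shape (eventTime, eventSource, eventName, userIdentity.arn, sourceIPAddress, requestParameters.secretId) and a small baseline of which principals normally read which secrets from which host IP. The role ARN, account id, IP addresses, secret names and the records themselves are constructed placeholders. It goes slightly beyond the single SSH-key retrieval described in the attack by also flagging a principal that reads several distinct secrets in a short window.

```python
"""Flag suspicious AWS Secrets Manager reads in CloudTrail records.

Added example, not Sysdig's tooling. Baseline, ARNs, IPs and events below
are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed baseline: (principal ARN, secret) pairs that are normal, and the
# source IP each instance-role principal is expected to call AWS from.
NOTEBOOK_ROLE = "arn:aws:sts::111122223333:assumed-role/notebook-role/i-0notebook"
EXPECTED_READERS = {(NOTEBOOK_ROLE, "app/db-password")}
HOST_IPS = {NOTEBOOK_ROLE: "10.0.1.23"}

# Constructed CloudTrail-shaped records: one routine read from the host, one
# unrelated EC2 call, then two reads with the same identity from a foreign IP.
SAMPLE_EVENTS = [
    {"eventTime": "2026-05-10T09:00:12Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "userIdentity": {"arn": NOTEBOOK_ROLE},
     "sourceIPAddress": "10.0.1.23", "requestParameters": {"secretId": "app/db-password"}},
    {"eventTime": "2026-05-10T09:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"arn": NOTEBOOK_ROLE},
     "sourceIPAddress": "10.0.1.23", "requestParameters": None},
    {"eventTime": "2026-05-10T09:31:02Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "userIdentity": {"arn": NOTEBOOK_ROLE},
     "sourceIPAddress": "203.0.113.7", "requestParameters": {"secretId": "ops/bastion-ssh-key"}},
    {"eventTime": "2026-05-10T09:33:51Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "userIdentity": {"arn": NOTEBOOK_ROLE},
     "sourceIPAddress": "203.0.113.7", "requestParameters": {"secretId": "app/db-password"}},
]


def parse_time(s):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def flag_secret_reads(events, burst_window=timedelta(minutes=10), burst_threshold=2):
    """Return a list of (reason, detail) findings over GetSecretValue events.

    new-pair   : a principal read a secret it has no baseline for
    foreign-ip : a host-bound principal called from an unexpected source IP
    burst      : one principal read >= burst_threshold distinct secrets within burst_window
    """
    findings = []
    reads = [e for e in events
             if e.get("eventSource") == "secretsmanager.amazonaws.com"
             and e.get("eventName") == "GetSecretValue"]
    by_principal = {}
    for e in reads:
        arn = e["userIdentity"]["arn"]
        secret = e["requestParameters"]["secretId"]
        if (arn, secret) not in EXPECTED_READERS:
            findings.append(("new-pair", e))
        if arn in HOST_IPS and e["sourceIPAddress"] != HOST_IPS[arn]:
            findings.append(("foreign-ip", e))
        by_principal.setdefault(arn, []).append((parse_time(e["eventTime"]), secret))
    # Burst check: slide a window from each read and count distinct secrets.
    for arn, items in by_principal.items():
        items.sort()
        for t0, _ in items:
            window = {s for t, s in items if t0 <= t < t0 + burst_window}
            if len(window) >= burst_threshold:
                findings.append(("burst", {"principal": arn,
                                           "secrets": sorted(window),
                                           "start": t0.isoformat()}))
                break
    return findings


if __name__ == "__main__":
    for reason, detail in flag_secret_reads(SAMPLE_EVENTS):
        print(reason, detail)
```

The foreign-ip rule is the cheapest of the three to operate: an instance role or access key that belongs to one host should not appear from another address, and that is exactly what stolen notebook credentials look like in CloudTrail.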

The attack demonstrates why development and data science tools require the same security rigor as production systems—they often have access to sensitive credentials and infrastructure.

Detection Opportunities

While LLM agents introduce new challenges, they also create detection opportunities. The machine-optimized command patterns—consistent delimiters, suppressed output, bounded captures—can serve as behavioral indicators.

Security teams should monitor for:

  • Unusual AWS Secrets Manager access patterns following application compromise
  • Rapid lateral movement across multiple systems within short timeframes
  • Command execution patterns optimized for automated parsing
  • Parallel SSH session establishment from single sources
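The third bullet, command patterns optimized for automated parsing, is the one a team can check today with data it probably already collects. The following is an added example for this article, not Sysdig's detection logic. It assumes a feed of executed command lines (for example from an EDR or auditd exec log) and scores each line on the four traits the article describes: visible delimiters, bounded output, disabled pagers, and stderr suppression. The marker regexes, thresholds and both sample sessions are constructed for the example; the "agent" session deliberately contains only harmless listing commands dressed in those traits.

```python
"""Score shell command lines for machine-optimized patterns.

Added example, not Sysdig's detection logic. Markers, thresholds and the
sample sessions below are constructed for illustration.
"""
import re

# One regex per trait from the article. Kept narrow so an ordinary interactive
# command rarely trips more than one of them.
MARKERS = [
    ("delimiter", re.compile(r"echo\s+['\"]?-{3,}|printf\s+['\"]-{3,}")),
    ("bounded-output", re.compile(r"\|\s*(head|tail)\s+-n?\s*\d+|\|\s*head\s+-c\s*\d+")),
    ("no-pager", re.compile(r"PAGER=cat|--no-pager|-P\s+pager=off|\\pset\s+pager\s+off")),
    ("stderr-suppressed", re.compile(r"2>\s*/dev/null")),
]

# Constructed session showing the traits on benign commands.
AGENT_SESSION = [
    r"echo ---; ls -la /opt 2>/dev/null | head -n 40; echo ---",
    r"psql -P pager=off -c '\dt' 2>/dev/null | head -n 50; echo ---",
    r"git --no-pager log --oneline 2>/dev/null | head -20; echo ---",
    r"cat /etc/os-release 2>/dev/null; echo ---",
]

# Constructed session of the kind a person types at a terminal.
HUMAN_SESSION = [
    "ls -la",
    "cd /opt/app && cat README.md",
    r"psql -c '\dt'",
    "git log --oneline | head -20",
    "tail -f /var/log/syslog",
]


def score_command(cmd):
    """Return the names of the automation markers present in one command line."""
    return [name for name, rx in MARKERS if rx.search(cmd)]


def flag_session(commands, min_markers=2, min_fraction=0.6):
    """Flag a session when at least min_fraction of its commands carry
    min_markers or more markers. Returns (flagged, per_command_hits)."""
    per_cmd = [score_command(c) for c in commands]
    heavy = sum(1 for hits in per_cmd if len(hits) >= min_markers)
    flagged = bool(commands) and heavy / len(commands) >= min_fraction
    return flagged, per_cmd


if __name__ == "__main__":
    for label, session in (("agent-like", AGENT_SESSION), ("human-like", HUMAN_SESSION)):
        flagged, hits = flag_session(session)
        print(label, "flagged" if flagged else "clean")
        for cmd, h in zip(session, hits):
            print("  ", h, cmd)
```

Scoring whole sessions rather than single commands matters: one `| head -20` from a person is unremarkable, while a run of commands that each wrap their output in delimiters and discard stderr is the consistency the article calls out.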

The Bigger Picture

This incident validates concerns security researchers have raised about AI-assisted offensive operations. The question is no longer whether attackers will use LLM agents, but how defenders will adapt to autonomous adversaries.

Sysdig's documentation provides the first concrete case study for the security community to analyze. Expect more incidents of this nature as threat actors refine their agent-based tooling and AI capabilities become more accessible to a broader range of adversaries.
