
Attackers Use LLM Agent Exploit After Marimo Exploit CVE-2026-39987

Ravie Lakshmanan, May 29, 2026. Vulnerability / Artificial Intelligence

An unknown threat actor has been observed using a large language model (LLM) agent to carry out post-compromise actions after gaining initial access by exploiting a recently disclosed vulnerability in a publicly accessible Marimo instance.

“An attacker compromised Marimo’s web-accessible directory using CVE-2026-39987, issued two cloud credentials to a vulnerable host, replicated himself by using a compromised egress pool to extract an SSH secret key from AWS Secrets Manager, and used that key to drive eight short SSH sessions to the local SSH server.

“The bastion class extracted the schema and full content of an internal PostgreSQL database in less than two minutes.”

CVE-2026-39987 refers to a critical remote code execution vulnerability that affects all versions of Marimo prior to and including 0.20.4. It allows an unauthorized attacker to execute arbitrary system commands. The issue was addressed in version 0.23.0, released last month.

The vulnerability has since come under active exploitation, with threat actors using it to launch AI-driven attacks against honeypot systems and attempt to harvest sensitive data.

The latest findings from Sysdig follow the same pattern, the main difference being that an LLM agent was used to drive the post-exploitation work. According to the cloud security company, the incident was recorded on May 10, 2026: the attacker collected credentials from the environment and then used the harvested AWS access key to make API calls against AWS Secrets Manager and retrieve the private SSH key.

A few minutes later, the threat actor is said to have performed an initial SSH authentication to the SSH bastion server using the obtained key, followed by eight identical SSH sessions against the downstream server to extract internal PostgreSQL data. The whole sequence of terminal activity lasted a little over an hour.

Sysdig said it identified four indicators that an LLM agent was doing the work. First, the attacker produced a database dump without prior knowledge of the schema. Second, a Chinese-language comment, “看看生生生”, which translates to “See what else we can do,” leaked directly into the command stream when the validation search was performed.

“The hostname of the database was ambiguous, we had no application identifier on disk, and no schema dump was in place, yet the thread was sitting in the validation table within minutes,” Sysdig said. “An attacker no longer needs to see your environment to operate within it.”

The third indicator is that every command is shaped for machine consumption: commands are separated by the delimiter “—“, output is captured and bounded, the “sub” command is disabled, and the error stream (stderr) is discarded to reduce noise.

Finally, values are handed off from the previous tool output. In other words, the way certain values, such as database passwords, are extracted suggests that the AI agent feeds its own previous output, obtained by running cat on the “~/.pgpass” file, into the next action.

In one instance, a cat command that prints the contents of a specific file (“cat ~/.ssh/id_ed25519”) is preceded by an ls command that uses the same file pattern (“ls -la ~/.ssh/id_ed25519*”) to verify that the SSH key exists.
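The traits listed above (commands chained on one line, output bounded, stderr discarded, sensitive files read, and an ls probe feeding the next cat) can be turned into a session-level detection over a host's command audit trail. The following is an added example, not code from the article or from Sysdig, and it assumes a simple list of command strings such as a shell audit log or bash history would yield; the sample command stream is constructed to mirror the described behaviour, and the thresholds and the "suspicious" cut-off are arbitrary choices.

```python
import re

# Constructed sample command stream modelled on the traits described in the
# article (chained steps, bounded output, stderr discarded, ls-then-cat handoff).
# These are not the actual commands from the Sysdig incident.
SAMPLE_COMMANDS = [
    "ls -la ~/.ssh/id_ed25519* 2>/dev/null",
    "cat ~/.ssh/id_ed25519 2>/dev/null",
    "cat ~/.pgpass 2>/dev/null; echo ---; env | grep -i pg 2>/dev/null",
    "psql -h db.internal -U app -c '\\dt' 2>/dev/null | head -n 50",
    "pg_dump -h db.internal -U app appdb 2>/dev/null | head -c 100000",
    "uptime",
]

CHAINED = re.compile(r";|&&|\|\|")                    # several steps in one line
STDERR_DISCARDED = re.compile(r"2>\s*/dev/null")       # error stream dropped
OUTPUT_BOUNDED = re.compile(r"\|\s*(?:head|tail)\b")   # output capped for a context window
SENSITIVE_READ = re.compile(
    r"(?:~|/root|/home/[^/\s]+)/\.(?:pgpass|ssh/id_[a-z0-9]+|aws/credentials)")
LS_PROBE = re.compile(r"^\s*ls\b.*?(\S+?)\*")          # ls ... <path>*
CAT_READ = re.compile(r"^\s*cat\s+(\S+)")              # cat <path>


def command_traits(cmd):
    """Per-command flags for the machine-shaped traits described in the article."""
    return {
        "chained": bool(CHAINED.search(cmd)),
        "stderr_discarded": bool(STDERR_DISCARDED.search(cmd)),
        "output_bounded": bool(OUTPUT_BOUNDED.search(cmd)),
        "sensitive_reads": SENSITIVE_READ.findall(cmd),
    }


def handoff_pairs(commands):
    """Consecutive 'ls <path>*' then 'cat <path>': the previous output feeding the next action."""
    pairs = []
    for prev, cur in zip(commands, commands[1:]):
        probe, read = LS_PROBE.search(prev), CAT_READ.search(cur)
        if probe and read and read.group(1).startswith(probe.group(1)):
            pairs.append((prev, cur))
    return pairs


def score_stream(commands, machine_ratio_threshold=0.5):
    """Summarise one session's command stream and count the agent indicators present."""
    if not commands:
        return {"commands": 0, "score": 0, "suspicious": False}
    traits = [command_traits(c) for c in commands]
    machine_shaped = sum(
        t["chained"] or t["stderr_discarded"] or t["output_bounded"] for t in traits)
    summary = {
        "commands": len(commands),
        "machine_shaped_ratio": machine_shaped / len(commands),
        "sensitive_reads": sorted({p for t in traits for p in t["sensitive_reads"]}),
        "handoffs": handoff_pairs(commands),
    }
    indicators = [
        summary["machine_shaped_ratio"] >= machine_ratio_threshold,  # shaped for machine use
        bool(summary["sensitive_reads"]),                            # credential files touched
        bool(summary["handoffs"]),                                   # ls probe feeding a cat
    ]
    summary["score"] = sum(indicators)
    summary["suspicious"] = summary["score"] >= 2
    return summary


if __name__ == "__main__":
    for key, value in score_stream(SAMPLE_COMMANDS).items():
        print(f"{key}: {value}")
```

On the constructed stream five of six commands carry at least one machine-shaped trait, two credential files are read, and the ls-then-cat pair on the SSH key is recognised as a handoff, so all three indicators fire. A benign administrative session (uptime, df) scores zero. The article's first indicator, a dump produced without schema discovery, needs timing and database-side context that a command list alone does not carry, so it is not scored here.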

“When a scripted operator builds a target-by-target playbook and reuses it, the bar for adding new targets is engineering time,” Sysdig concludes. “However, the operator of the agent manages the general important about the category of applications and combines the series live to better suit its target. Here, the bar becomes a budget of consideration, not ownership of playbooks.”

“A defender-related property of the agent in the loop is flexibility. A scripted attacker hits a missing file, unexpected schema, or authentication failure and aborts or falls into a hard-coded fallback. The agent reads the exception, decides what to try next, and continues.”

To counter this threat, users are advised to update to the latest version of Marimo, audit any publicly accessible instances, and rotate credentials, API keys, and SSH keys.
