Tool Abuse / Excessive Agency · High
LLM agent autonomously drives post-exploitation from a marimo RCE to database theft
May 2026 · Marimo notebook + AWS + PostgreSQL (attacker LLM unnamed)
What happened
On May 10, 2026, Sysdig's Threat Research Team observed an intrusion where, after a conventional pre-auth RCE in a marimo notebook (CVE-2026-39987), an LLM agent autonomously ran the entire post-exploitation chain in real time. In four pivots in under an hour it replayed stolen cloud credentials, pulled an SSH key from AWS Secrets Manager, moved through an SSH bastion, and exfiltrated a full PostgreSQL database. Sysdig calls it the first agent-driven intrusion its team has captured; the broader "first in the wild" framing is press, not Sysdig's claim.
Root cause
Initial access was an unauthenticated WebSocket terminal in marimo (CVE-2026-39987). The novel part was the attacker delegating post-exploitation reasoning and command construction to an LLM agent, which improvised lateral movement faster than human-speed defenses and rotated egress through Cloudflare Workers to evade IP-based detection.
Fix / outcome
Patch marimo to 0.23.0 or later to close the entry-point CVE. Sysdig's other guidance is to detect agent-driven behavioral signatures such as sub-second multi-IP fan-out and improvised schema discovery. No threat actor was named.
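One way to express the multi-IP fan-out signature as detection logic, added here as an example (not Sysdig's rule and not code from the incident report). It assumes "fan-out" means a single credential appearing from several distinct source IPs in under one second; the event fields, thresholds and sample log lines are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, credential, source IP); not data from the incident.
SAMPLE_EVENTS = [
    ("2026-05-10T09:00:00.000", "cred-b", "192.0.2.1"),      # roaming user, hours apart
    ("2026-05-10T10:00:00.000", "cred-b", "192.0.2.2"),
    ("2026-05-10T11:00:00.000", "cred-b", "192.0.2.3"),
    ("2026-05-10T12:00:00.100", "cred-a", "198.51.100.10"),  # rotating egress, 600 ms
    ("2026-05-10T12:00:00.250", "cred-a", "198.51.100.22"),
    ("2026-05-10T12:00:00.400", "cred-a", "203.0.113.5"),
    ("2026-05-10T12:00:00.700", "cred-a", "203.0.113.9"),
    ("2026-05-10T12:00:01.000", "cred-c", "192.0.2.50"),     # fast, but a single IP
    ("2026-05-10T12:00:01.200", "cred-c", "192.0.2.50"),
    ("2026-05-10T12:00:01.300", "cred-c", "192.0.2.50"),
]

def detect_fanout(events, window=timedelta(seconds=1), min_ips=3):
    """Flag credentials seen from >= min_ips distinct source IPs in under `window`."""
    parsed = sorted((datetime.fromisoformat(ts), cred, ip) for ts, cred, ip in events)
    recent = defaultdict(deque)   # credential -> (time, ip) pairs still inside the window
    active = {}                   # credential -> alert currently being extended
    alerts = []
    for ts, cred, ip in parsed:
        q = recent[cred]
        q.append((ts, ip))
        while ts - q[0][0] >= window:   # drop events a full window old or older
            q.popleft()
        ips = {addr for _, addr in q}
        if len(ips) >= min_ips:
            if cred not in active:
                active[cred] = {"credential": cred, "start": q[0][0], "ips": set()}
                alerts.append(active[cred])
            active[cred]["ips"] |= ips
            active[cred]["end"] = ts
        else:
            active.pop(cred, None)      # burst over; a later burst raises a new alert
    return alerts

if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_EVENTS):
        span_ms = (alert["end"] - alert["start"]).total_seconds() * 1000
        print(f'{alert["credential"]}: {len(alert["ips"])} IPs in {span_ms:.0f} ms')
```

Keying on the credential rather than the source address is what keeps the check useful when egress IPs rotate; the window and IP threshold need tuning against legitimate multi-region or NAT-pool traffic.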