Marimo CVE-2026-39987 LLM-agent post-exploitation
Summary
Sysdig Threat Research reports a May 10, 2026 intrusion where an unknown actor exploited an internet-reachable marimo notebook through CVE-2026-39987 and then used an LLM-agent-driven post-exploitation loop to move from the notebook host to AWS Secrets Manager, an SSH bastion, and an internal PostgreSQL database.
The durable signal is not only the marimo RCE. Sysdig captured command-stream features consistent with a real-time AI agent composing the intrusion rather than a static playbook: machine-readable output delimiters, bounded command output, a leaked Chinese planning comment, value handoffs from prior command output, and improvised database-table selection against an opaque internal host.
Tags
- ops
- operations
- exploitation
- marimo
- CVE-2026-39987
- LLM
- AI agents
- post-exploitation
- cloud credential theft
- AWS Secrets Manager
- Cloudflare Workers
- PostgreSQL
- SSH bastion
Why this matters
- AI / notebook / workflow platforms increasingly hold cloud credentials, SSH keys, database credentials, model-provider tokens, and automation secrets in one reachable runtime.
- The post-exploitation phase shows how agentic tooling can reduce attacker engineering cost: instead of a target-specific script, the operator can let an agent parse output and compose the next command sequence live.
- Per-request egress through Cloudflare Workers weakens simple source-IP correlation. Sysdig observed 12 AWS API calls spread across 11 IPs in 22 seconds before the SSH pivot.
- The database dump was adaptive: the actor enumerated schema, then immediately targeted credential- and AI-workflow-shaped tables (api_key, credential, user, variable, flow, message) despite no clear on-host application identity.
Reported chain
- The attacker connected to /terminal/ws on a vulnerable marimo instance and executed initial host reconnaissance.
- The actor harvested credentials from environment and credential locations such as .env files, /etc/environment, process environments, and AWS credential files.
- Harvested AWS keys were replayed through Cloudflare Workers egress to call sts:GetCallerIdentity, list secrets, and retrieve an SSH private key from AWS Secrets Manager.
- The retrieved key was used for eight short, parallel SSH sessions against a downstream bastion from multiple Worker IPs.
- The bastion phase harvested host context, read .pgpass, and dumped PostgreSQL schema and tables in under two minutes.
Agent-driven execution indicators
- Improvised target reasoning: generic AI-workflow database priors were applied after schema enumeration instead of relying on a pre-built per-application dump script.
- Planning leakage: a Chinese-language comment, 看还能做什么 ("see what else we can do"), appeared directly in the command stream.
- Machine-consumption command shape: repeated echo '---' delimiters, 2>/dev/null, 2>&1 | head -N, pager suppression, and HEREDOC bundling made command results easier for a tool loop to parse.
- Output-to-input handoffs: values found in prior outputs, including .pgpass, home-directory names, SSH-key paths, and AWS SecretIds, were fed into later actions.
Defender heuristics
- Patch marimo to a fixed release and remove unauthenticated internet exposure for notebook terminals and AI-workflow runtimes.
- Treat exploitation of AI/notebook runtimes as a secret-spill incident: rotate cloud keys, SSH keys, database credentials, model-provider tokens, and workflow secrets reachable from the host.
- Hunt for WebSocket access to marimo terminal paths followed by environment-file reads, AWS credential discovery, Secrets Manager calls, and SSH authentication from Cloudflare Workers or other distributed egress providers.
- Add detections for command transcripts shaped for agent consumption: repeated delimiter echoes, aggressive stderr suppression, output caps, pager disabling, and one-shot HEREDOC query bundles across short-lived sessions.
- Correlate cloud API calls by credential, user agent, and secret target, not only by source IP, when requests fan out through serverless edge infrastructure.
- Review database logs for rapid schema enumeration followed by credential/API-key/user-table dumps, especially when the caller recently retrieved credentials from bastion dotfiles.
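One way to prototype the command-transcript detection from the list above, as an added example that is not code from Sysdig or marimo. The feature names, the pager-suppression spellings, the thresholds, and the sample transcripts are assumptions made for illustration.

```python
import re

# Patterns for the command shapes listed under "Agent-driven execution indicators".
# The pager-suppression spellings are assumptions (common real options), not from the report.
FEATURES = {
    "delimiter_echo": re.compile(r"\becho\s+(['\"])[-=#*_]{3,}\1"),
    "stderr_suppressed": re.compile(r"2>\s*/dev/null"),
    "output_cap": re.compile(r"\|\s*(?:head|tail)\s+-(?:n\s*)?\d+"),
    "pager_off": re.compile(r"--no-pager|--no-cli-pager|\bPAGER=cat\b|pager=off"),
    "heredoc_bundle": re.compile(r"(?<!<)<<(?!<)-?\s*['\"]?\w+"),  # skips <<< here-strings
}

def score_session(commands, min_features=3, min_delimiters=2):
    """Count agent-shaped features in one session; thresholds are assumed defaults."""
    hits = {name: 0 for name in FEATURES}
    for line in commands:
        for name, pattern in FEATURES.items():
            hits[name] += sum(1 for _ in pattern.finditer(line))
    present = sorted(name for name, count in hits.items() if count)
    suspicious = (
        len(present) >= min_features and hits["delimiter_echo"] >= min_delimiters
    )
    return {"features": present, "counts": hits, "suspicious": suspicious}

def triage(sessions, **thresholds):
    """Return ids of sessions whose transcripts look built for a tool loop."""
    return [sid for sid, cmds in sessions.items()
            if score_session(cmds, **thresholds)["suspicious"]]

# Constructed sample transcripts (not taken from the Sysdig report).
SAMPLE_SESSIONS = {
    "sess-a": [
        "id; echo '---'; uname -a 2>/dev/null; echo '---'; ls -la /home 2>&1 | head -20",
        "PAGER=cat psql -h db.internal.example -U app <<'EOF' 2>&1 | head -50",
        "\\dt",
        "EOF",
    ],
    "sess-b": [
        "ls -la /var/log",
        "git --no-pager log -5",
        "grep -r TODO src 2>/dev/null",
    ],
}

if __name__ == "__main__":
    for sid, cmds in SAMPLE_SESSIONS.items():
        print(sid, score_session(cmds))
```

Requiring repeated delimiters plus several distinct features keeps an ordinary interactive session such as sess-b, which uses stderr suppression and a pager flag on their own, below the threshold.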
Related pages
- AI-augmented adversary operations
- Langflow CVE-2025-34291 exploitation
- KnowledgeDeliver CVE-2026-5426 ViewState exploitation
Sources
- Sysdig Threat Research: https://www.sysdig.com/blog/ai-agent-at-the-wheel-how-an-attacker-used-llms-to-move-from-a-cve-to-an-internal-database-in-4-pivots
- The Hacker News: https://thehackernews.com/2026/05/attackers-use-llm-agent-for-post.html
- marimo advisory GHSA-2679-6mx9-h9xc / CVE-2026-39987: https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc