LLM Agent Utilized for Post-Exploitation Following Marimo Vulnerability

A recent cyber incident highlights the use of a large language model (LLM) agent for post-exploitation activity following the exploitation of a critical vulnerability in Marimo software.

An unknown threat actor reportedly employed an LLM agent to carry out post-exploitation actions after gaining access through the Marimo vulnerability.

Details of the Exploit

The attacker exploited a publicly accessible Marimo notebook via CVE-2026-39987, a critical pre-authenticated remote code execution vulnerability affecting all versions of Marimo up to and including 0.20.4. This vulnerability allows unauthenticated attackers to execute arbitrary system commands. The issue was addressed in version 0.23.0, released last month.

Attack Sequence

According to Sysdig, the attacker compromised the Marimo notebook, extracted two cloud credentials, and used them to retrieve an SSH private key from AWS Secrets Manager. This key facilitated eight short SSH sessions against a downstream SSH bastion server, leading to the exfiltration of an internal PostgreSQL database in under two minutes.

Indicators of LLM Usage

Sysdig identified four indicators suggesting that an LLM agent was involved in the attack. Firstly, the attacker executed a database dump without prior knowledge of the schema. Secondly, a comment in Chinese, translating to “See what else we can do,” appeared in the command stream during a credential search. Thirdly, commands were structured for machine consumption, with specific delimiters and output management to reduce noise. Lastly, the agent appeared to feed its own previous outputs into subsequent commands, indicating a level of adaptability in its operations.
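A heuristic triage of a shell command log for the second and third indicators above (comments in the command stream, delimiter framing and output suppression), written as an added example that is not from Sysdig or the original article. The tab-separated log format, the patterns, the two-indicator threshold and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Heuristic patterns (assumptions for this example, not Sysdig's detection rules).
INDICATORS = {
    # Natural-language comment inside a command: unusual for a human at a shell.
    "inline_comment": re.compile(r"(?:^|\s)#\s*\S"),
    # echo of a punctuation marker used to frame output for a parser.
    "delimiter_echo": re.compile(r"\becho\s+[\"']?[-=#_*]{3,}"),
    # Output trimmed or errors discarded to keep the returned text small.
    "noise_control": re.compile(r"2>\s*/dev/null|\|\s*(?:head|tail)\b"),
}
NON_ASCII = re.compile(r"[^\x00-\x7f]")

def parse_line(line):
    """Split a 'timestamp<TAB>session<TAB>command' record (constructed format)."""
    ts, session, cmd = line.rstrip("\n").split("\t", 2)
    return ts, session, cmd

def score_sessions(lines, min_distinct=2):
    """Return {session: sorted indicator names} for sessions that show at
    least min_distinct different indicators across their commands."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _, session, cmd = parse_line(line)
        for name, pattern in INDICATORS.items():
            match = pattern.search(cmd)
            if not match:
                continue
            seen[session].add(name)
            # A comment written in a non-ASCII script is recorded separately.
            if name == "inline_comment" and NON_ASCII.search(cmd[match.start():]):
                seen[session].add("non_ascii_comment")
    return {s: sorted(v) for s, v in seen.items() if len(v) >= min_distinct}

# Constructed sample records; none are taken from the incident.
# The comment in the last record is constructed and means "check configuration".
SAMPLE = [
    "2026-01-01T10:00:01\tadmin-1\tls -la /var/log | tail -n 5",
    "2026-01-01T10:02:10\tadmin-1\tsystemctl status nginx",
    "2026-01-01T10:05:00\tnb-7\techo '---ENV---'; env 2>/dev/null | head -n 40; echo '---END---'",
    "2026-01-01T10:05:04\tnb-7\tgrep -rl token /opt 2>/dev/null | head -n 20  # 检查配置",
]

if __name__ == "__main__":
    for session, hits in score_sessions(SAMPLE).items():
        print(session, hits)
```

Requiring two distinct indicators per session keeps an administrator's lone `| tail` from being flagged; the threshold should be tuned against a baseline of normal activity before alerting on it.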

Recommendations for Mitigation

In light of this incident, users should update to the latest version of Marimo, audit their environments for publicly accessible instances, and rotate credentials, API keys, and SSH keys to mitigate potential risks.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ
