An unknown threat actor used an LLM agent after exploiting a publicly reachable Marimo notebook through CVE-2026-39987 to steal cloud credentials, fetch an SSH key and pull an internal PostgreSQL database in an attack that Sysdig said lasted a little over an hour in May 2026.
KEY FACTS
- Initial access: The attacker compromised an internet-reachable Marimo notebook.
- Credential theft: Two cloud credentials were taken from the host and used to query AWS Secrets Manager.
- Database access: The stolen SSH key was used in eight parallel SSH sessions against a bastion server.
- Impact: The internal PostgreSQL schema and full contents were exfiltrated in under two minutes.
The report says the incident was recorded on May 10, 2026, after the attacker used the Marimo flaw to gain access and then pivoted through cloud services to an SSH bastion. The chain moved from the compromised notebook to AWS Secrets Manager, where an SSH private key was retrieved, and then to the downstream database server.
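A defender-side correlation check for the pattern in this chain (a Secrets Manager read of an SSH-key secret followed by a burst of parallel SSH sessions on the bastion), added here as an example that is not part of Sysdig's report or tooling; the CloudTrail records, sshd log lines, account ID, role ARNs, secret names and IP addresses are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed CloudTrail records (not from the Sysdig report).
CLOUDTRAIL = [
    {"eventTime": "2026-05-10T11:02:15Z", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/notebook-role/i-0abc"},
     "requestParameters": {"secretId": "prod/bastion/ssh-private-key"}},
    {"eventTime": "2026-05-10T09:40:00Z", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-role/build-42"},
     "requestParameters": {"secretId": "prod/db/app-password"}},
]
# Constructed bastion sshd lines (journalctl -o short-iso style timestamps):
# eight accepted logins from one source within a few seconds, plus one benign login.
SSHD_LOG = [f"2026-05-10T11:03:{s:02d}+0000 bastion sshd[{4100 + s}]: Accepted publickey "
            f"for deploy from 10.0.5.12 port {50100 + s} ssh2: ED25519 SHA256:AAAA"
            for s in (2, 2, 3, 3, 4, 4, 5, 5)]
SSHD_LOG.append("2026-05-10T09:41:10+0000 bastion sshd[3999]: Accepted publickey "
                "for deploy from 10.0.9.7 port 40011 ssh2: ED25519 SHA256:BBBB")

SSH_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
SECRET_NAME_RE = re.compile(r"ssh|private[-_]?key", re.IGNORECASE)  # heuristic, assumed naming

def parse_ts(s):
    # Accepts both CloudTrail's trailing "Z" and the "+0000" offset form.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S%z")

def ssh_logins(lines):
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            yield parse_ts(m.group(1)), m.group(2), m.group(3)

def secret_to_ssh_bursts(cloudtrail, sshd_lines, window=timedelta(minutes=10), min_sessions=4):
    """Alert when an SSH-key-like secret is read and a single source then opens
    at least min_sessions SSH sessions on the bastion within `window`."""
    logins = list(ssh_logins(sshd_lines))
    alerts = []
    for ev in cloudtrail:
        if ev["eventName"] != "GetSecretValue":
            continue
        secret = ev["requestParameters"]["secretId"]
        if not SECRET_NAME_RE.search(secret):
            continue
        t0 = parse_ts(ev["eventTime"])
        per_src = {}
        for t, _user, src in logins:
            if t0 <= t <= t0 + window:
                per_src[src] = per_src.get(src, 0) + 1
        for src, n in per_src.items():
            if n >= min_sessions:
                alerts.append({"principal": ev["userIdentity"]["arn"], "secret": secret,
                               "ssh_source": src, "sessions": n})
    return alerts

if __name__ == "__main__":
    for alert in secret_to_ssh_bursts(CLOUDTRAIL, SSHD_LOG):
        print(alert)
```

The window and session threshold are tuning knobs; the value of the check is joining the two log sources, since neither the secret read nor the login burst looks alarming on its own.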
Sysdig said it found four signs that an LLM agent was driving the activity. Those included a Chinese planning note that translated to “See what else we can do”, command output shaped for machine consumption and evidence that the attacker fed prior tool output into later steps.
The analysis also said the attacker did not appear to know the database schema in advance, yet still found a credential table within minutes. In one example, an ls command was used to confirm an SSH key file existed before a cat command printed its contents.
Marimo versions up to and including 0.20.4 were affected by the critical pre-authenticated remote code execution flaw, which allowed arbitrary system commands to be run before it was fixed in version 0.23.0. The report also said the bug has been actively exploited against exposed systems.
WHY IT MATTERS
The case shows how a single exposed application can lead to fast credential theft and database access when defenders leave secrets, SSH keys or internet-facing services unprotected. It also suggests AI-assisted operators may adapt to unexpected conditions faster than scripted attacks.

