
An LLM Just Ran an Entire Breach in Under an Hour. Your Detection Playbooks Aren't Ready.

The first LLM agent post-exploitation attack is documented: CVE-2026-39987 to full database exfil in under one hour. Your detection playbooks aren't ready.

Zyfolks Team

On May 10, 2026, an attacker chained a Marimo RCE into a full PostgreSQL exfil in just over sixty minutes — and the operator at the keyboard wasn’t a human. According to Sysdig, the post-exploitation phase of the intrusion was driven by an LLM agent that improvised its way from an internet-reachable notebook to a credential table inside an internal database, leaving behind a Chinese-language planning comment it forgot to strip from the command stream. This isn’t a tabletop scenario or a red-team demo. It’s the first publicly documented case of an agent-in-the-loop intrusion against a real production environment, and it changes what defenders need to look for.

How CVE-2026-39987 Became a Springboard for Agent-Driven Intrusion

The initial access vector here is mundane. CVE-2026-39987 is a critical pre-authenticated remote code execution flaw in Marimo, the Python reactive notebook, affecting all versions through 0.20.4 and patched in 0.23.0. Sysdig’s incident report describes an attacker who compromised a publicly reachable Marimo instance, lifted two cloud credentials from the host, fanned those credentials out through an egress pool to call AWS Secrets Manager, retrieved an SSH private key, and used it to open eight parallel SSH sessions against a downstream bastion. The schema and full contents of an internal PostgreSQL database were exfiltrated in under two minutes.

The CVE itself isn’t novel — pre-auth RCEs in developer tooling show up every few weeks — but the path from “one compromised notebook” to “internal database dumped” usually requires either a skilled human on the keyboard or a meticulously authored playbook that fits the target. Here, neither was needed. If you’re running any Jupyter-style notebook, ML experimentation server, or internal data tool on a public IP, the gap between “interesting CVE” and “your customer data is gone” is now measured in inference tokens, not attacker hours. The author’s prediction: within 12 months, agent-driven post-exploitation will be the default for opportunistic mass-scanning campaigns, because the marginal cost of “trying” a new target drops to nearly zero.

Why an Agent Operator Beats a Scripted One

Sysdig’s sharpest observation isn’t about the attack mechanics — it’s about the attacker economics. As the report puts it, a scripted operator pays in engineering time to add each new target class to their playbook. An agent operator pays in inference budget and composes the chain live. That’s a structural shift in how intrusions scale. A scripted attacker who hits a missing file or an unexpected schema aborts or falls through to a hard-coded fallback. An agent reads the surprise, picks a new branch, and keeps going.

In practical terms, this collapses a distinction defenders have relied on for years: the difference between scripted automation and adaptive agents. If your detection logic assumes attackers follow rigid TTP sequences — phase one recon, phase two lateral movement, phase three exfil — you’re going to miss intrusions that skip steps, re-order them, or invent new ones mid-flight based on what the environment actually contains. If you’re a security team using SIEM rules tuned to known kill chains, this means an agent that decides to grep ~/.pgpass before it even knows what database is running can finish before any of your sequence-based correlation fires. The author’s take: the next generation of EDR and cloud detection will have to model intent and improvisation, not just sequence — and most current tooling isn’t built for that.

The Four Tells That Gave the LLM Away

Sysdig identified four indicators that an LLM agent — not a human — was driving the keyboard. First, the attacker improvised a database dump with no prior knowledge of the schema, landing on a credential table within minutes despite an opaque hostname and no pre-staged schema. Second, a Chinese-language planning comment, 看还能做什么 (“See what else we can do”), leaked directly into the command stream during a credential search. Third, the commands were formatted for machine consumption: each separated by a --- delimiter, with bounded output captures, the less pager disabled, and stderr discarded to minimize noise. Fourth, value handoffs flowed from prior tool output — the agent ran ls -la ~/.ssh/id_ed25519* to confirm existence before cat-ing the key, feeding its own previous output into the next action.

Each of those tells is a detection opportunity, but only if your telemetry captures full command streams with arguments, not just process names. If you’re a SOC analyst, the practical takeaway is that --- separators, suppressed stderr, and oddly methodical existence-checks-before-reads are now meaningful behavioral signals. A human attacker doesn’t typically ls a file before cat-ing it — they just cat. The author’s prediction: vendors will start shipping “agent-driven activity” detection rules within the next two quarters, and the first generation of them will be embarrassingly easy to evade once attackers learn to strip the obvious tells like planning comments and rigid delimiters.

What Defenders Should Actually Do Now

Sysdig’s recommended controls — patch Marimo to 0.23.0 or later, audit for public-facing instances, and rotate credentials, API keys, and SSH keys — are the minimum. But this incident demands more than hygiene. The deeper problem is that any host with cloud credentials in its environment, an SSH key in ~/.ssh, or a .pgpass file is now a one-hop pivot point for an agent that knows the general shape of Linux servers without ever having seen yours. That argues for aggressive credential scoping (short-lived tokens, not long-lived AWS keys), egress controls on developer notebooks, and Secrets Manager access policies that alert on unusual caller IPs.

The agent model cuts both ways. The adaptiveness that makes an attacker agent dangerous makes a defender agent useful — triage, enrichment, and containment can all benefit from an agent that reasons about novel evidence instead of pattern-matching against known IoCs. If you’re a security engineer at a mid-size company, the practical move this quarter is to inventory every internet-reachable developer tool (notebooks, ML servers, internal dashboards exposed via Tailscale-style mistakes) and put short-lived credentials in front of anything that touches cloud APIs. The author’s take: the teams that win the next two years are the ones who treat “the attacker has an LLM” as a baseline assumption, not an edge case.
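As an added example (not Sysdig’s code or anything from the original post), here is a small detector for the “alert on unusual caller IPs” control above, run over constructed CloudTrail-shaped GetSecretValue records rather than the incident’s real logs. It flags an access key used from outside an assumed set of expected egress ranges, and a key fanned out across more distinct source IPs than a threshold within a short window; the EXPECTED_EGRESS ranges, the record fields used and the access key ids are all assumptions or placeholders.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

def ev(t, ip, key, name="GetSecretValue", src="secretsmanager.amazonaws.com"):
    """Build a minimal CloudTrail-shaped record (only the fields used below)."""
    return {"eventTime": t, "eventSource": src, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

# Constructed events (not from the incident): one stolen key replayed from
# several egress-pool IPs within seconds, next to a normal CI caller.
STOLEN, LEGIT = "AKIA0000STOLENEXAMPLE", "AKIA0000LEGITEXAMPLE"  # placeholder ids
EVENTS = [
    ev("2026-05-10T10:02:11Z", "198.51.100.5", LEGIT),
    ev("2026-05-10T10:03:40Z", "203.0.113.10", STOLEN),
    ev("2026-05-10T10:03:42Z", "203.0.113.11", STOLEN),
    ev("2026-05-10T10:03:44Z", "203.0.113.12", STOLEN),
    ev("2026-05-10T10:03:50Z", "203.0.113.12", STOLEN, name="ListSecrets"),
]
# Assumed: the NAT/CI ranges your workloads are expected to call AWS from.
EXPECTED_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]

def expected(ip):
    return any(ipaddress.ip_address(ip) in net for net in EXPECTED_EGRESS)

def secret_access_anomalies(events, window=timedelta(minutes=10), max_ips=2):
    """Return findings per access key: calls from outside EXPECTED_EGRESS, and
    more than max_ips distinct source IPs inside any window-long span."""
    calls = defaultdict(list)
    for e in events:
        if (e["eventSource"] == "secretsmanager.amazonaws.com"
                and e["eventName"] == "GetSecretValue"):
            t = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            calls[e["userIdentity"]["accessKeyId"]].append((t, e["sourceIPAddress"]))
    findings = []
    for key, seq in calls.items():
        seq.sort()
        outside = sorted({ip for _, ip in seq if not expected(ip)})
        if outside:
            findings.append({"key": key, "type": "unexpected_source_ip", "ips": outside})
        start = 0  # sliding window over the time-ordered calls for this key
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1
            ips = {ip for _, ip in seq[start:end + 1]}
            if len(ips) > max_ips:
                findings.append({"key": key, "type": "source_ip_fanout", "ips": sorted(ips)})
                break
    return findings
```

Both findings fire on the stolen key only; the legitimate CI caller produces none, and the ListSecrets record is ignored by the event filter.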

FAQ

Q: What is CVE-2026-39987? A: It’s a critical pre-authenticated remote code execution vulnerability in Marimo, the Python reactive notebook, affecting all versions up to and including 0.20.4. It allows an unauthenticated attacker to execute arbitrary system commands and was fixed in version 0.23.0, released in April 2026.

Q: How is an LLM-driven attack different from a scripted one? A: A scripted attack follows a fixed playbook and fails or falls back when it hits an unexpected condition. An LLM-driven attack composes the next step live from the output of the previous one, which means it can adapt to unfamiliar schemas, missing files, or unexpected hostnames without aborting. Sysdig frames the economic shift as moving from “playbook authorship” cost to “inference budget” cost.

Q: How can defenders detect agent-driven post-exploitation? A: Look for behavioral tells in full command streams: unusual delimiters like --- between commands, suppressed stderr, disabled pagers, methodical existence-checks before file reads, and any planning text or natural-language fragments leaking into shell commands. None of these are conclusive on their own, but together they form a profile distinct from human or scripted activity.
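The tells listed in “The Four Tells That Gave the LLM Away” and summarized in this answer, turned into a scoring function as an added example (not code from Sysdig or the original post). It runs over a constructed command stream, not the incident’s real telemetry; the regexes, the tell names and the min_tells threshold are assumptions to tune against your own EDR or auditd data.

```python
import re
# Constructed sample command stream (not Sysdig's telemetry), as an EDR or auditd execve log with full arguments would show it.
SAMPLE_STREAM = """
ls -la ~/.ssh/id_ed25519* 2>/dev/null
---
cat ~/.ssh/id_ed25519 2>/dev/null | head -c 4096
---
# 看还能做什么
grep -r PASSWORD /etc /opt 2>/dev/null | head -n 50
---
PAGER=cat psql -h db-internal -U app -c '\\dt' 2>/dev/null
"""
DELIM = "---"
STDERR_DROP = re.compile(r"2>\s*/dev/null")
BOUNDED = re.compile(r"\|\s*(head|tail)\b")
PAGER_OFF = re.compile(r"PAGER=cat|--no-pager|\|\s*cat\b")
EXISTS_CHECK = re.compile(r"^(ls|test|stat|\[)\s")
READ = re.compile(r"^(cat|head|tail|less|more)\s")
PATH = re.compile(r"(~?/[^\s|;&*]+)")  # stops at a glob star

def first_command(chunk):
    """Skip comment and blank lines; return the first real command in a chunk."""
    for line in chunk.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            return line.strip()
    return ""

def path_of(cmd):
    m = PATH.search(STDERR_DROP.sub("", cmd))  # ignore the /dev/null redirect
    return m.group(1) if m else None

def score_stream(stream):
    """Count each tell from the article across the whole command stream."""
    tells = {"delimiters": stream.count(DELIM), "stderr_dropped": 0, "bounded_output": 0,
             "pager_disabled": 0, "non_ascii_text": 0, "check_then_read": 0}
    checked = None  # path probed by the previous command, if any
    for chunk in (c for c in stream.split(DELIM) if c.strip()):
        cmd = first_command(chunk)
        tells["stderr_dropped"] += bool(STDERR_DROP.search(cmd))
        tells["bounded_output"] += bool(BOUNDED.search(cmd))
        tells["pager_disabled"] += bool(PAGER_OFF.search(cmd))
        tells["non_ascii_text"] += any(ord(ch) > 127 for ch in chunk)
        if READ.match(cmd) and checked and path_of(cmd) == checked:
            tells["check_then_read"] += 1  # ls/test on a path, then a read of it
        checked = path_of(cmd) if EXISTS_CHECK.match(cmd) else None
    return tells

def looks_agent_driven(stream, min_tells=3):
    # Flag only when several distinct tell types co-occur; none alone is conclusive.
    return sum(v > 0 for v in score_stream(stream).values()) >= min_tells
```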

Key Takeaways

  • Treat every internet-reachable developer tool — notebooks, ML servers, internal dashboards — as a one-hop pivot to your cloud credentials, and put short-lived tokens in front of it.
  • Detection logic built around fixed kill-chain sequences will increasingly miss agent-driven intrusions that re-order or skip steps based on live environment feedback.
  • SOC teams should start capturing full command-line arguments and stderr behavior in their telemetry now; the agent-specific tells Sysdig identified are only visible at that fidelity.
  • Long-lived AWS access keys and SSH private keys stored on developer hosts are now a higher-priority risk than they were a year ago, because the cost for an attacker to find and use them just collapsed.
  • Expect the first wave of “LLM attacker detection” vendor rules within two quarters, and expect attackers to strip the obvious tells (planning comments, rigid delimiters) shortly after.
