A recently discovered cyberattack highlights how threat actors are increasingly leveraging artificial intelligence to accelerate post-compromise operations. Security researchers have uncovered an incident in which an attacker used a large language model (LLM)-driven agent to automate reconnaissance, credential harvesting, and data theft after exploiting a critical vulnerability in Marimo.
Critical Marimo Vulnerability Used as Entry Point
According to researchers at Sysdig, the attack began with the exploitation of CVE-2026-39987, a critical remote code execution (RCE) vulnerability affecting publicly exposed Marimo notebook instances.
The flaw impacts all Marimo versions up to and including 0.20.4 and allows unauthenticated attackers to execute arbitrary system commands without requiring valid credentials. The vulnerability was patched in version 0.23.0, released in April 2026.
Researchers noted that attackers targeted an internet-accessible Marimo environment, gaining initial access before moving deeper into the victim’s cloud infrastructure.
From Initial Access to Cloud Credential Theft
After compromising the Marimo instance, the attacker extracted two cloud credentials stored on the affected system. Those credentials were then used to authenticate against AWS services through multiple outbound connections designed to obscure activity.
Using the stolen AWS access keys, the attacker successfully queried AWS Secrets Manager and retrieved a stored SSH private key.
With the private key in hand, the attacker established access to an internal SSH bastion host, creating a pathway into the organization’s private network.
Database Exfiltration Completed in Minutes
Researchers observed the attacker launching eight parallel SSH sessions against downstream infrastructure shortly after obtaining the SSH key.
In less than two minutes, the attacker identified, accessed, and exfiltrated the complete contents and schema of an internal PostgreSQL database.
The entire intrusion chain—from the initial exploitation of the vulnerable Marimo server to the theft of database records—was completed in just over one hour.
Evidence Suggests AI Agent Was Driving the Attack
While the attack followed familiar post-exploitation techniques, Sysdig researchers identified several indicators suggesting an LLM-based agent was actively orchestrating the operation.
1. Adaptive Database Discovery
The attacker successfully located and extracted valuable database information despite having no apparent prior knowledge of the environment, application structure, or database schema.
Researchers believe this level of adaptive decision-making indicates an AI-driven workflow capable of dynamically exploring unfamiliar systems.
2. Accidental Chinese-Language Prompt Leakage
One particularly revealing clue appeared during a credential-search operation when a Chinese-language planning comment surfaced in the command stream:
看还能做什么
The phrase translates to:
“See what else we can do.”
Researchers believe this may represent an internal instruction generated or passed through an AI-assisted workflow.
3. Commands Optimized for Machine Processing
The observed commands appeared structured for automated consumption rather than human interaction.
Indicators included:
- Commands separated using “—” delimiters
- Suppression of unnecessary output
- Error streams redirected to reduce noise
- Interactive paging disabled to avoid interruptions
Such behavior is consistent with autonomous systems that process command output programmatically.
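For defenders, the four traits listed above can be turned into a simple scoring pass over shell audit logs. The following is an added example, not code from Sysdig or from the original article; the regular expressions (including treating the delimiter as an `echo ---` style separator), the thresholds and the sample records are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Traits the article lists for machine-oriented commands. The concrete patterns
# are assumptions chosen for illustration, not indicators published by Sysdig.
TRAITS = {
    "delimiter": re.compile(r"echo\s+[\"']?(?:-{3,}|—)[\"']?"),
    "quiet": re.compile(r"(?:^|\s)(?:-q|--quiet|--silent)(?=\s|$)"),
    "stderr_dropped": re.compile(r"2>\s*/dev/null"),
    "no_pager": re.compile(r"--no-pager|--no-cli-pager|pager=off|PAGER=(?:cat|''|\"\")"),
}

def traits_of(command):
    """Return the set of machine-oriented traits present in one command line."""
    return {name for name, rx in TRAITS.items() if rx.search(command)}

def flag_sessions(events, min_traits=2, min_commands=3):
    """events: iterable of (session_id, command). Flag sessions in which at
    least min_commands commands each show at least min_traits traits."""
    hits = defaultdict(list)
    for session, command in events:
        found = traits_of(command)
        if len(found) >= min_traits:
            hits[session].append(sorted(found))
    return {s: h for s, h in hits.items() if len(h) >= min_commands}

# Constructed audit records (session id, command line); not from the incident.
SAMPLE = [
    ("s1", "git --no-pager log -5"),             # one trait: ordinary admin use
    ("s1", "grep -q root /etc/passwd"),          # one trait
    ("s1", "systemctl status sshd"),             # no traits
    ("s2", "id 2>/dev/null; echo ---; hostname 2>/dev/null"),
    ("s2", "psql -q -P pager=off -c '\\dt' 2>/dev/null; echo ---"),
    ("s2", "test -f ~/.pgpass 2>/dev/null && echo yes; echo ---"),
]

if __name__ == "__main__":
    for session, matched in flag_sessions(SAMPLE).items():
        print(session, matched)
```

Each trait also appears in ordinary scripts, so the score is a triage signal for a session rather than proof of automation.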
4. Sequential Tool Output Reuse
The attacker repeatedly used information gathered from previous commands as direct input for subsequent actions.
For example, database credentials retrieved from the .pgpass file were immediately leveraged in follow-on operations. Similarly, file existence checks were performed before attempting to access SSH keys.
This pattern suggests an AI agent continuously analyzing prior results and determining logical next steps without requiring manual operator intervention.
Why This Matters
According to Sysdig, the significance of AI-assisted attacks lies in their adaptability.
Traditional scripted attacks rely on predefined playbooks and often fail when they encounter unexpected conditions such as missing files, unusual configurations, or authentication errors.
An AI-powered agent, however, can evaluate new information in real time, adjust its strategy, and continue pursuing objectives even when the environment differs from expectations.
Researchers warn that this evolution could significantly lower the barrier to conducting sophisticated intrusions, shifting the challenge from creating custom attack playbooks to simply providing sufficient computing resources for AI-driven operations.
Recommended Mitigation Steps
Organizations using Marimo should take immediate action to reduce exposure:
- Upgrade all Marimo deployments to version 0.23.0 or later.
- Identify and secure publicly accessible Marimo instances.
- Rotate cloud credentials, API keys, and SSH keys that may have been exposed.
- Review AWS Secrets Manager access logs for suspicious activity.
- Monitor SSH bastion hosts for unusual authentication attempts.
- Audit PostgreSQL databases for unauthorized access and data exfiltration indicators.
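One way to carry out the Secrets Manager log review, given that the stolen keys were used over multiple outbound connections: group CloudTrail `GetSecretValue` events by access key and flag keys seen from unexpected networks or from several source addresses. This is an added example, not code from the article or from Sysdig; the expected CIDR range, thresholds, key IDs, secret names and addresses are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

def is_expected(ip, nets):
    """True if ip is inside an expected network; AWS service callers
    (sourceIPAddress like 'ec2.amazonaws.com') are treated as expected."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in n for n in nets)

def secret_reads_to_review(records, expected_cidrs, max_source_ips=1):
    """Return access keys whose GetSecretValue calls came from an unexpected
    network or from more than max_source_ips distinct source addresses."""
    nets = [ipaddress.ip_network(c) for c in expected_cidrs]
    seen = defaultdict(lambda: {"ips": set(), "secrets": set()})
    for r in records:
        if (r.get("eventSource"), r.get("eventName")) != (
                "secretsmanager.amazonaws.com", "GetSecretValue"):
            continue
        key = (r.get("userIdentity") or {}).get("accessKeyId", "unknown")
        seen[key]["ips"].add(r.get("sourceIPAddress", ""))
        seen[key]["secrets"].add((r.get("requestParameters") or {}).get("secretId"))
    findings = {}
    for key, s in seen.items():
        unexpected = sorted(ip for ip in s["ips"] if not is_expected(ip, nets))
        if unexpected or len(s["ips"]) > max_source_ips:
            findings[key] = {"source_ips": sorted(s["ips"]),
                             "unexpected_ips": unexpected,
                             "secrets": sorted(x for x in s["secrets"] if x)}
    return findings

def sample_event(name, key, ip, secret=None):
    """Build a constructed CloudTrail-shaped record for the sample below."""
    return {"eventSource": "secretsmanager.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key},
            "requestParameters": {"secretId": secret} if secret else None}

# Constructed sample; key IDs, secret names and addresses are placeholders.
SAMPLE = [
    sample_event("GetSecretValue", "AKIAEXAMPLEAPP000001", "10.0.1.5", "app/config"),
    sample_event("ListSecrets", "AKIAEXAMPLENB0000002", "203.0.113.10"),
    sample_event("GetSecretValue", "AKIAEXAMPLENB0000002", "203.0.113.10", "ops/bastion-key"),
    sample_event("GetSecretValue", "AKIAEXAMPLENB0000002", "198.51.100.7", "ops/bastion-key"),
]
FINDINGS = secret_reads_to_review(SAMPLE, ["10.0.0.0/8"])
```

Any key that appears in the findings is a candidate for the credential rotation step above, along with every secret it read.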
Final Thoughts
This incident demonstrates how artificial intelligence is beginning to reshape offensive cyber operations. While attackers still require an initial foothold, AI-driven agents can dramatically accelerate post-exploitation activities by autonomously discovering assets, gathering credentials, and adapting to unfamiliar environments.
As AI capabilities continue to evolve, defenders will need to focus not only on preventing intrusions but also on detecting increasingly intelligent behavior occurring after a compromise has already taken place.
