LLM‑Driven Post‑Exploitation Chains Seen After Marimo RCE Abuse

Security Reporter

Security researchers observed a threat actor using a large language model agent to automate credential harvesting and database exfiltration after exploiting the Marimo CVE‑2026‑39987 remote code execution flaw.

On May 10, 2026, Sysdig reported a novel attack pattern: an LLM agent was used to steer post‑compromise actions after an adversary gained initial access through a publicly reachable Marimo notebook service. The attacker leveraged CVE‑2026‑39987, a pre‑authentication remote code execution bug that affects all Marimo releases up to 0.20.4, to run arbitrary commands on the host.

How the chain unfolded

  1. Initial breach – The attacker sent a crafted HTTP request that triggered the RCE bug and opened a shell on the notebook instance.
  2. Credential harvesting – Using the shell, the LLM‑backed script queried the environment for AWS access keys, then called the AWS Secrets Manager API to pull an SSH private key.
  3. Lateral movement – The retrieved key was used to open an SSH session to a bastion host. Eight parallel sessions were spawned against a downstream server.
  4. Data exfiltration – Within two minutes the attacker dumped the schema and full contents of an internal PostgreSQL database.

The entire operation lasted a little over an hour, but the speed and adaptability of the LLM agent set it apart from traditional scripted attacks.

What tipped off the researchers

Sysdig identified four behavioral indicators that suggested an AI‑driven operator:

  • Dynamic schema discovery – The attacker dumped the database without prior knowledge of its structure, a task that typically requires manual analysis.
  • Language artifact – A Chinese comment 看还能做什么 ("See what else we can do") appeared directly in the command stream, a hallmark of a model trained on multilingual data.
  • Machine‑oriented command format – Every instruction was separated by a --- delimiter, output was captured in bounded files, and noisy commands such as less were deliberately disabled.
  • Self‑feeding values – Output from one command (e.g., cat ~/.pgpass) was piped as input to the next step, demonstrating a feedback loop that a static playbook would not have.

"When a scripted operator builds a per‑target playbook the effort to add a new target is engineering time. An agent operator carries general priors about a class of applications and composes the chain live to best fit its target," said John McAllister, senior threat analyst at Sysdig.

Why this matters

The incident shows that attackers can now combine a classic vulnerability with generative AI to create adaptive, low‑noise intrusion campaigns. Traditional detection methods that look for static command sequences or known tool signatures may miss such fluid behavior.

Defensive recommendations

  1. Patch Marimo immediately – Upgrade to version 0.23.0 or later, which disables the vulnerable code path.
  2. Reduce internet exposure – Audit cloud environments for any publicly reachable notebooks, Jupyter‑style services, or other interactive compute instances. Use security groups or firewall rules to restrict access to trusted IP ranges.
  3. Rotate secrets frequently – Rotate AWS access keys, SSH keys, and database passwords on a regular schedule. Store secrets in a dedicated vault with strict IAM policies.
  4. Enable command‑level logging – Capture full command lines, timestamps, and user contexts in a centralized log store. Look for patterns such as repeated --- delimiters or systematic suppression of stderr.
  5. Deploy LLM‑aware detection – Use behavioral analytics that flag unusually rapid decision loops, language artifacts, or output‑to‑input chaining. Solutions that model normal operator workflows can surface anomalies.
  6. Implement zero‑trust network segmentation – Isolate bastion hosts from internal databases and require multi‑factor authentication for any privileged jump.
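As an added example (not code from the Sysdig report or this article), the Python below scans one session's command records for the four behavioral indicators listed earlier and the repeated --- / suppressed‑stderr patterns from recommendation 4. The log lines, scratch‑file paths, secret id and scoring thresholds are constructed assumptions.

```python
import re

# Constructed sample records (one shell command per entry, in order) that mirror
# the indicators described in the report; not the real attacker command stream.
AGENT_LOG = [
    "env | grep -i aws_ > /tmp/o1 2>/dev/null",
    "---",
    "aws secretsmanager get-secret-value --secret-id EXAMPLE-ID > /tmp/o2 2>/dev/null",
    "---",
    "看还能做什么",
    "---",
    "cat ~/.pgpass > /tmp/o3 2>/dev/null",
    "---",
    "PGPASSWORD=$(cut -d: -f5 /tmp/o3) pg_dump -h db.internal appdb > /tmp/o4 2>/dev/null",
]
# Constructed benign admin session for comparison.
ADMIN_LOG = ["cd /var/log", "tail -n 50 syslog", "systemctl status postgresql"]

DELIM = re.compile(r"^-{3,}$")              # bare '---' separator lines
CJK = re.compile(r"[\u4e00-\u9fff]")         # Han characters inside the command stream
STDERR_OFF = re.compile(r"2>\s*/dev/null")   # systematic stderr suppression
CAPTURE = re.compile(r">\s*(/tmp/\S+)")      # stdout captured to a bounded scratch file

def score_session(cmds):
    """Return (score, reasons): one point per agent-style indicator present."""
    reasons = []
    real = [c.strip() for c in cmds if not DELIM.match(c.strip())]
    n_delim = len(cmds) - len(real)
    if n_delim >= 3:  # threshold is an assumption; tune to your baseline
        reasons.append(f"{n_delim} '---' delimiters between commands")
    if any(CJK.search(c) for c in real):
        reasons.append("non-command CJK text in command stream")
    muted = sum(1 for c in real if STDERR_OFF.search(c))
    if real and muted / len(real) >= 0.5:
        reasons.append(f"stderr suppressed on {muted}/{len(real)} commands")
    # Self-feeding values: a scratch file written earlier is read by a later command.
    captured, chained = [], 0
    for c in real:
        m = CAPTURE.search(c)
        target = m.group(1) if m else None
        if any(p in c and p != target for p in captured):
            chained += 1
        if target:
            captured.append(target)
    if chained:
        reasons.append(f"{chained} command(s) consume an earlier captured output")
    return len(reasons), reasons

if __name__ == "__main__":
    for name, log in (("agent", AGENT_LOG), ("admin", ADMIN_LOG)):
        score, why = score_session(log)
        print(f"{name}: score={score} {why}")
```

Feed it the per‑session command lines from the centralized log store described in recommendation 4; a session scoring two or more indicators is worth a human look.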

Looking ahead

The convergence of exploit kits and generative AI is likely to accelerate. As models become more capable of reasoning about system state, defenders will need to shift from signature‑based alerts to context‑rich telemetry and adaptive response playbooks.

"An AI‑in‑the‑loop attacker reads the surprise, decides what to try next, and keeps going. Defenders must build a comparable loop that can intervene in real time," warned Dr. Priya Natarajan, principal researcher at the Cloud Security Alliance.

By hardening the initial attack surface, rotating credentials, and enhancing visibility into command execution, organizations can raise the cost of an LLM‑augmented intrusion and buy time to detect and respond.

For more details on the Marimo vulnerability, see the official advisory on the Marimo GitHub releases page.
