A newly observed intrusion demonstrates how attackers are replacing static playbooks with AI-driven agents that adapt in real time.
The attack began on May 10, 2026, when threat actors exploited CVE-2026-39987, a remote code execution flaw in the marimo notebook environment.
Once inside, the attacker harvested cloud credentials from environment files and system paths. Unlike traditional scripted attacks, the post-compromise activity was dynamically generated by an LLM agent, which analyzed outputs and decided next steps on the fly.
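The harvest targeted the usual places static cloud credentials end up on a notebook host. The following is an added example (my own, not code from Sysdig or the article): a pre-emptive check that scans those locations for AWS access key IDs and .pgpass entries and separates long-lived IAM user keys (AKIA prefix, valid until rotated) from temporary STS session keys (ASIA prefix, which expire on their own). The file contents, paths and key IDs below are constructed placeholders; `scan_host` is the same scan pointed at real paths.

```python
import re
from pathlib import Path

# Constructed stand-ins for the files harvested on the notebook host.
# Key IDs are AWS documentation placeholders, not real credentials.
SAMPLE_FILES = {
    "/app/.env": (
        "DATABASE_URL=postgres://app@db.internal:5432/app\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLE\n"
    ),
    "/etc/environment": "PATH=/usr/local/bin:/usr/bin:/bin\n",
    "/home/app/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = ASIAI44QH8DHBEXAMPLE\n"
        "aws_secret_access_key = REDACTED\n"
        "aws_session_token = REDACTED\n"
        "[ci]\n"
        "aws_access_key_id = AKIAI44QH8DHBEXAMPLE\n"
        "aws_secret_access_key = REDACTED\n"
    ),
    "/home/app/.pgpass": "db.internal:5432:app:app:s3cret\n",
}

# AWS access key IDs: 4-char prefix plus 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")


def key_kind(key_id):
    """AKIA = long-lived IAM user key; ASIA = temporary STS session key."""
    return "long-lived" if key_id.startswith("AKIA") else "temporary"


def scan_text(source, text):
    """Report every access key ID in `text` with its line number and kind."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in ACCESS_KEY_RE.finditer(line):
            key_id = match.group(1)
            findings.append({"source": source, "line": lineno,
                             "access_key_id": key_id, "kind": key_kind(key_id)})
    return findings


def scan_pgpass(source, text):
    """Report .pgpass lines that carry a password (host:port:db:user:password),
    without echoing the password itself."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) == 5 and parts[4]:
            entries.append({"source": source, "line": lineno, "host": parts[0],
                            "database": parts[2], "user": parts[3]})
    return entries


def scan_all(files):
    """Scan a {path: contents} mapping; .pgpass files get the pgpass parser."""
    findings = []
    for source, text in files.items():
        parser = scan_pgpass if source.endswith(".pgpass") else scan_text
        findings.extend(parser(source, text))
    return findings


def long_lived_keys(findings):
    """The keys worth rotating first: they never expire on their own."""
    return [f for f in findings if f.get("kind") == "long-lived"]


def scan_host(patterns=("/app/.env*", "/etc/environment",
                        "~/.aws/credentials", "~/.pgpass")):
    """Same scan over real files on this host; expands ~ and globs, skips
    anything unreadable. The default patterns mirror the harvested paths."""
    files = {}
    for pattern in patterns:
        expanded = str(Path(pattern).expanduser()).lstrip("/")
        for path in Path("/").glob(expanded):
            try:
                files[str(path)] = path.read_text(errors="replace")
            except OSError:
                continue
    return scan_all(files)


if __name__ == "__main__":
    for finding in scan_all(SAMPLE_FILES):
        print(finding)
```

On a host that uses an instance role or a credential helper instead of static keys, `scan_host()` should return nothing for the AWS files; every long-lived key it does report is one that a replay an hour later would still accept.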
Within minutes, the stolen credentials were replayed against AWS APIs. The attacker retrieved an SSH private key from AWS Secrets Manager and used it to authenticate against a downstream SSH bastion host. This pivot enabled access to internal infrastructure, culminating in the rapid exfiltration of a PostgreSQL database.
Notably, the database schema and full contents were dumped in less than two minutes, demonstrating both speed and precision.
The Sysdig Threat Research Team (TRT) reports that a large language model (LLM) agent executed the full attack chain, from initial access to database exfiltration, in little more than an hour, marking one of the first confirmed cases of agent-led post-exploitation in the wild.
A key evasion technique involved using Cloudflare Workers as a distributed egress layer. Instead of issuing API requests from a single source, the attacker fanned out 12 AWS API calls across 11 distinct IP addresses within 22 seconds.
This approach breaks traditional source-IP correlation and makes detection significantly harder for defenders who rely on rate-limiting or IP-based anomaly detection; the only constant across the burst is the stolen access key itself.
The same pattern was observed during SSH activity, where multiple short-lived sessions ran in parallel from different IPs, all using the same stolen key. This distributed execution model mimics benign cloud behavior while masking coordinated malicious activity.
Hackers Pivot from marimo RCE
| Time | Event |
|---|---|
| 2026-05-10, 18:23:44 | First WebSocket connection from 157.66.54.26 to /terminal/ws on a vulnerable marimo instance |
| 2026-05-10, 18:23:45 | First interactive command (id) on the compromised host |
| 2026-05-10, 18:24:14 | Attacker begins credential harvest against /app/.env*, /etc/environment, /proc//environ, ~/.aws/credentials |
| 2026-05-10, 19:26:31 | First AWS API call (sts:GetCallerIdentity) using the first harvested access key, 48 minutes after the marimo session ended |
| 2026-05-10, 19:26:52 | First secretsmanager:GetSecretValue call against an SSH-key secret |
| 2026-05-10, 19:30:30 | First SSH authentication on SSH bastion server using the retrieved key |
| 2026-05-10, 19:30:30 to 19:32:23 | Eight bastion SSH sessions executed in parallel from six distinct Cloudflare Workers IPs, dumping host configuration and the internal PostgreSQL database |
Sysdig researchers identified four clear indicators that the attack was orchestrated by an AI agent rather than a pre-written script.
First, the database targeting was improvised. The attacker queried and dumped tables based on generic assumptions about application schemas, including a “credential” table that was not confirmed to exist beforehand. This suggests reasoning rather than preprogrammed knowledge.
Second, a planning comment briefly appeared in the command stream, written in Chinese and translating to “see what else we can do.” This internal monologue, combined with simultaneous execution across multiple IPs, points to automated orchestration rather than human interaction.
Third, commands were structured for machine consumption. Output delimiters, truncated results, and suppressed errors indicate that another system, most likely the LLM, was parsing the results and feeding them into subsequent actions.
Finally, the attack chain reused its own outputs. For example, credentials extracted from a .pgpass file were immediately used in database queries, and AWS secret identifiers were selected dynamically from prior API responses.
The intrusion unfolded rapidly. Initial access occurred via a WebSocket connection to the marimo terminal. Credential harvesting followed within seconds.
After a gap of about an hour, likely spent feeding the harvested material into the agent system, AWS API calls began. Within minutes, the attacker retrieved secrets, accessed the bastion host, and completed database exfiltration.
This incident signals a shift in attacker economics and capability. Instead of investing time in building tailored scripts, adversaries can now deploy AI agents that adapt to each target environment in real time. This reduces the cost of complex attacks while increasing their success rate.
Traditional detection methods based on known command sequences or indicators of compromise may become less effective, as agent-driven attacks generate unique behaviors for each intrusion.
Defenders will need to focus more on intent-based detection, such as monitoring for credential access, unusual data flows, and privilege escalation patterns.
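The distributed-egress section above and this call for intent-based detection point at the same change in detection logic: key on the credential, not the source address. The following added example (mine, not Sysdig's or the article's) runs an IP-centric burst rule and a credential-centric correlation rule over constructed CloudTrail-style records shaped like the fan-out described above (12 calls, 11 IPs, 22 seconds, one harvested key), plus a routine single-IP workload for contrast. Field names follow CloudTrail's, the key IDs are AWS documentation placeholders, and the IPs are RFC 5737 test addresses.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed records in a trimmed CloudTrail shape:
# (eventTime, eventName, sourceIPAddress, accessKeyId).
# Key IDs are AWS documentation placeholders; 198.51.100.0/24 is an RFC 5737
# test range standing in for the Cloudflare Workers egress addresses.
STOLEN_KEY = "AKIAIOSFODNN7EXAMPLE"   # long-lived key harvested from the host
ROLE_KEY = "ASIAI44QH8DHBEXAMPLE"     # session key of a routine workload, for contrast
SAMPLE_EVENTS = [
    # The fan-out: 12 calls, 11 distinct IPs, 22 seconds, one key.
    ("2026-05-10T19:26:31Z", "sts:GetCallerIdentity",         "198.51.100.11", STOLEN_KEY),
    ("2026-05-10T19:26:34Z", "iam:GetUser",                   "198.51.100.12", STOLEN_KEY),
    ("2026-05-10T19:26:36Z", "s3:ListBuckets",                "198.51.100.13", STOLEN_KEY),
    ("2026-05-10T19:26:38Z", "ec2:DescribeInstances",         "198.51.100.14", STOLEN_KEY),
    ("2026-05-10T19:26:40Z", "secretsmanager:ListSecrets",    "198.51.100.15", STOLEN_KEY),
    ("2026-05-10T19:26:42Z", "secretsmanager:ListSecrets",    "198.51.100.15", STOLEN_KEY),
    ("2026-05-10T19:26:44Z", "secretsmanager:DescribeSecret", "198.51.100.16", STOLEN_KEY),
    ("2026-05-10T19:26:46Z", "rds:DescribeDBInstances",       "198.51.100.17", STOLEN_KEY),
    ("2026-05-10T19:26:48Z", "ssm:DescribeParameters",        "198.51.100.18", STOLEN_KEY),
    ("2026-05-10T19:26:50Z", "iam:ListAccessKeys",            "198.51.100.19", STOLEN_KEY),
    ("2026-05-10T19:26:52Z", "secretsmanager:GetSecretValue", "198.51.100.20", STOLEN_KEY),
    ("2026-05-10T19:26:53Z", "secretsmanager:GetSecretValue", "198.51.100.21", STOLEN_KEY),
    # Routine workload: several calls, one IP, one session key.
    ("2026-05-10T19:26:30Z", "s3:GetObject", "10.0.1.5", ROLE_KEY),
    ("2026-05-10T19:26:35Z", "s3:GetObject", "10.0.1.5", ROLE_KEY),
    ("2026-05-10T19:26:40Z", "s3:PutObject", "10.0.1.5", ROLE_KEY),
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _windows(items, window_s):
    """Yield, for each item, the run of preceding items (itself included)
    that falls within `window_s` of it. Items are (time, ...) tuples."""
    items = sorted(items, key=lambda x: x[0])
    lo = 0
    for hi in range(len(items)):
        while (items[hi][0] - items[lo][0]).total_seconds() > window_s:
            lo += 1
        yield items[lo:hi + 1]


def per_ip_burst(events, window_s=60, threshold=10):
    """IP-centric rule: flag any source IP that issues more than `threshold`
    calls inside `window_s`. Against the fan-out no IP exceeds two calls,
    so this rule stays silent."""
    by_ip = defaultdict(list)
    for stamp, name, ip, _key in events:
        by_ip[ip].append((parse_time(stamp), name))
    return {ip for ip, calls in by_ip.items()
            if any(len(w) > threshold for w in _windows(calls, window_s))}


def correlate_by_access_key(events, window_s=60, min_ips=5):
    """Credential-centric rule: flag an accessKeyId used from at least
    `min_ips` distinct IPs inside `window_s`, and note whether the burst
    ran sts:GetCallerIdentity before secretsmanager:GetSecretValue."""
    by_key = defaultdict(list)
    for stamp, name, ip, key in events:
        by_key[key].append((parse_time(stamp), name, ip))
    findings = []
    for key, calls in by_key.items():
        # The window with the widest IP spread is the one worth reporting.
        best = max(_windows(calls, window_s), key=lambda w: len({c[2] for c in w}))
        ips = {c[2] for c in best}
        if len(ips) < min_ips:
            continue
        names = [c[1] for c in best]
        whoami = names.index("sts:GetCallerIdentity") if "sts:GetCallerIdentity" in names else None
        reads = [i for i, n in enumerate(names) if n == "secretsmanager:GetSecretValue"]
        findings.append({
            "accessKeyId": key,
            "calls": len(best),
            "distinct_ips": len(ips),
            "span_s": (best[-1][0] - best[0][0]).total_seconds(),
            "whoami_before_secret_read": whoami is not None and bool(reads) and whoami < reads[-1],
        })
    return findings


if __name__ == "__main__":
    print("IP burst rule flagged:", per_ip_burst(SAMPLE_EVENTS) or "nothing")
    for finding in correlate_by_access_key(SAMPLE_EVENTS):
        print("Key rule flagged:", finding)
```

In a real pipeline the same grouping runs over CloudTrail's userIdentity.accessKeyId and sourceIPAddress fields, and the SSH side is the same rule keyed on the key fingerprint in sshd's auth log rather than on the client address.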
As Sysdig's Michael Clark noted, attackers are not being replaced by AI; they are upgrading their tooling. The result is faster, more flexible, and harder-to-detect intrusions that challenge existing security models.