Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit

Cybersecurity researchers have uncovered a new attack technique in which threat actors are using large language model (LLM) agents to automate post-exploitation activities after breaching systems through a critical vulnerability in the Marimo platform.

The vulnerability, tracked as CVE-2026-39987, affects Marimo notebook software and allows unauthenticated remote code execution. Security experts say it has already been actively exploited in the wild.

Attack Chain Begins With Marimo Exploit

According to cloud security firm Sysdig, attackers first gained access to an internet-exposed Marimo instance using the vulnerability. From there, they extracted sensitive credentials stored on the compromised host, including cloud access keys.

The attackers then used these credentials to query AWS Secrets Manager and retrieve SSH private keys. Those keys were subsequently used to access internal infrastructure, including a bastion host, where further lateral movement occurred.

Within minutes, the attackers opened multiple SSH sessions, and they exfiltrated the full contents of an internal PostgreSQL database in under two minutes.

AI Agent Used to Automate Post-Exploitation

What makes this incident notable is the suspected use of an LLM-powered agent during the post-compromise phase. Unlike traditional scripted attacks, researchers believe the AI agent dynamically planned and executed commands based on real-time system feedback.

Sysdig identified several indicators suggesting AI involvement:

  • The attacker adapted commands without prior knowledge of database structure
  • The execution flow included machine-readable formatting and structured command chaining
  • Output from earlier commands was reused dynamically in later steps
  • The system showed adaptive decision-making when encountering unexpected conditions

Researchers also noted the presence of non-English planning comments in the command stream, suggesting automated or semi-automated reasoning during the attack process.

Faster, More Adaptive Intrusions

Security analysts warn that this represents a shift from static attack scripts to adaptive AI-driven intrusion workflows. Traditional attackers typically rely on predefined playbooks, which can fail when encountering unexpected environments.

In contrast, LLM-powered agents can:

  • Adjust tactics in real time
  • Explore systems without predefined scripts
  • Recover from errors and continue attacks autonomously
  • Chain reconnaissance, credential theft, and data exfiltration more efficiently

Sysdig noted that the entire intrusion, from initial compromise to data theft, took just over an hour.

Broader Security Implications

The incident highlights growing concerns about the weaponization of AI in cybersecurity breaches. Researchers say that as AI tools become more capable, attackers may increasingly rely on them to scale operations and reduce the need for manual expertise.

Security experts emphasize that exposed services like Marimo notebooks are becoming high-value targets, especially when paired with cloud credentials and misconfigured access controls.

Recommended Mitigations

To reduce risk, researchers advise organizations to:

  • Update Marimo to the latest patched version
  • Audit and secure any publicly exposed notebook instances
  • Rotate compromised or potentially exposed credentials
  • Monitor for unusual API activity in cloud environments
  • Restrict access to SSH keys and secrets management systems
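
As an added illustration of the cloud API monitoring recommended above (not code from Sysdig or from this article), the Python sketch below scans CloudTrail-style records for Secrets Manager calls made with a known access key from a source IP outside its baseline, and for a burst of distinct secret reads. The baseline mapping, thresholds, key ID, IPs and secret names are constructed assumptions.

```python
"""Flag Secrets Manager activity in CloudTrail records that breaks a per-key baseline."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: access key id -> source IPs that key is normally used from.
BASELINE = {"AKIAEXAMPLENOTEBOOK1": {"10.0.4.17"}}

def _ev(time, name, ip, secret=None, key="AKIAEXAMPLENOTEBOOK1"):
    """Build one constructed record using CloudTrail field names."""
    return {"eventTime": time, "eventSource": "secretsmanager.amazonaws.com",
            "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key},
            "requestParameters": {"secretId": secret} if secret else None}

# Constructed sample: one routine read, then enumeration and reads from a new IP.
SAMPLE = [
    _ev("2026-01-01T09:00:00Z", "GetSecretValue", "10.0.4.17", "app/db-url"),
    _ev("2026-01-01T11:02:10Z", "ListSecrets", "203.0.113.50"),
    _ev("2026-01-01T11:02:25Z", "GetSecretValue", "203.0.113.50", "ops/bastion-ssh-key"),
    _ev("2026-01-01T11:02:40Z", "GetSecretValue", "203.0.113.50", "ops/db-ssh-key"),
    _ev("2026-01-01T11:02:55Z", "GetSecretValue", "203.0.113.50", "app/db-url"),
]

def find_suspicious_reads(events, baseline, burst=3, window=timedelta(minutes=5)):
    findings, reads = [], defaultdict(list)
    seen_ips, alerted = set(), set()
    # ISO 8601 UTC timestamps sort correctly as strings.
    for e in sorted(events, key=lambda e: e["eventTime"]):
        if e.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        key = (e.get("userIdentity") or {}).get("accessKeyId", "unknown")
        ip = e.get("sourceIPAddress")
        # Rule 1: key used from an IP outside its baseline (reported once per key/IP).
        if ip not in baseline.get(key, set()) and (key, ip) not in seen_ips:
            seen_ips.add((key, ip))
            findings.append(("new_source_ip", key, ip, e["eventName"]))
        if e["eventName"] != "GetSecretValue":
            continue
        # Rule 2: many distinct secrets read by one key inside the window.
        ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        secret = (e.get("requestParameters") or {}).get("secretId", "unknown")
        reads[key].append((ts, secret))
        recent = {s for t, s in reads[key] if ts - t <= window}
        if len(recent) >= burst and key not in alerted:
            alerted.add(key)  # report the burst once per key
            findings.append(("secret_read_burst", key, ip, sorted(recent)))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_reads(SAMPLE, BASELINE):
        print(finding)
```

In practice the baseline would be derived from historical CloudTrail data for each key rather than hard-coded.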

Conclusion

The CVE-2026-39987 exploitation campaign underscores a significant evolution in cyberattacks: the integration of AI agents into real-world intrusion workflows. As attackers increasingly adopt LLM-driven automation, defenders may need to rethink how they detect and respond to highly adaptive, fast-moving threats.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO