Technical description
Sysdig's Threat Research Team documented the first confirmed in-the-wild intrusion in which a large language model agent autonomously executed the full post-exploitation chain without human direction. On May 10, an attacker exploited CVE-2026-39987 — a pre-authenticated RCE in Marimo (Python reactive notebook, versions ≤0.20.4) via its unauthenticated WebSocket terminal endpoint — to gain initial access. An LLM agent then harvested two cloud credential sets from environment files, replayed them across 11 distinct Cloudflare Workers egress IPs (defeating per-IP detection) to retrieve an SSH private key from AWS Secrets Manager, opened eight parallel SSH sessions against a downstream bastion host, and exfiltrated the full contents of six PostgreSQL database tables in 113 seconds. The end-to-end chain completed in approximately one hour. Forensic markers distinguishing agent-driven from scripted execution include: improvised schema enumeration against an unknown database, natural-language planning comments in the command stream ('看还能做什么' — 'see what else we can do'), machine-optimised command formatting, and real-time adaptive chaining of tool outputs.
Attack vector
An unauthenticated WebSocket connection to an internet-exposed Marimo /terminal/ws endpoint provides an interactive shell. The LLM agent then reads environment files for credentials, fans API calls across Cloudflare Workers egress nodes to defeat IP-based detection, retrieves cloud secrets, and performs lateral movement via SSH — all without a pre-staged playbook. The agent adapts at each step based on command output rather than following a fixed script.
Affected systems
Marimo Python reactive notebook server versions 0.20.4 and earlier (patched in Marimo 0.23.0). High-risk environments: internet-facing ML/data-science notebooks with cloud credentials in environment files or mounted secrets. Also affects any organisation using AWS Secrets Manager as a credential store adjacent to notebook environments.
Mitigation
1) Upgrade to Marimo 0.23.0 immediately.
2) Remove internet exposure of notebook terminals; place them behind a VPN or bastion.
3) Audit the cloud credential scope attached to notebook environments — remove high-privilege roles not required for notebook tasks.
4) Enable AWS CloudTrail alerting on anomalous secretsmanager:GetSecretValue patterns (multiple calls from rotating egress IPs in <30 seconds).
5) Review detection capabilities: per-IP alerting is insufficient against distributed egress; switch to behavioural baselines on API call rates and SSH session concurrency.
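As an added example (not code from the Sysdig report or the Marimo project), the rotating-egress check from step 4 run over constructed CloudTrail-shaped records: a sliding 30-second window counts distinct source IPs per access key, and a per-IP view of the same records shows why step 5's point holds. The three-IP threshold, the access key IDs and the addresses are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # window named in mitigation step 4
MIN_DISTINCT_IPS = 3            # assumed threshold; tune against your own baseline

def _ev(t, ip, key):  # minimal CloudTrail-shaped record (constructed fields only)
    return {"eventTime": t, "eventSource": "secretsmanager.amazonaws.com",
            "eventName": "GetSecretValue", "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}}

# Constructed sample log: one harvested key replayed from four egress IPs within
# 14 seconds, plus two benign patterns (single IP; distinct IPs but spread out).
SAMPLE_EVENTS = [
    _ev("2026-05-10T14:02:01Z", "203.0.113.10", "AKIA_FAKE_HARVESTED"),
    _ev("2026-05-10T14:02:04Z", "198.51.100.7", "AKIA_FAKE_HARVESTED"),
    _ev("2026-05-10T14:02:09Z", "192.0.2.55", "AKIA_FAKE_HARVESTED"),
    _ev("2026-05-10T14:02:15Z", "203.0.113.88", "AKIA_FAKE_HARVESTED"),
    _ev("2026-05-10T14:00:00Z", "10.0.0.5", "AKIA_FAKE_CI_RUNNER"),
    _ev("2026-05-10T14:01:00Z", "10.0.0.5", "AKIA_FAKE_CI_RUNNER"),
    _ev("2026-05-10T13:00:00Z", "10.0.1.1", "AKIA_FAKE_OPS"),
    _ev("2026-05-10T13:10:00Z", "10.0.1.2", "AKIA_FAKE_OPS"),
    _ev("2026-05-10T13:20:00Z", "10.0.1.3", "AKIA_FAKE_OPS"),
]
def _is_get_secret(ev):
    return (ev["eventSource"] == "secretsmanager.amazonaws.com"
            and ev["eventName"] == "GetSecretValue")

def find_rotating_egress(events, window=WINDOW, min_ips=MIN_DISTINCT_IPS):
    """Return {accessKeyId: set_of_ips} for keys whose GetSecretValue calls came
    from at least min_ips distinct source IPs inside any window-long span."""
    calls = defaultdict(list)
    for ev in filter(_is_get_secret, events):
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        calls[ev["userIdentity"]["accessKeyId"]].append((when, ev["sourceIPAddress"]))
    flagged = {}
    for key, rows in calls.items():
        rows.sort()
        lo = 0
        for hi in range(len(rows)):  # sliding window over time-ordered calls
            while rows[hi][0] - rows[lo][0] > window:
                lo += 1
            ips = {ip for _, ip in rows[lo:hi + 1]}
            if len(ips) >= min_ips:
                flagged[key] = flagged.get(key, set()) | ips
    return flagged
def per_ip_counts(events):
    """What per-IP alerting sees: each rotating egress address makes one call."""
    return dict(Counter(ev["sourceIPAddress"] for ev in filter(_is_get_secret, events)))
```

Widening the window (for example to 30 minutes) also flags the spread-out key, so the window length is itself a baseline decision rather than a fixed constant.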