CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 28, 2026

Hackers Use LLM Agent to Move From Marimo RCE to Internal Database in Four Pivots

Cybersecurity News Archived May 28, 2026 ✓ Full text saved

A new kind of cyberattack is changing how defenders must think about intrusion detection. On May 10, 2026, a threat actor used a large language model (LLM) agent to drive a full post-exploitation chain, starting from an exposed notebook server and ending with an internal database dumped in under two minutes. This was not a […] The post Hackers Use LLM Agent to Move From Marimo RCE to Internal Database in Four Pivots appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Hackers Use LLM Agent to Move From Marimo RCE to Internal Database in Four Pivots By Tushar Subhra Dutta May 28, 2026 A new kind of cyberattack is changing how defenders must think about intrusion detection. On May 10, 2026, a threat actor used a large language model (LLM) agent to drive a full post-exploitation chain, starting from an exposed notebook server and ending with an internal database dumped in under two minutes. This was not a pre-scripted attack. Commands were composed in real time, adapting at each step to whatever the target revealed. The entry point was a vulnerable marimo notebook exposed to the internet. The attacker exploited CVE-2026-39987, a flaw allowing a one-WebSocket-request shell on any unpatched marimo server. Cloud credentials were harvested from environment files and the AWS credentials store, then used to retrieve an SSH private key from AWS Secrets Manager. That key opened eight parallel SSH sessions against a downstream bastion server, from which an internal PostgreSQL database was fully exfiltrated. Researchers at Sysdig, who captured the intrusion through their Threat Research Team (TRT), described it as the first AI-agent-driven intrusion they have ever recorded. Attack chain (Source – Sysdig) Sysdig said in a report shared with Cyber Security News (CSN) that the full chain ran end-to-end in under one hour. Sr. Director Michael Clark put it plainly: “We are not watching AI replace attackers. We are watching attackers replace their scripts with AI.” What made this attack notable was how traffic was routed to avoid detection. Twelve AWS API calls were fanned across eleven distinct Cloudflare Workers IP addresses in just 22 seconds, defeating the per-source-IP correlation cloud defenders rely on. Eight SSH sessions came from six separate IPs simultaneously during the bastion phase. This distributed approach breaks traditional IP-based alerting entirely. Hackers Use LLM Agent The Sysdig TRT identified four signs that an LLM agent drove the attack. First, the agent improvised a database dump with no prior schema knowledge, enumerating tables and immediately targeting a credential table that does not exist in the application the schema resembled. It was reasoning from general knowledge, not pre-staged intelligence. Second, a Chinese-language planning comment translating to “See what else we can do” appeared directly in the command stream. That internal monologue, dispatched across six IPs at sub-second pace, is not something a human typist or static script would produce. Third, every command was built for machine parsing, using structured separators, bounded output caps, and discarded error streams so the agent could read each result cleanly. The fourth sign was how values flowed between steps. The database password came from the .pgpass file read moments earlier. The SSH key path followed a listing that confirmed the file existed. The AWS secret ID was selected from a ListSecrets response just 20 seconds before retrieval. The agent was feeding its own prior output into each next action, live and without human direction. Defender Implications and Recommended Response The most pressing implication is that signature-based detection is losing ground. A scripted attacker leaves repeatable fingerprints like the same command order or probe sequence each run. An LLM agent rewrites its approach for every target, making static rules less reliable. Detection must shift toward what the attacker is accomplishing, such as credential access or database exfiltration, rather than the specific commands used. Sysdig recommends updating marimo to version 0.23.0 or later immediately. If upgrading is not possible, access to the /terminal/ws endpoint should be restricted or the terminal feature disabled. Any publicly reachable marimo instance should be treated as potentially compromised, and all associated credentials, API keys, SSH keys, and database passwords should be rotated. CVE-2026-39987 is on CISA’s Known Exploited Vulnerabilities catalog, and its federal remediation deadline has passed. Organizations should enable deep telemetry across the full network and deploy runtime threat detection that flags behavior-based patterns. An LLM-powered attacker no longer needs to map your environment to operate inside it. Speed, adaptiveness, and distributed egress are now standard features of the threat. Indicators of Compromise (IoCs):- Type Indicator Description IP Address 157.66.54.26 Origin IP for both marimo terminal sessions (AS141892, Indonesia) IP Range 104.28.0.0/16 Cloudflare Workers egress pool (AS13335) used for AWS API calls and SSH bastion sessions IP Address 104.28.162.160 Cloudflare Workers IP used in schema enumeration and HEREDOC PostgreSQL dump IP Address 104.28.165.251 Cloudflare Workers IP used in targeted credential table dump IP Address 104.28.165.169 Cloudflare Workers IP used in credential-file search block IP Address 104.28.157.50 Cloudflare Workers IP used in container and SSH-key enumeration CVE CVE-2026-39987 Critical marimo terminal WebSocket RCE vulnerability (entry point for the attack chain) Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Seedworm APT Abuses Signed Fortemedia and SentinelOne Binaries for DLL Sideloading Discord Announces End-to-End Encryption by Default for Video and Voice Messages Critical OpenVPN Connect for macOS Vulnerability Let Attackers Execute Arbitrary Commands CISA Warns of LiteSpeed cPanel Plugin Vulnerability Exploited in Attacks KnowledgeDeliver LMS Zero-Day Exploited to Deploy BLUEBEAM Web Shell Latest News Cyber Security News AI-Generated npm Malware Accidentally Exposes Threat Actor’s Private GitHub Token Cyber Security News Claude Opus 4.8 Released With Ability to Work as an Experienced Engineer Cyber Security New Gogs 0-Day Vulnerability Lets Attackers Run Malicious Code on the Server Remotely Cyber Security Critical OpenVPN Connect for macOS Vulnerability Let Attackers Execute Arbitrary Commands Cyber Security News Hackers Deploy VIP Keylogger Through Phishing Emails Masquerading as Business Documents
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 28, 2026
    Archived
    May 28, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗