


Perceptive Security
SOC/SIEM Consultancy

Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
Published: 29 May 2026 at 14:39:56
Alert date: 29 May 2026 at 17:11:07
Source: thehackernews.com
Zero-Day Vulnerabilities, Data Breach & Exfiltration, Cloud & Virtualization, Emerging Technologies
Unknown threat actors exploited the CVE-2026-39987 vulnerability in publicly accessible Marimo notebooks to gain initial access. After successful compromise, the attackers deployed a large language model (LLM) agent for post-exploitation activities. The attack involved compromising internet-reachable Marimo notebooks and extracting cloud credentials from the compromised environment. This represents a novel attack technique combining traditional vulnerability exploitation with AI-powered post-compromise operations.
Technical details
Attackers exploited CVE-2026-39987, a critical pre-authenticated remote code execution vulnerability in Marimo notebooks, to gain initial access. Post-exploitation involved using an LLM agent to extract cloud credentials, retrieve SSH private keys from AWS Secrets Manager, and perform database exfiltration.
The attack chain included:
1) Exploitation of an internet-accessible Marimo notebook
2) Credential extraction from the compromised host
3) AWS API calls through an egress pool to retrieve an SSH private key
4) Eight parallel SSH sessions against a bastion server
5) Complete PostgreSQL database schema and content exfiltration in under 2 minutes
Total attack duration was approximately one hour.
LLM agent indicators included: an improvised database dump without schema knowledge, Chinese-language planning comments in the command stream, machine-optimized commands with delimiters, and value handoffs from previous tool outputs.
Mitigation steps:
Update to the latest version of Marimo (version 0.23.0 or later)
Audit environments for any publicly-accessible Marimo instances
Rotate credentials, API keys, and SSH keys
Monitor for unusual database access patterns
Implement network segmentation around critical databases
Monitor AWS Secrets Manager access logs for suspicious activity
Affected products:
Marimo (all versions prior to and including 0.20.4)
AWS Secrets Manager
PostgreSQL databases
Related links:
https://www.sysdig.com/blog/ai-agent-at-the-wheel-how-an-attacker-used-llms-to-move-from-a-cve-to-an-internal-database-in-4-pivots
https://thehackernews.com/2026/04/marimo-rce-flaw-cve-2026-39987.html
IOCs:
Chinese-language planning comment: '看还能做什么' (See what else we can do)
Command delimiter pattern: '---'
Cat command pattern: 'cat ~/.ssh/id_ed25519'
List command pattern: 'ls -la ~/.ssh/id_ed25519*'
Cat command pattern: 'cat ~/.pgpass'
Bounded output captures with disabled 'less' command
Error stream redirection to minimize noise
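Added example (not from the source article or from Perceptive): a small detection pass that groups shell commands by session and flags sessions where several of the indicators above occur together, since each one alone is common in normal administration. The tab-separated log format, the regex forms, the threshold of three and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Regex readings of the alert's IOC list. These are this example's
# interpretation of the listed patterns, not signatures from the source.
INDICATORS = {
    "cjk_comment": re.compile(r"#.*[\u4e00-\u9fff]"),       # planning comment in Chinese
    "delimiter": re.compile(r"(?<!-)---(?!-)"),             # '---' output separator
    "ssh_key_read": re.compile(r"\b(?:cat|ls\s+-la)\s+~/\.ssh/id_ed25519"),
    "pgpass_read": re.compile(r"\bcat\s+~/\.pgpass\b"),
    "stderr_suppressed": re.compile(r"2>\s*/dev/null"),     # assumed form of the redirection
}

# Constructed sample: "<session id>\t<command>" per line (assumed log format).
SAMPLE_LOG = """\
s1\tcat ~/.pgpass
s2\t# 看还能做什么
s2\tls -la ~/.ssh/id_ed25519* 2>/dev/null; echo '---'; cat ~/.ssh/id_ed25519
s2\tcat ~/.pgpass 2>/dev/null
s3\tls -la /var/log
"""


def score_sessions(log_text, threshold=3):
    """Return {session: sorted indicator names} for sessions that show at
    least `threshold` distinct indicators."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        session, sep, command = line.partition("\t")
        if not sep:
            continue  # skip lines that do not match the assumed format
        for name, pattern in INDICATORS.items():
            if pattern.search(command):
                hits[session].add(name)
    return {s: sorted(names) for s, names in hits.items() if len(names) >= threshold}


if __name__ == "__main__":
    for session, names in score_sessions(SAMPLE_LOG).items():
        print(f"{session}: {', '.join(names)}")
```

Session s1 reads ~/.pgpass once and stays below the threshold; only s2, which combines five indicators, is reported.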
This article was created with the assistance of AI technology by Perceptive.
