A recent cyberattack leveraging a large language model (LLM) agent has reshaped the landscape of intrusion detection. On May 10, 2026, cybercriminals executed a full post-exploitation chain, beginning with an exposed notebook server and culminating in an internal database breach in under two minutes.
Cyberattack Details and Entry Point
This innovative cyberattack was not pre-planned but dynamically crafted in real-time as attackers adapted to their target’s defenses. The initial breach point was a vulnerable marimo notebook server accessible via the internet. Exploiting CVE-2026-39987, this flaw permitted a single WebSocket request to gain shell access on any unpatched marimo server.
Subsequently, attackers obtained cloud credentials from environment files and AWS credentials stores. These credentials provided access to an SSH private key stored in AWS Secrets Manager. Utilizing this key, they initiated eight parallel SSH sessions on a downstream bastion server, which led to the complete exfiltration of an internal PostgreSQL database.
AI-Driven Intrusion and Its Implications
Sysdig’s Threat Research Team (TRT) documented this groundbreaking AI-driven intrusion, noting that it completed in less than an hour. According to Michael Clark, Senior Director at Sysdig, “This is not a case of AI replacing human attackers, but rather attackers replacing their scripts with AI.”
A distinguishing feature of this attack was its evasion of detection through distributed traffic routing. Twelve AWS API calls were dispersed across eleven Cloudflare Workers IP addresses within 22 seconds, thwarting traditional IP-based detection methods. During the bastion stage, eight SSH sessions originated from six different IPs, further complicating detection efforts.
Indicators of LLM Agent Activity
Sysdig identified four key indicators suggesting LLM agent involvement. The agent dumped the database without prior knowledge of its schema, and it targeted a credentials table that did not exist in the application's schema. Additionally, a Chinese-language command suggested exploratory intent.
Commands were optimized for machine parsing with structured separators and discarded error streams, allowing the agent to efficiently process results. Moreover, the agent seamlessly transitioned between steps, utilizing the output of one action as the input for the next without human intervention.
Defensive Measures and Recommendations
This attack underscores the diminishing effectiveness of signature-based detection methods. While traditional attackers leave repeatable patterns, LLM agents modify their tactics for each target, necessitating a shift in detection strategies to focus on attacker objectives like credential access or database breaches.
Sysdig advises updating marimo to version 0.23.0 or later. If upgrading is unfeasible, restricting access to the /terminal/ws endpoint or disabling the terminal feature is recommended. Any publicly accessible marimo instance should be considered compromised, with all associated credentials rotated. The CVE-2026-39987 vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, emphasizing its critical nature.
Organizations are encouraged to implement comprehensive network telemetry and deploy runtime threat detection systems focused on behavior-based patterns. LLM-powered attackers no longer need extensive knowledge of an environment, relying instead on speed, adaptability, and distributed egress to conduct their operations.
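The distributed-egress pattern described above (twelve API calls across eleven IPs in 22 seconds; eight SSH sessions from six IPs) is exactly the kind of behavior that IP-based blocking misses but identity-centric telemetry can catch. The following is an added illustration, not code from Sysdig or from the report: a sliding-window detector that groups events by principal (an access key ID or an SSH username) and alerts when one identity acts from an unusual number of distinct source IPs within a short window. The Event type, the thresholds, and the log lines are all constructed for the example; the key IDs and IP addresses are placeholders from documentation ranges.

```python
"""Behavior-based detector for distributed egress: one identity, many source IPs
in a short time window. Added example; all telemetry below is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since epoch (constructed values in sample_events)
    principal: str   # IAM access key ID, SSH user, or any stable identity
    source_ip: str   # client IP seen by CloudTrail, sshd, a proxy, etc.
    action: str      # API name or "ssh-login"; informational only


def detect_distributed_egress(events, window_s=60.0, min_ips=4):
    """Return one alert per principal whose activity, within some sliding window
    of window_s seconds, came from at least min_ips distinct source IPs.

    Each alert reports the window with the highest distinct-IP count, so a
    burst of 12 calls from 11 IPs is reported as 11 IPs / 12 events rather than
    as the moment the threshold was first crossed. Events may be unsorted."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e.principal].append(e)

    alerts = []
    for principal in sorted(by_principal):
        evs = sorted(by_principal[principal], key=lambda e: e.ts)
        win = deque()                  # events inside the current window
        ip_counts = defaultdict(int)   # source_ip -> occurrences inside win
        best = None                    # (distinct_ips, start_ts, end_ts, n_events)
        for e in evs:
            win.append(e)
            ip_counts[e.source_ip] += 1
            # Evict events older than window_s relative to the newest event.
            while e.ts - win[0].ts > window_s:
                old = win.popleft()
                ip_counts[old.source_ip] -= 1
                if ip_counts[old.source_ip] == 0:
                    del ip_counts[old.source_ip]
            distinct = len(ip_counts)
            # ">=" so that a tie prefers the later, larger window of the burst.
            if best is None or distinct >= best[0]:
                best = (distinct, win[0].ts, e.ts, len(win))
        if best[0] >= min_ips:
            alerts.append({
                "principal": principal,
                "distinct_ips": best[0],
                "events": best[3],
                "span_s": best[2] - best[1],
            })
    return alerts


def sample_events():
    """Constructed telemetry mirroring the reported shape of the intrusion
    (not real logs): an access key used from 11 IPs in 22 s, an SSH user
    logging in from 6 IPs, and a benign CI identity that is busy but single-IP."""
    base = 1_778_400_000.0  # arbitrary epoch seconds
    evs = []
    # 12 AWS API calls, 11 distinct source IPs, spread over 22 seconds.
    api_ips = [f"203.0.113.{i}" for i in range(1, 12)] + ["203.0.113.1"]
    for i, ip in enumerate(api_ips):
        evs.append(Event(base + i * 2.0, "AKIAEXAMPLEKEY", ip,
                         "secretsmanager:GetSecretValue"))
    # 8 SSH sessions on the bastion from 6 distinct IPs over 28 seconds.
    ssh_ips = [f"198.51.100.{n}" for n in (1, 2, 3, 4, 5, 6, 1, 2)]
    for i, ip in enumerate(ssh_ips):
        evs.append(Event(base + 100.0 + i * 4.0, "deploy", ip, "ssh-login"))
    # Benign: a CI runner making 30 calls from a single IP in 30 seconds.
    for i in range(30):
        evs.append(Event(base + i * 1.0, "AKIACIRUNNERKEY", "192.0.2.10",
                         "s3:PutObject"))
    return evs


if __name__ == "__main__":
    for alert in detect_distributed_egress(sample_events()):
        print(f"{alert['principal']}: {alert['distinct_ips']} source IPs across "
              f"{alert['events']} events in {alert['span_s']:.0f}s")
```

The detector keys on the identity rather than the IP, which is what makes it indifferent to the attacker rotating through Cloudflare Workers egress addresses: the access key and the SSH user stayed constant while the IPs changed. In production the thresholds would be tuned per identity class (a NAT-fronted office key legitimately shows a few IPs; a service role should show one), and the same sliding-window logic can be fed from CloudTrail, sshd auth logs, or a runtime sensor without changing the scoring.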
