Attackers Used LLM Agent to Steal Database After Marimo Exploit
Unknown actors exploited Marimo CVE-2026-39987, used an LLM agent to harvest AWS credentials and an SSH key, accessed a bastion and exfiltrated a PostgreSQL database.
On May 10, 2026, cloud security firm Sysdig recorded unknown actors exploiting CVE-2026-39987 on an internet-reachable Marimo notebook. The attackers used a large language model (LLM) agent to collect AWS credentials and retrieve an SSH private key from AWS Secrets Manager, then used the key to authenticate to an SSH bastion and exfiltrate the schema and full contents of an internal PostgreSQL database.
CVE-2026-39987 is a pre-authenticated remote code execution flaw that affects Marimo versions up to and including 0.20.4. The issue was fixed in Marimo 0.23.0, released last month. Exposed Marimo instances have been targeted since the vulnerability’s disclosure for reconnaissance and credential harvesting.
Sysdig’s analysis shows the attacker extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to call AWS APIs, and retrieved an SSH private key from Secrets Manager. Minutes later the actor used the key for an initial SSH login to the bastion, then opened eight parallel short SSH sessions against a downstream server to pull the PostgreSQL database. The complete attack chain lasted just over an hour and the database transfer finished in under two minutes.
The firm identified four indicators it says point to an LLM agent driving the post-compromise activity. The attacker produced a usable database dump without prior knowledge of the schema, indicating on-the-fly adaptation. A Chinese-language planning comment, “看还能做什么” (translated as “See what else we can do”), appeared in the command stream during credential searches.
Command formatting favored machine parsing: entries were separated with a “—” delimiter, output was captured in bounded chunks, the pager command “less” was disabled, and error output was discarded. The sequence of actions included serial value handoffs where the output of one command was fed into the next, for example listing and then catting an SSH key file and reading a PostgreSQL password file.
The report advises updating Marimo to the latest release, removing any publicly accessible instances, rotating credentials, API keys and SSH keys that may have been exposed, and auditing access logs and Secrets Manager activity for unusual API calls and short-lived bastion authentications.
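One way to run the Secrets Manager audit recommended above, as an added example that is not from Sysdig's report: it flags access keys that read a secret while being used from several source addresses within a short window, the trace that replaying a credential through an egress pool would leave in CloudTrail. The records, key IDs, addresses, secret names, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, service, name, ip, key, secret=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": ts, "eventSource": service + ".amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key},
            "requestParameters": {"secretId": secret} if secret else None}

# Constructed events: key IDs, addresses (documentation ranges) and secret names are placeholders.
SAMPLE_EVENTS = [
    _ev("2026-01-01T10:00:05Z", "sts", "GetCallerIdentity", "198.51.100.7", "AKIAEXAMPLE0000000001"),
    _ev("2026-01-01T10:00:40Z", "secretsmanager", "ListSecrets", "203.0.113.21", "AKIAEXAMPLE0000000001"),
    _ev("2026-01-01T10:01:10Z", "secretsmanager", "GetSecretValue", "192.0.2.44",
        "AKIAEXAMPLE0000000001", "example/bastion-ssh-key"),
    _ev("2026-01-01T10:01:30Z", "ec2", "DescribeInstances", "198.51.100.99", "AKIAEXAMPLE0000000001"),
    # One key, one address, reading a secret: ordinary application behaviour.
    _ev("2026-01-01T10:02:00Z", "secretsmanager", "GetSecretValue", "192.0.2.10",
        "AKIAEXAMPLE0000000002", "example/app-db-password"),
    # Several addresses but no secret read: outside the scope of this check.
    _ev("2026-01-01T10:03:00Z", "s3", "ListBuckets", "192.0.2.50", "AKIAEXAMPLE0000000003"),
    _ev("2026-01-01T10:03:20Z", "s3", "ListBuckets", "192.0.2.51", "AKIAEXAMPLE0000000003"),
    _ev("2026-01-01T10:03:40Z", "s3", "ListBuckets", "192.0.2.52", "AKIAEXAMPLE0000000003"),
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_fanned_out_secret_reads(events, window=timedelta(minutes=10), min_ips=3):
    """Map accessKeyId -> source IPs and secrets for keys that called GetSecretValue
    while active from at least min_ips distinct addresses within `window` of the read."""
    by_key = defaultdict(list)
    for ev in events:
        key = (ev.get("userIdentity") or {}).get("accessKeyId")
        if key:
            by_key[key].append(ev)
    findings = {}
    for key, evs in by_key.items():
        for read in evs:
            if (read["eventSource"], read["eventName"]) != ("secretsmanager.amazonaws.com", "GetSecretValue"):
                continue
            t = parse_time(read["eventTime"])
            ips = {e["sourceIPAddress"] for e in evs if abs(parse_time(e["eventTime"]) - t) <= window}
            if len(ips) >= min_ips:
                hit = findings.setdefault(key, {"source_ips": set(), "secrets": set()})
                hit["source_ips"] |= ips
                hit["secrets"].add((read.get("requestParameters") or {}).get("secretId") or "unknown")
    return {k: {f: sorted(v) for f, v in hit.items()} for k, hit in findings.items()}

if __name__ == "__main__":
    print(find_fanned_out_secret_reads(SAMPLE_EVENTS))
```

Tune `window` and `min_ips` to the environment: workloads that legitimately call AWS through several NAT gateways will need a higher threshold or an allowlist of known egress addresses.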
In its report, Sysdig wrote, “The attacker no longer needs to see your environment to operate inside it,” describing the agent’s ability to adapt its actions when it encounters unexpected files, schemas or authentication failures.








