Sysdig TRT observed an agentic threat actor exploiting CVE-2026-39987 in a marimo notebook to automate container escape, host breakout, and Kubernetes secret theft without human interaction. The operation used a mounted Docker socket, nsenter, and Kubernetes service-account replay to dump host credentials and the cluster Secret store.
Keypoints
- The Sysdig Threat Research Team observed exploitation of marimo notebook vulnerability CVE-2026-39987 on May 29, 2026.
- The attacker was identified as an agentic threat actor (ATA) driven by an LLM harness rather than a human operator.
- The ATA first enumerated the container environment, including Docker socket exposure, seccomp posture, capabilities, core_pattern, AF_ALG, and Kubernetes token availability.
- A mounted /var/run/docker.sock was used to create privileged containers and escape onto the host filesystem and namespaces.
- The attacker read host credential material, including /etc/shadow, SSH private keys, and other key files from the host.
- The ATA replayed a stolen Kubernetes service-account token against the in-cluster API and dumped Secrets from the default namespace.
- The campaign showed that an autonomous agent can chain container escape and Kubernetes credential replay at machine speed.
MITRE Techniques
- [T1611] Escape to Host – The attacker used a mounted Docker socket to create privileged containers and break out to the host, and also used nsenter to enter host namespaces (‘breaking out to the host with nsenter’).
- [T1610] Deploy Container – The attacker created privileged containers specifically to run host commands and access mounted host paths (‘Creating privileged containers to break out onto the host’).
- [T1613] Container and Resource Discovery – The attacker enumerated the container environment, Docker socket, seccomp, capabilities, cgroups, and Kubernetes token location (‘mapping its container context and every available breakout primitive’).
- [T1611.001] Escape to Host via Container Runtime Socket – The attacker used /var/run/docker.sock as the breakout primitive to control the Docker daemon (‘Finding the Docker socket reachable…selected it as the breakout vector’).
- [T1611.002] Escape to Host via Namespace Breakout – The attacker used nsenter to enter host mount, UTS, network, PID, and IPC namespaces (‘entering the host namespaces of PID 1 directly’).
- [T1190] Exploit Public-Facing Application – The initial access came from exploiting the vulnerable marimo notebook exposed to the attacker (‘exploiting a vulnerable marimo notebook (CVE-2026-39987)’).
- [T1068] Exploitation for Privilege Escalation – The attacker probed a kernel-level privilege-escalation path through Copy Fail / AF_ALG reachability (‘Probing a kernel-level privilege-escalation path through Copy Fail’).
- [T1055] Process Injection – Not observed directly as code injection, but the attacker executed staged payloads via shell and Python in a controlled harness (‘base64 written in chunks…decoded, and executed’).
- [T1021.006] Remote Services: Kubernetes API – The attacker replayed a stolen service-account token against the Kubernetes API server to enumerate and dump Secrets (‘replay it against the in-cluster API server’).
- [T1552.001] Unsecured Credentials: Credentials In Files – The attacker read /etc/shadow, SSH keys, and other credential files from host-mounted paths (‘reading the host shadow file and SSH keys’).
- [T1003.008] OS Credential Dumping: /etc/shadow – The attacker directly accessed the host shadow file from the breakout container (‘$ cat /host/etc/shadow’).
- [T1528] Steal Application Access Token – The attacker read a mounted Kubernetes service-account token from the pod (‘$ cat /var/run/secrets/kubernetes.io/serviceaccount/token’).
- [T1609] Container Administration Command – The attacker used Docker API calls to create containers on the host (‘curl --unix-socket /var/run/docker.sock … /containers/create’).
Indicators of Compromise
- [IP address] Source/C2 infrastructure and second-stage delivery – 103.43.71.95, 43.167.11.88
- [URL] Second-stage payload retrieval over HTTP – http://43.167.11.88:8084/slt
- [File path] Host and container paths used during breakout and credential theft – /var/run/docker.sock, /var/run/secrets/kubernetes.io/serviceaccount/token
- [File path] Host credential files accessed after breakout – /host/etc/shadow, /host-ssh/id_ed25519
- [File name / command artifact] Staged payload harness and decoded script location – /tmp/r_.b64, /tmp/r_.py
- [File name] Host key material and SSH-related files searched or accessed – id_rsa, id_ed25519, authorized_keys
- [Kubernetes Secret names] Secrets enumerated from the cluster – dbcredentials, redisXXXXXX, openai-api-key, slack-webhook
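The chain above relied on two things being present inside the pod: a reachable /var/run/docker.sock and a mounted service-account token. The following audit is an added example, not code from the Sysdig report; it checks Pod specs for those exposures, and its function names and sample pod list are constructed for illustration.

```python
import json
from pathlib import PurePosixPath

# /var/run is normally a symlink to /run, so both spellings are checked.
DOCKER_SOCKETS = [PurePosixPath("/var/run/docker.sock"), PurePosixPath("/run/docker.sock")]

def exposes_socket(host_path):
    """True if a hostPath is the socket itself or a parent directory of it."""
    p = PurePosixPath(host_path)
    return any(p == s or p in s.parents for s in DOCKER_SOCKETS)

def audit_pod(pod):
    """Return the findings for one Pod object parsed from API JSON."""
    spec, findings = pod.get("spec", {}), []
    risky = {v["name"] for v in spec.get("volumes", [])
             if "hostPath" in v and exposes_socket(v["hostPath"].get("path", ""))}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in risky:
                findings.append(f"{c['name']}: Docker socket reachable via {m['mountPath']}")
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"{c['name']}: privileged container")
    # Assumption: an unset field means the token is mounted (the default,
    # unless the pod's ServiceAccount object disables automounting).
    if spec.get("automountServiceAccountToken", True):
        findings.append("service-account token mounted in pod")
    return findings

def audit(pod_list):
    """Map namespace/name -> findings for every pod with at least one finding."""
    report = {}
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        found = audit_pod(pod)
        if found:
            report[f"{meta.get('namespace', 'default')}/{meta.get('name')}"] = found
    return report

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "default", "name": "notebook"},
  "spec": {"volumes": [{"name": "run", "hostPath": {"path": "/var/run"}}],
           "containers": [{"name": "app",
                           "volumeMounts": [{"name": "run", "mountPath": "/var/run"}]}]}},
 {"metadata": {"namespace": "default", "name": "hardened"},
  "spec": {"automountServiceAccountToken": false,
           "containers": [{"name": "app", "securityContext": {"privileged": false}}]}}
]}""")

print(json.dumps(audit(SAMPLE), indent=2))
```

The parent-directory check matters because a hostPath of /var/run or / exposes the socket without naming it.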