Sysdig TRT reported the first AI-agent-driven intrusion it has captured, in which an LLM agent carried out post-compromise actions in real time, moving from a vulnerable marimo notebook to exfiltration of an internal PostgreSQL database in under one hour. The attack used CVE-2026-39987, AWS Secrets Manager, and SSH bastion access, with Cloudflare Workers fanning out requests to evade per-source-IP detection. #CVE-2026-39987 #marimo #AWSSecretsManager #CloudflareWorkers #PostgreSQL
Keypoints
- The Sysdig Threat Research Team observed what it believes is the first AI-agent-driven intrusion it has captured.
- The intrusion started with an internet-reachable marimo notebook compromised through CVE-2026-39987.
- Attackers harvested cloud credentials from the host, then used AWS Secrets Manager to retrieve an SSH private key.
- Cloudflare Workers were used as a per-request egress pool, spreading 12 API calls across 11 IPs in 22 seconds.
- The SSH bastion phase involved eight parallel sessions and exfiltration of an internal PostgreSQL database in under two minutes.
- Sysdig identified several signs of real-time LLM-agent execution, including planning comments, machine-shaped commands, and output-driven handoffs.
- Recommended defenses include updating marimo to 0.23.0 or later, restricting or disabling /terminal/ws, and rotating exposed credentials.
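The Cloudflare Workers fan-out noted above (12 API calls across 11 IPs in 22 seconds) defeats rules keyed on source IP, so the following added example, which is not from the Sysdig report, groups CloudTrail-style records by access key and counts distinct source IPs in a sliding window. The records, key IDs, documentation-range IPs, date and thresholds are constructed assumptions; only the field names (`eventTime`, `eventName`, `sourceIPAddress`, `userIdentity.accessKeyId`) follow the CloudTrail record format.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format

def detect_ip_fanout(events, window_seconds=60, min_distinct_ips=5):
    """Flag access keys seen from many source IPs inside one sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # accessKeyId -> (time, ip) pairs still in window
    findings = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev["userIdentity"]["accessKeyId"]
        now = datetime.strptime(ev["eventTime"], FMT)
        q = recent[key]
        q.append((now, ev["sourceIPAddress"]))
        while now - q[0][0] > window:  # drop calls that fell out of the window
            q.popleft()
        ips = {ip for _, ip in q}
        best = findings.get(key, {"distinct_ips": 0})
        if len(ips) >= max(min_distinct_ips, best["distinct_ips"]):
            findings[key] = {"distinct_ips": len(ips), "calls": len(q)}
    return findings

def busiest_source_ip(events):
    """What a per-source-IP rate rule keys on: (ip, call count) of the top talker."""
    return Counter(e["sourceIPAddress"] for e in events).most_common(1)[0]

def build_sample():
    """Constructed records: one key fanned out over 11 IPs, one steady key on one IP."""
    base, events = datetime(2026, 1, 1, 12, 0, 0), []
    for i in range(12):  # 12 calls, 2 s apart, spanning 22 s
        when = (base + timedelta(seconds=2 * i)).strftime(FMT)
        events.append({"eventTime": when,
                       "eventName": "GetCallerIdentity" if i == 0 else "GetSecretValue",
                       "sourceIPAddress": f"198.51.100.{10 + i % 11}",
                       "userIdentity": {"accessKeyId": "AKIAEXAMPLEFANOUT"}})
        events.append({"eventTime": when, "eventName": "GetSecretValue",
                       "sourceIPAddress": "203.0.113.5",
                       "userIdentity": {"accessKeyId": "AKIAEXAMPLESTEADY"}})
    return events

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP top talker:", busiest_source_ip(sample))
    print("per-key fan-out:  ", detect_ip_fanout(sample))
```

On the constructed sample, the busiest source IP belongs to the steady single-IP workload, while the per-key view flags only the fanned-out key.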
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The attacker gained initial access by exploiting a vulnerable internet-reachable marimo notebook via CVE-2026-39987 (‘compromised an internet-reachable marimo notebook via CVE-2026-39987’).
- [T1083] File and Directory Discovery – The attacker searched for local files and directories to locate secrets and keys (‘cat ~/.bash_history’, ‘cat ~/.pgpass’, ‘ls -la /tmp/’, ‘find /home/deploy -type f -name '*.pem' -o -name '*.key' -o -name '*.env'’).
- [T1552.001] Credentials In Files – The attacker extracted credentials from files such as .pgpass and .env (‘credential harvest against /app/.env*, /etc/environment, /proc//environ, ~/.aws/credentials’).
- [T1552.004] Private Keys – The attacker searched for and used SSH private keys to access downstream systems (‘ls -la ~/.ssh/id_ed25519*’, ‘cat ~/.ssh/id_ed25519.pub’, ‘used that key to drive eight short SSH sessions’).
- [T1110] Brute Force – The text describes repeated authentication attempts across multiple SSH sessions, though not password guessing; the attacker performed many rapid logins using the retrieved key (‘eight bastion SSH sessions executed in parallel’).
- [T1041] Exfiltration Over C2 Channel – The attacker exfiltrated database contents through the SSH bastion phase as part of remote command execution (‘dumping host configuration and the internal PostgreSQL database’).
- [T1078] Valid Accounts – The attacker reused harvested cloud and SSH credentials to authenticate to AWS and the bastion host (‘replayed them through a fanned-out egress pool’, ‘first SSH authentication on SSH bastion server using the retrieved key’).
- [T1555] Credentials from Password Stores – The attacker retrieved secrets from AWS Secrets Manager (‘first secretsmanager:GetSecretValue call against an SSH-key secret’).
Indicators of Compromise
- [IP addresses] Source and pivot infrastructure – 157.66.54.26, 104.28.162.160, and 104.28.165.251
- [IP ranges] Cloudflare Workers egress space used for fan-out – 104.28.0.0
- [AWS API actions] Credential and secret retrieval activity – sts:GetCallerIdentity, secretsmanager:GetSecretValue
- [Endpoint paths] marimo terminal access endpoint and credential targets – /terminal/ws, /app/.env*
- [File paths] Local secret and key discovery on the compromised host – ~/.pgpass, ~/.ssh/id_ed25519*
- [Database objects] PostgreSQL tables targeted for dumping – api_key, credential, user, variable, flow, message
- [Vulnerability] Initial access weakness referenced in the article – CVE-2026-39987