LLM Agent Conducts Autonomous Post-Exploitation via Marimo RCE

Sysdig documents the first case of an LLM agent completely replacing a human operator in post-exploitation following a critical RCE on the Marimo notebook fram…

On May 10, 2026, an unknown threat actor deployed an LLM agent to conduct the entire post-exploitation phase after gaining initial access via CVE-2026-39987, a critical pre-authentication RCE vulnerability in the Marimo Python notebook framework. The incident, documented by the Sysdig Threat Research Team and reported by The Hacker News, marks the first public evidence of a large language model completely replacing a human operator in an offensive attack chain. The agent demonstrated autonomous capabilities ranging from database schema improvisation to cloud pivoting and full data exfiltration in under two minutes. This case raises immediate questions regarding the detectability of AI-generated behaviors compared to traditional attack playbooks.

Key Takeaways
  • CVE-2026-39987 is a critical pre-authentication RCE vulnerability in the Marimo framework with a CVSS v4.0 score of 9.3, allowing remote code execution as root via the /terminal/ws WebSocket endpoint without authentication validation.
  • Marimo versions prior to 0.23.0 are vulnerable; a fix was released in version 0.23.0.
  • Sysdig observed the first in-the-wild exploit attempt within 9 hours and 41 minutes of the advisory publication.
  • In the May 10, 2026 incident, an LLM agent autonomously managed post-exploitation: it recovered cloud credentials, pivoted via an SSH bastion, and exfiltrated the schema and full contents of an internal PostgreSQL database in under two minutes, completing the end-to-end chain in just over an hour.

The Vulnerability: Authentication Bypass on the WebSocket Terminal

The CVE-2026-39987 vulnerability resides in the /terminal/ws WebSocket endpoint of Marimo, a reactive Python notebook framework with approximately 19,600 GitHub stars. According to GitHub Security Advisory GHSA-2679-6mx9-h9xc, this specific endpoint fails to perform the authentication validation that protects the product's other WebSockets. This oversight opens an interactive PTY shell with root privileges within the default Docker container without requiring credentials.

EndorLabs assigned the vulnerability a CVSS v4.0 score of 9.3, classifying it as Critical. The National Vulnerability Database records the same identifier with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Version 0.23.0 patches the flaw. In a sample of 186 tested connections, EndorLabs identified approximately 16% of internet-exposed Marimo instances as vulnerable, with 30 successful WebSocket upgrades on /terminal/ws. The vendor specifies that this figure represents a lower bound.

The exploitation window was extremely compressed: Sysdig recorded the first attempt against a honeypot within 9 hours and 41 minutes of public disclosure, leaving a narrow margin for manual patching in exposed environments.

Agent vs. Operator: Four Technical Indicators

The defining element of the May 10, 2026 incident is not the initial access, but the subsequent activity. Sysdig documented four converging indicators of an LLM agent's involvement in post-exploitation. The first is improvisation: the target database had an opaque hostname, no application identifiers on disk, and no pre-staged dumps, yet the attacker located a credential table within minutes. The second is a Chinese comment found in the command stream—"看还能做什么", translated as "See what else we can do"—suggesting an exploratory reasoning cycle rather than a pre-fabricated script.

The third indicator involves command structure: the use of --- delimiters, bounded output, the disabling of the less pager, and discarding stderr. These patterns are optimized for machine consumption rather than human readability. The fourth is "value handoff," the dynamic passing of output from previous tools as input for subsequent commands without external intervention.

As reported by Sysdig via The Hacker News: "The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH sessions against a downstream SSH bastion server." The bastion phase exfiltrated "the schema and full contents of an internal PostgreSQL database in under two minutes." The operation involved eight parallel SSH sessions, with the end-to-end chain concluding in just over an hour.

"The database hostname was opaque, with no application identifier on disk and no schema dump pre-staged, yet the chain still landed on a credential table within minutes. The attacker no longer needs to see your environment to operate inside it" — Sysdig Threat Research Team

From Playbooks to Inference Budgets: Shifting Offensive Economics

The transformation documented by Sysdig is economic as much as it is technical. In a traditional playbook-based attack, every new target requires engineering time for manual reconnaissance, script adaptation, and condition verification. The LLM agent inverts this equation. As Sysdig observes: "When a scripted operator builds a per-target playbook and reuses it, the bar to adding a new target is engineering time. However, an agent operator carries general priors about a class of applications and composes the chain live to best fit its target. Here, the bar becomes inference budget, not playbook authorship."

This distinction is critical for defense. A scripted attacker facing a missing file, an unexpected schema, or an authentication error typically aborts or falls back to a hard-coded routine. The agent "reads the surprise, decides what to try next, and keeps going." This adaptability eliminates the friction points that traditionally generate detectable noise: human operator rhythms, the repetition of known patterns, and dependence on static playbooks.

Sysdig did not identify the specific LLM model used. The dossier does not specify whether the agent was hosted locally or queried via a cloud API, nor does it quantify the actual inference budget cost of the operation.

Remediation and Mitigation

  • Immediately update Marimo to version 0.23.0 or later; official release notes confirm this version patches the vulnerability.
  • Remove Marimo instances in "edit mode" from the network perimeter or strictly limit their access, as they represent the documented attack surface.
  • Audit network logs for unauthenticated WebSocket connections to the /terminal/ws endpoint as an indicator of pre-exploitation reconnaissance.
  • Evaluate command logs for "agent-like" behaviors: structured delimiters, bounded output with interactive pagers disabled, and command sequences showing value handoffs from previous outputs.

Detection: From Signatures to Behavior

The Marimo incident necessitates a re-evaluation of detection assumptions. The technical indicators of the LLM agent—machine-readable delimiters, stderr discarding, and bounded output—are not configuration anomalies but intentional properties of a system designed to consume commands rather than type them. The difference between a remote human operator and an autonomous agent no longer lies in speed, but in the structure of the workflow.
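As an added illustration of the two log-review items in the mitigation list and the behavioral-detection point made here (example code written for this page, not from Sysdig, EndorLabs or the Marimo project), the following Python scans a constructed reverse-proxy access log for successful WebSocket upgrades on /terminal/ws and scores a constructed shell command stream for the machine-consumption traits the report describes. The combined log format, the trait regexes and the threshold of four traits are assumptions chosen for the demonstration.

```python
import re

# Constructed sample data (not from the Sysdig report). ACCESS_LOG mimics a
# combined-format reverse-proxy log in front of Marimo; COMMANDS mimics a
# shell audit trail from the container, one command per line.
ACCESS_LOG = """\
203.0.113.7 - - [10/May/2026:03:12:41 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Python/3.11 websockets/12.0"
198.51.100.5 - - [10/May/2026:03:12:44 +0000] "GET /ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2026:03:13:02 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Python/3.11 websockets/12.0"
"""
COMMANDS = [
    "echo '---'; uname -a 2>/dev/null | head -n 5",
    "echo '---'; ls /app/config 2>/dev/null | head -n 20",
    "DBHOST=$(grep -o 'DB_HOST=.*' /app/config/app.env 2>/dev/null | cut -d= -f2)",
    "PAGER=cat psql -h \"$DBHOST\" -c '\\dt' 2>/dev/null | head -n 50",
]

# Combined log format: client IP, request method, path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def terminal_ws_upgrades(log_text):
    """Return (ip, path) for every successful (101) WebSocket upgrade on
    /terminal/ws. The endpoint performs no authentication check on
    vulnerable versions, so any external upgrade deserves review."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3).startswith("/terminal/ws") and m.group(4) == "101":
            hits.append((m.group(1), m.group(3)))
    return hits

# The machine-consumption traits named in the report, as illustrative
# regexes over a single command (assumed patterns, not Sysdig's rules).
TRAITS = {
    "delimiter": re.compile(r"echo\s+['\"]?-{3,}"),          # --- separators
    "bounded_output": re.compile(r"\|\s*(head|tail)\s+-n\s*\d+"),
    "pager_disabled": re.compile(r"\bPAGER=cat\b|--no-pager\b"),
    "stderr_discarded": re.compile(r"2>\s*/dev/null"),
    "value_handoff": re.compile(r"\$\(|\$\{?[A-Z_]+\}?"),    # prior result reused
}

def command_traits(cmd):
    return {name for name, rx in TRAITS.items() if rx.search(cmd)}

def agent_like(commands, min_traits=4):
    """Flag a session when the whole command stream shows at least
    min_traits distinct traits; any single trait is common in normal use."""
    seen = set()
    for cmd in commands:
        seen |= command_traits(cmd)
    return len(seen) >= min_traits, sorted(seen)

if __name__ == "__main__":
    print(terminal_ws_upgrades(ACCESS_LOG))
    print(agent_like(COMMANDS))
```

Tuning the threshold against a baseline of legitimate notebook sessions is necessary before using the score as an alert rather than a triage hint.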

The Chinese comment in the command stream remains contextual data rather than proof of geographic origin. The actor's identity is unknown, and the dossier does not establish whether the May 10 incident is an isolated case or the start of a broader pattern. The total number of victims of CVE-2026-39987 exploitation has not been quantified.

For organizations using Marimo in data science, machine learning, and internal analytics workflows, exposing instances in edit mode constitutes a critical risk of cloud account takeover and data breach. For the security sector, this event introduces a new detection object: no longer just the exploit itself, but the post-exploit behavior that betrays the presence of artificial reasoning over human operation.

The commoditization of offensive AI is no longer a prospect but a documented reality. The time between disclosure and exploitation is now measured in hours, and post-exploitation in minutes of inference.
