The Marimo CVE Is Only Half the Story

A Marimo RCE gave initial access. Sysdig says the harder part was agent-driven post-exploitation: cloud keys, SSH pivoting, and a PostgreSQL dump.

2026-05-29 GIGATAP Team #security
#CVE#LLM security#post-exploitation

A Marimo CVE gave the attacker the door. The more important part is what happened after entry: Sysdig says an unknown threat actor used a large language model agent to adapt inside the compromised environment, extract cloud credentials, retrieve an SSH key, and dump an internal PostgreSQL database.

Source: The Hacker News, based on Sysdig research — https://thehackernews.com/2026/05/attackers-use-llm-agent-for-post.html

What changed#

The incident centers on CVE-2026-39987, described as a critical pre-authenticated remote code execution vulnerability in Marimo. According to the source report, the flaw affects Marimo versions prior to and including 0.20.4, and was addressed in version 0.23.0.

That part is familiar security operations work: internet-reachable software, a disclosed RCE, active exploitation, and urgent patching. The shift is in the post-compromise behavior.

Sysdig observed an attacker compromise a publicly accessible Marimo notebook, pull two cloud credentials from the host, use an AWS access key to call AWS Secrets Manager, retrieve an SSH private key, and then use that key against a downstream SSH bastion server. The bastion activity reportedly exfiltrated the schema and full contents of an internal PostgreSQL database in under two minutes. The full chain lasted a little over an hour.

The report’s central claim is narrower than the headline cycle may make it sound. The LLM did not create the CVE. It did not remove the need for exposed infrastructure, valid credentials, reachable secrets, and lateral access paths. The claim is that an LLM agent appears to have driven the post-exploitation phase once access existed.

That matters because post-exploitation is where many real breaches become damaging. Initial access is often noisy and generic. The expensive part for attackers is adapting to the victim’s environment: finding credentials, reading file paths, understanding service names, handling missing files, and deciding what to try next. Sysdig’s argument is that an agent can reduce that cost.

Why the CVE matters for security operations#

CVE-2026-39987 is the entry point in this case, but the operational impact is broader than one Marimo instance.

The vulnerable service was publicly reachable. After compromise, the attacker found cloud credentials on the host. Those credentials could access AWS Secrets Manager. Secrets Manager contained an SSH private key. That key opened a path to a bastion server. The bastion then led to an internal PostgreSQL database.

Each step is a separate control question. Patching Marimo closes the known front door. It does not answer whether cloud credentials were over-permissioned, whether secrets were too broadly accessible, whether SSH keys were rotated, whether bastion access was monitored, or whether database exfiltration would trigger an alert.

This is the real privacy risk and operational risk in the story. A notebook service exposed to the internet became a route to database contents. If the internal PostgreSQL database held customer data, user records, analytics, application secrets, or business-sensitive tables, the damage is not limited to the original host.

The report also fits a pattern defenders should expect: attackers do not need perfect knowledge of the target. They need enough access, enough permissions, and enough time to discover the next useful handle.

The agent angle sharpens that problem. Sysdig points to several indicators suggesting LLM-driven activity: command output shaped for machine consumption, use of delimiters, bounded captures, suppression of noisy output, value handoffs from earlier command results, and a Chinese-language planning comment that appeared in the command stream. One example involved checking for an SSH key with an ls command before reading it with cat. Another involved using the contents of ~/.pgpass to drive later database access.

None of that proves a specific model, vendor, or toolkit. It does support the narrower conclusion that the operator may have used an agentic workflow that could observe output, adjust, and continue.

Exploitability is not the whole risk#

A common mistake after a CVE report is to treat exploitability as a binary patch question: vulnerable or not, exploited or not. This case shows why that is too thin.

The exploitability of CVE-2026-39987 matters because it can provide unauthenticated command execution. But the blast radius depends on what the compromised service can see and touch. A patched service with leaked long-lived keys elsewhere may still be exposed through other routes. An unpatched service with tight egress, no local secrets, limited identity permissions, and strong logging is still vulnerable, but the attacker has less room to convert code execution into data theft.

The Hacker News report says earlier exploitation activity included manual reconnaissance against honeypot systems and attempts to harvest sensitive data. Sysdig’s observed case follows that broad path, but with an apparent agent used after entry. That makes the defender’s job less about blocking a single rigid script and more about detecting adaptive sequences.

A hard-coded script often breaks when a file is missing or a schema differs. An agent can read the failure and choose another path. That does not make it magic. It makes weak assumptions more dangerous.

For security operations teams, the practical question is simple: if an attacker lands on one exposed application server, how many useful secrets can they reach before a human notices?

What to check now#

Start with Marimo exposure. Identify any internet-facing Marimo instances and verify whether they are updated beyond the affected range described in the source report. If a vulnerable instance was exposed, treat that as a possible compromise path, not just a patch ticket.

Then check the surrounding trust chain.

🧭 Practical checks:

  • Confirm Marimo has been updated to a fixed release, with priority on public instances.
  • Review logs for command execution, credential discovery, unusual file reads, and outbound activity from Marimo hosts.
  • Search for cloud credentials stored on the host, in environment variables, notebook files, shell history, config files, or application directories.
  • Audit AWS API calls from credentials associated with affected systems, especially Secrets Manager access.
  • Rotate exposed or potentially exposed credentials, API keys, and SSH keys.
  • Review Secrets Manager permissions. A compromised application host should not automatically have broad read access to high-value SSH keys.
  • Check SSH bastion logs for short, parallel, or unusual sessions after suspicious cloud API activity.
  • Inspect PostgreSQL access logs for schema enumeration, bulk reads, dumps, or access from bastion paths that do not match normal operations.
  • Add detection for command streams shaped for automation: repeated delimiters, bounded output capture, stderr suppression, and rapid value reuse across commands.

These checks matter even if you do not run Marimo. The pattern is portable. Public app compromise, local credential theft, cloud secret retrieval, SSH pivot, database dump — that chain can appear around many developer tools and internal platforms.

For teams working on open source security and software supply chain controls, this is another reminder that patching must be tied to operational checks. A CVE advisory tells you where the known weakness sits. It does not tell you whether the attacker already used it, what keys were exposed, or which downstream systems trusted those keys.

Related GigaTap reading: OpenSSF’s April signal: make security artifacts operational — https://gigatap.top/en/articles/openssfs-april-signal-make-security-artifacts-operational

What not to overclaim#

Do not turn this into “AI attackers can breach anything.” The source does not support that.

The observed chain still depended on concrete failures or exposures: a publicly reachable vulnerable Marimo notebook, credentials available from the compromised environment, access to AWS Secrets Manager, an SSH private key that worked against a bastion, and database access through that path. Remove or constrain any one of those links and the attack becomes harder.

Also do not assume every odd command sequence proves LLM use. Sysdig’s indicators are meaningful because they appear together: adaptive command flow, machine-oriented formatting, output handoffs, and a leaked planning comment. One delimiter or one strange shell command is not enough by itself.

The stronger lesson is more grounded. Agent-assisted post-exploitation can make attackers faster at navigating unfamiliar systems. That changes defender expectations. Controls that rely on attackers being slow, confused, or blocked by small environmental differences will age badly.

Patching the CVE is the first move. Proving that exposed credentials did not turn into downstream access is the work that matters next.