Tags: Offensive AI, Critical

Agent at the wheel: detecting LLM-driven post-exploitation

On May 10, 2026, Sysdig captured its first intrusion where an LLM agent drove the post-exploitation in real time — CVE-2026-39987 on marimo to a full PostgreSQL dump in under an hour. The forensic tell is the command shape.

Published 2026-06-01 · 6 min read · Affects: marimo <= 0.20.4, aws-secrets-manager, ssh-bastion, postgresql

What is this?

On May 10, 2026, the Sysdig Threat Research Team recorded what it describes as its first captured intrusion where a large language model agent drove the post-exploitation phase in real time, rather than executing a pre-written playbook. The full chain — from a compromised marimo notebook to a full internal PostgreSQL dump — ran end-to-end in under one hour, with the database exfiltration itself taking less than two minutes. Sysdig published its analysis on May 26, 2026; The Hacker News covered it on May 29.

The entry point was CVE-2026-39987, a critical pre-auth remote code execution bug in marimo (all versions ≤ 0.20.4), patched in 0.23.0 and now on CISA’s KEV catalog. The CVE is not the story here — it is the known door. What is new is the engine on the other side of the connection.

How it works

The intrusion followed a familiar four-pivot path: marimo RCE → harvest cloud credentials from disk → retrieve an SSH private key from AWS Secrets Manager → drive SSH sessions against an internal bastion to dump PostgreSQL. No new exploit primitive was introduced, so none is reproduced here.

What distinguishes an agent from an automated script is real-time composition. Sysdig identified four forensic signatures, none of which a pre-built playbook explains:

Signature                         What it looks like
--------------------------------  ----------------------------------------------
1. Improvised target dump         Six-table SELECT against an opaque host, incl.
                                   a `credential` table the schema didn't contain
2. Planning text in the stream    A Chinese comment "看还能做什么" ("see what else
                                   we can do") leaked mid-session, English shell
                                   following — across six IPs at sub-second tempo
3. Machine-shaped commands        `echo '---'` separators, quoted HEREDOCs, bounded
                                   `| head -N` captures, `-P pager=off`, `2>/dev/null`
4. Output consumed as input       PGPASSWORD lifted from `cat ~/.pgpass`; a secret
                                   ID picked from the prior `ListSecrets` response

A representative reconnaissance block, with the harvested secret removed:

PGPASSWORD=[REDACTED] psql -h internal-db -U app -d app -P pager=off << 'EOF'
SELECT * FROM api_key;
SELECT * FROM credential;
SELECT * FROM "user";
EOF

The five shaping tells — delimiters between probes, a HEREDOC bundling unrelated queries into one round trip, output capped so it fits a context window, the pager and stderr suppressed — each appear in well-engineered human scripts individually. Stacked together in a 113-second improvised session against a host the operator had no on-disk evidence about, they point to a model in a tool-use loop, reading each result and deciding the next call. Egress was fanned across eleven Cloudflare Workers IPs in 22 seconds, defeating per-source-IP correlation.
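The following is an added example, not code from Sysdig or from the original write-up. It turns the five shaping tells and the "bulk SELECT * on credential/user tables" objective into a small scorer that a detection pipeline could run over a captured shell stream. The input sessions are constructed: the first is the reconnaissance block quoted above extended with the separator, bounded-capture and stderr-suppression tells from the table; the second is a hand-typed one-liner for contrast. The sensitive-table set and the `min_tells` threshold are assumptions to tune per environment.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the article's reconnaissance block, extended with
# the remaining tells from the signature table, plus a plausible human session.
AGENT_SESSION = """\
echo '---'
PGPASSWORD=[REDACTED] psql -h internal-db -U app -d app -P pager=off 2>/dev/null << 'EOF'
SELECT * FROM api_key;
SELECT * FROM credential;
SELECT * FROM "user";
EOF
echo '---'
cat ~/.pgpass 2>/dev/null | head -20
"""

HUMAN_SESSION = """\
psql -h internal-db -U app -d app
SELECT count(*) FROM orders WHERE created_at > now() - interval '1 day';
"""

# The five shaping tells from the article, as regexes over the raw stream.
SHAPING_TELLS = {
    "separator": re.compile(r"echo\s+['\"]-{3,}['\"]"),          # echo '---' between probes
    "heredoc": re.compile(r"<<-?\s*['\"]?[A-Za-z_]\w*['\"]?"),   # quoted HEREDOC bundling queries
    "bounded_capture": re.compile(r"\|\s*head\s+-(?:n\s*)?\d+"),  # | head -N to fit a context window
    "pager_off": re.compile(r"-P\s+pager=off"),                  # psql pager suppressed
    "stderr_suppressed": re.compile(r"2>\s*/dev/null"),          # stderr discarded
}

# Objective-level signal: bulk reads of tables that hold credentials.
# Table names come from the article; the set is an assumption to extend per schema.
SENSITIVE_TABLES = {"credential", "user", "api_key"}
BULK_SELECT = re.compile(r"SELECT\s+\*\s+FROM\s+\"?(\w+)\"?", re.IGNORECASE)


@dataclass
class Verdict:
    tells: list               # names of shaping tells present
    sensitive_tables: list    # sensitive tables hit by SELECT *

    def score(self) -> int:
        return len(self.tells)

    def suspicious(self, min_tells: int = 3) -> bool:
        # Intent alone is enough (defense 3); shape alone needs several
        # tells stacked, since each one appears in human scripts individually.
        return bool(self.sensitive_tables) or len(self.tells) >= min_tells

    def reasons(self) -> list:
        out = [f"tell:{t}" for t in self.tells]
        out += [f"bulk_select:{t}" for t in self.sensitive_tables]
        return out


def assess(session: str) -> Verdict:
    """Score one captured command stream for agent-shaped tells and intent."""
    tells = [name for name, rx in SHAPING_TELLS.items() if rx.search(session)]
    hit = {m.group(1).lower() for m in BULK_SELECT.finditer(session)}
    return Verdict(tells=tells, sensitive_tables=sorted(hit & SENSITIVE_TABLES))


if __name__ == "__main__":
    for label, text in (("agent", AGENT_SESSION), ("human", HUMAN_SESSION)):
        v = assess(text)
        print(label, v.score(), v.suspicious(), v.reasons())
```

The scorer is deliberately order-independent: it never asks which command came first, only which tells co-occur and which tables were read, which is what survives when the agent composes a different sequence against every target.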

Why it matters

Sysdig frames the shift as one of cost, not capability. A scripted operator pays in engineering time to add each new target; an agent operator carries general priors about a class of application and composes the chain live, so the cost becomes inference budget. Cheaper composition means more intrusions of this complexity, faster.

The defender-relevant property is adaptiveness. A script that hits an unexpected schema or a missing file aborts or falls through to a hard-coded fallback. An agent reads the surprise and keeps going — here, it landed on a credential table inside a database identified only by hostname. As Sysdig puts it: “The attacker no longer needs to see your environment to operate inside it.” The corollary is that signature detection of a known operator’s command sequence degrades fast, because the agent composes a different sequence against every target.

Defenses

  1. Patch and inventory marimo. Upgrade to 0.23.0 or later immediately; CVE-2026-39987 is a one-WebSocket-request shell on any unpatched, internet-reachable instance. If you cannot upgrade, restrict or disable the /terminal/ws endpoint.
  2. Rotate everything reachable from a marimo process. Treat any publicly exposed instance as compromised: rotate AWS keys, API keys, database passwords and SSH keys, and audit .env files, environment variables and on-disk secrets.
  3. Detect on intent, not sequence. Because the agent’s command order is unique per target, anchor detection on objectives — reading credential files, secretsmanager:GetSecretValue against SSH-key secrets, bulk SELECT * on credential/user tables — rather than on specific TTPs or User-Agent strings.
  4. Correlate on identity, not source IP. Workers-style egress pools break per-IP detection. The same SSH key or the same AWS access key fanning across many points of presence in seconds is a stronger signal than any single address.
  5. Get telemetry off the perimeter. The pivot ran inside the network. Runtime detection on the bastion and database tiers — not just internet-facing assets — is what catches the lateral movement.
  6. Keep secrets off application hosts. A marimo box with cloud credentials on disk is a one-hour pivot device. Use short-lived, scoped credentials and instance-level identity rather than long-lived keys in .env files.
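As an added example for defenses 3 and 4 (not Sysdig's code or tooling), the script below correlates on the access key rather than the source address: it reads CloudTrail-shaped events, raises a fan-out alert when one key is used from several distinct IPs inside a short window, and separately flags `GetSecretValue` calls whose secret name looks like an SSH key. The log lines are constructed for this example (invented key IDs, documentation-range IPs, invented secret names and timestamps); the window, threshold and the SSH-name pattern are assumptions to tune.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input in CloudTrail's field layout (eventTime, eventName,
# sourceIPAddress, userIdentity.accessKeyId, requestParameters.secretId).
# One key fans across five addresses in 22 seconds; a deploy key works from one.
SAMPLE_LOG = """\
{"eventTime":"2026-01-01T10:00:00Z","eventName":"ListSecrets","sourceIPAddress":"203.0.113.10","userIdentity":{"accessKeyId":"AKIAEXAMPLEAGENT001"}}
{"eventTime":"2026-01-01T10:00:04Z","eventName":"GetSecretValue","sourceIPAddress":"203.0.113.11","userIdentity":{"accessKeyId":"AKIAEXAMPLEAGENT001"},"requestParameters":{"secretId":"prod/bastion/ssh-private-key"}}
{"eventTime":"2026-01-01T10:00:09Z","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.12","userIdentity":{"accessKeyId":"AKIAEXAMPLEAGENT001"}}
{"eventTime":"2026-01-01T10:00:15Z","eventName":"ListSecrets","sourceIPAddress":"203.0.113.13","userIdentity":{"accessKeyId":"AKIAEXAMPLEAGENT001"}}
{"eventTime":"2026-01-01T10:00:22Z","eventName":"GetSecretValue","sourceIPAddress":"203.0.113.14","userIdentity":{"accessKeyId":"AKIAEXAMPLEAGENT001"},"requestParameters":{"secretId":"prod/app/db-password"}}
{"eventTime":"2026-01-01T09:00:00Z","eventName":"GetSecretValue","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLEDEPLOY002"},"requestParameters":{"secretId":"prod/app/db-password"}}
{"eventTime":"2026-01-01T11:00:00Z","eventName":"PutObject","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLEDEPLOY002"}}
{"eventTime":"2026-01-01T13:00:00Z","eventName":"PutObject","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLEDEPLOY002"}}
"""

# Assumed naming convention for SSH-key secrets; adjust to your own.
SSH_SECRET = re.compile(r"ssh|private[-_]?key", re.IGNORECASE)


def parse_events(log: str) -> list:
    """Parse newline-delimited JSON events into flat dicts with epoch timestamps."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc).timestamp(),
            "key": rec.get("userIdentity", {}).get("accessKeyId", "unknown"),
            "ip": rec["sourceIPAddress"],
            "name": rec["eventName"],
            "secret_id": rec.get("requestParameters", {}).get("secretId"),
        })
    return events


def fanout_alerts(events: list, window_s: float = 60.0, min_ips: int = 4) -> list:
    """Alert when one identity is used from >= min_ips distinct IPs within window_s."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["key"]].append(e)
    alerts = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        best_ips, best_span = 0, 0.0
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window_s]
            ips = {e["ip"] for e in window}
            if len(ips) > best_ips:
                best_ips, best_span = len(ips), window[-1]["ts"] - start["ts"]
        if best_ips >= min_ips:
            alerts.append({"key": key, "distinct_ips": best_ips, "span_s": best_span})
    return alerts


def intent_alerts(events: list) -> list:
    """Flag GetSecretValue against secrets whose name suggests an SSH key."""
    return [
        {"key": e["key"], "ip": e["ip"], "secret_id": e["secret_id"]}
        for e in events
        if e["name"] == "GetSecretValue" and e["secret_id"] and SSH_SECRET.search(e["secret_id"])
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("fan-out:", fanout_alerts(evs))
    print("intent:", intent_alerts(evs))
```

Keying the window on the access key (or, for the bastion tier, the SSH key fingerprint) is what makes the Workers-style egress pool visible: per-IP counters see one request each, while the identity view sees five addresses in 22 seconds.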

Status

Item                         Reference              Date               Notes
---------------------------  ---------------------  -----------------  --------------------------------------------------
Intrusion observed           Sysdig TRT             2026-05-10         First captured LLM-agent-driven post-exploitation
Sysdig analysis published    Sysdig                 2026-05-26         Four agent signatures, IOCs, recommendations
The Hacker News coverage     THN                    2026-05-29         Independent write-up
CVE-2026-39987               GHSA-2679-6mx9-h9xc    patched in 0.23.0  Pre-auth RCE, marimo ≤ 0.20.4, on CISA KEV
Earlier marimo exploitation  Sysdig                 2026-04            Disclosure-to-exploitation under 10 hours

The headline is not “AI replaced the attacker.” As Sysdig’s Michael Clark put it: “We are watching attackers replace their scripts with AI.” The defensive takeaway is to stop detecting yesterday’s command sequence and start detecting what the attacker is trying to accomplish.

Sources