PERMISSION/PROTOCOL

2026-05-10

Critical · Primary

Sysdig Captures First In-the-Wild LLM Agent Post-Exploitation — marimo CVE to Internal Database Dump in Under One Hour

Sysdig TRT documented the first confirmed LLM-agent-driven intrusion: the attacker used CVE-2026-39987 in marimo to reach AWS credentials and dump an internal PostgreSQL database in under 60 minutes.

Attacker-controlled LLM Agent / marimo
Credential exposure
LLM-agent-driven lateral movement / credential pivot / database exfiltration
marimo notebook server / AWS Secrets Manager / SSH bastion / internal PostgreSQL database

What happened

The attacker exploited CVE-2026-39987 in marimo to harvest cloud credentials, used an LLM agent to replay those credentials through a Cloudflare Workers egress pool to retrieve an SSH key from AWS Secrets Manager, then drove eight parallel SSH sessions against a downstream bastion to dump an internal PostgreSQL database.

Why it matters

Full schema and contents of internal PostgreSQL database exfiltrated in under two minutes during the bastion phase. Tables dumped included api_key, credential, user, variable, flow, and message. The attacker's LLM inferred the schema shape from contextual signals without prior knowledge of the target database.

Missing authorization check

A PP-style authorization gate on AWS Secrets Manager access, requiring a signed receipt that names the specific secret, the requesting agent identity, and the permitted purpose. Without such a gate, any caller with valid (even stolen) credentials can retrieve the key.

Would PP block it?

PP gates authorized agents' access to credential material through signed receipts naming the agent identity, secret scope, and authorized purpose. In this attack, the credential pivot succeeds because AWS Secrets Manager validated only that the caller possessed valid credentials — not that the caller was a permitted agent acting within a sanctioned policy. PP's Credential Gate would require the secretsmanager:GetSecretValue call to present a signed authorization receipt; the attacker's LLM agent cannot obtain one from the victim's PP deployment, breaking the lateral movement chain at the credential retrieval step.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-05-10 18:23 UTC — Attacker opens first WebSocket to vulnerable marimo instance; interactive command (id) fired one second later
  2. 2026-05-10 18:24 UTC — Credential harvest begins: /app/.env, /etc/environment, ~/.aws/credentials enumerated
  3. 2026-05-10 19:26 UTC — First AWS API call (sts:GetCallerIdentity) using harvested key; 12 secretsmanager:GetSecretValue calls fanned across 11 Cloudflare Worker IPs in 22 seconds
  4. 2026-05-10 19:30 UTC — First SSH authentication on bastion using retrieved key
  5. 2026-05-10 19:30–19:32 UTC — Eight parallel SSH sessions dump host config and full PostgreSQL database contents in under two minutes

Technical breakdown

  • CVE-2026-39987 provides RCE via the marimo notebook terminal WebSocket endpoint — the same vector Sysdig profiled in prior campaigns, but the first observed with LLM-agent-driven post-exploitation.
  • LLM agent confirmed by four behavioral signatures: improvised PostgreSQL dump against an unidentified target; planning comment in Chinese leaking into the command stream; command shapes built for machine consumption; value handoffs lifted from prior tool output.
  • Cloudflare Workers used as a per-request egress pool: 12 AWS API calls fanned across 11 distinct IPs in 22 seconds, defeating source-IP correlation in AWS CloudTrail and on-premises log correlation.
  • Attacker's LLM inferred a 'langflow-shaped' database from hostname alone and included a credential table not present in any tagged langflow release — demonstrating LLM-augmented schema inference from minimal context.
  • Full kill chain — RCE to internal database dump — completed in under one hour, illustrating how LLM agents compress post-exploitation timelines from days to minutes.
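As an added illustration (not Sysdig's or PP's code), the following Python shows one detection approach for the egress-pool bullet above: instead of correlating on source IP, group GetSecretValue calls by the access key that made them and alert when one key fans out across many source addresses inside a short window. The CloudTrail records below are constructed to mirror the reported 12-calls-over-11-IPs pattern; field names follow CloudTrail's (eventTime, eventName, sourceIPAddress, userIdentity.accessKeyId), but the key ids, addresses and timestamps are invented.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records modelled on the reported pattern: one harvested access key
# calling GetSecretValue 12 times from 11 distinct egress IPs within 22 seconds. The key ids,
# addresses (RFC 5737 documentation ranges) and timestamps are invented for this example.
SAMPLE_EVENTS = [json.dumps(e) for e in
    [{"eventTime": f"2026-05-10T19:26:{10 + 2 * i:02d}Z", "eventSource": "secretsmanager.amazonaws.com",
      "eventName": "GetSecretValue", "sourceIPAddress": f"203.0.113.{i % 11 + 1}",
      "userIdentity": {"accessKeyId": "AKIAEXAMPLEHARVESTED"}} for i in range(12)]
    + [{"eventTime": "2026-05-10T19:26:08Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.1",
        "userIdentity": {"accessKeyId": "AKIAEXAMPLEHARVESTED"}},
       # A normal workload: one call, one IP, its own key. Must not be flagged.
       {"eventTime": "2026-05-10T19:26:31Z", "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"accessKeyId": "AKIAEXAMPLELEGIT"}}]]


def parse_event(line: str) -> dict:
    e = json.loads(line)
    return {"t": datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "name": e["eventName"], "ip": e["sourceIPAddress"],
            "key": e.get("userIdentity", {}).get("accessKeyId", "")}


def detect_egress_fanout(lines, window_s=60, min_calls=5, min_ips=3, event_name="GetSecretValue"):
    """Return {accessKeyId: (calls, distinct_ips)} for every key whose event_name calls, within
    some window of window_s seconds, number at least min_calls and come from at least min_ips
    distinct source addresses. Pivoting on the access key (an identity) instead of the source
    IP is what makes a per-request egress pool visible rather than invisible."""
    by_key = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["name"] == event_name:
            by_key[ev["key"]].append(ev)
    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["t"])
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["t"] - start["t"] <= timedelta(seconds=window_s)]
            ips = {e["ip"] for e in window}
            if len(window) >= min_calls and len(ips) >= min_ips:
                hits[key] = (len(window), len(ips))
                break  # first qualifying window is enough to alert on this key
    return hits
```

The thresholds are starting points; tune min_ips against how many egress addresses your own workloads legitimately use.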

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Credential Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

  • If enforced at: Credential Gate. secretsmanager:GetSecretValue and any retrieval of SSH keys, database credentials, or API secrets would require a PP-signed receipt naming the authorized agent and permitted use.
  • Still needs: Initial RCE via CVE-2026-39987 in marimo (PP does not provide vulnerability or network-layer protection), and post-retrieval SSH session commands once the key is already in attacker hands.
  • Receipt required for: Retrieval of the SSH private key from AWS Secrets Manager; access to .env files or cloud credential stores on a compromised host; any database credential access by non-human callers.

The initial RCE via CVE-2026-39987 is outside PP scope. However, the critical pivot — the attacker's LLM agent calling secretsmanager:GetSecretValue to retrieve the SSH private key — is precisely what PP's Credential Gate enforces. If retrieving that secret required a PP-signed receipt, the lateral movement chain breaks at step 3.
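To make the receipt check concrete, here is an added illustration (not PP's own protocol or code) of how a gate in front of secretsmanager:GetSecretValue could bind a signed receipt to one secret, one agent identity and one purpose, as described in the "Would PP block it?" and "Authorization boundary" sections. The receipt format, the HMAC signer key and the secret and agent names are constructed assumptions; a real deployment would verify with the signer's public key rather than a shared secret.

```python
import hashlib
import hmac
import json

# Constructed signer key for this illustration only; in practice the signer holds a private key
# and the gate verifies with the public half, so a compromised gate host cannot mint receipts.
SIGNER_KEY = b"example-signer-key-do-not-use"
RECEIPT_FIELDS = ("secret_id", "agent_id", "purpose", "expires_at")


def canonical(fields: dict) -> bytes:
    # Stable serialization so signer and gate hash exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(secret_id: str, agent_id: str, purpose: str, ttl_s: int, now: float) -> dict:
    # Signer side: a policy-approved signer binds one secret, one agent, one purpose, short lifetime.
    fields = {"secret_id": secret_id, "agent_id": agent_id, "purpose": purpose,
              "expires_at": int(now + ttl_s)}
    sig = hmac.new(SIGNER_KEY, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "sig": sig}


def gate_get_secret_value(secret_id: str, agent_id: str, purpose: str, receipt, now: float):
    """Gate side, evaluated before the call reaches Secrets Manager.

    Returns (allowed, reason). Possession of valid AWS credentials is not consulted at all:
    the decision rests entirely on a receipt the signer issued for this exact action."""
    if receipt is None:
        # The incident's case: a caller with harvested credentials but no signer involvement.
        return False, "no receipt"
    fields = {k: receipt.get(k) for k in RECEIPT_FIELDS}
    expected = hmac.new(SIGNER_KEY, canonical(fields), hashlib.sha256).hexdigest()
    # Verify the signature before trusting any field; compare_digest avoids timing leaks.
    if not hmac.compare_digest(expected, receipt.get("sig", "")):
        return False, "bad signature"
    if fields["secret_id"] != secret_id:
        return False, "receipt names a different secret"
    if fields["agent_id"] != agent_id:
        return False, "receipt names a different agent"
    if fields["purpose"] != purpose:
        return False, "purpose not authorized"
    if now >= fields["expires_at"]:
        return False, "receipt expired"
    return True, "allowed"
```

A receipt for the bastion key cannot be replayed against a database secret, and editing any field invalidates the signature, which is what makes the gate a per-action boundary rather than a per-credential one.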

Start small

Put the relevant gate at this action boundary.

This incident maps to Credential Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
