Published on May 29, 2026

Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit


Severity
Medium

Detail

Attackers exploited a publicly exposed Marimo notebook using CVE-2026-39987, a critical remote code execution vulnerability, to gain initial access to the system. After compromising the host, they used an LLM/AI agent to assist with post-exploitation activities such as credential discovery, cloud service access, SSH key retrieval, lateral movement, and database dumping. The threat actor did not rely only on fixed commands but appeared to adapt to the environment and to command results, which made the intrusion faster, more flexible, and harder to detect using traditional static indicators.

How?

The attack worked in several stages. First, the attacker exploited the vulnerable Marimo service to execute commands on the host. Next, they searched common locations for sensitive files, including environment variables, AWS credentials, SSH keys, PostgreSQL configuration files, and other secrets. After obtaining AWS credentials, they accessed AWS APIs and retrieved an SSH private key from AWS Secrets Manager. The attacker then used this key to connect to a downstream bastion server, moved deeper into the internal environment, discovered PostgreSQL database access details, enumerated the database schema, and dumped sensitive tables. The LLM agent helped by interpreting command output, choosing the next action, suppressing unnecessary errors, and adjusting the attack flow dynamically.

Conclusion

This incident highlights the growing risk of AI-assisted post-exploitation, where attackers can use LLM agents to speed up reconnaissance, credential harvesting, lateral movement, and data exfiltration after initial compromise. For SOC teams, detection should focus on suspicious behavior such as unusual access to secrets, unexpected AWS API calls, new SSH key usage, lateral movement through bastion servers, and sudden database enumeration or dumping. Organizations using Marimo should upgrade to a fixed version, avoid exposing notebook services publicly, restrict terminal access, rotate potentially exposed credentials, and strengthen runtime and cloud activity monitoring.
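
One way to implement the "unusual access to secrets" and "unexpected AWS API calls" checks named above, as an added example that is not from the original report: the Python below scans CloudTrail-style records for GetSecretValue calls on secrets a principal has never read before, and raises severity when discovery calls by the same principal came shortly before. The baseline, the discovery-call set, the 10-minute window, and all role names, secret names and IPs are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Calls that often precede a secret read when a stolen credential is being
# explored. This set and the 10-minute window are assumptions to tune.
DISCOVERY_CALLS = {"GetCallerIdentity", "ListSecrets", "DescribeSecret"}
WINDOW = timedelta(minutes=10)

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious_secret_reads(events, baseline):
    """Flag GetSecretValue on a secret the principal has never read before.
    Severity is 'high' when discovery calls by the same principal came first."""
    alerts, discovery = [], {}
    for ev in sorted(events, key=lambda e: _ts(e["eventTime"])):
        arn, when = ev["userIdentity"]["arn"], _ts(ev["eventTime"])
        if ev["eventName"] in DISCOVERY_CALLS:
            discovery.setdefault(arn, []).append(when)
            continue
        if (ev["eventSource"], ev["eventName"]) != ("secretsmanager.amazonaws.com", "GetSecretValue"):
            continue
        secret = (ev.get("requestParameters") or {}).get("secretId")
        if secret in baseline.get(arn, set()):
            continue  # routine read already seen for this workload
        primed = any(timedelta(0) <= when - t <= WINDOW for t in discovery.get(arn, []))
        alerts.append({"principal": arn, "secret": secret,
                       "sourceIP": ev["sourceIPAddress"],
                       "severity": "high" if primed else "medium"})
    return alerts

def _event(time, source, name, arn, ip, secret=None):
    # Builds a record with only the CloudTrail fields this check reads.
    return {"eventTime": time, "eventSource": source + ".amazonaws.com",
            "eventName": name, "sourceIPAddress": ip, "userIdentity": {"arn": arn},
            "requestParameters": {"secretId": secret} if secret else None}

# Constructed sample data: role names, secret names and IPs are placeholders.
NOTEBOOK = "arn:aws:sts::111122223333:assumed-role/notebook-role/session"
CI = "arn:aws:sts::111122223333:assumed-role/ci-role/session"
BASELINE = {NOTEBOOK: {"app/db-password"}}
SAMPLE_EVENTS = [
    _event("2026-05-20T10:00:00Z", "secretsmanager", "GetSecretValue", NOTEBOOK, "10.0.1.5", "app/db-password"),
    _event("2026-05-20T10:05:10Z", "sts", "GetCallerIdentity", NOTEBOOK, "10.0.1.5"),
    _event("2026-05-20T10:05:40Z", "secretsmanager", "ListSecrets", NOTEBOOK, "10.0.1.5"),
    _event("2026-05-20T10:06:05Z", "secretsmanager", "GetSecretValue", NOTEBOOK, "10.0.1.5", "bastion/ssh-key"),
    _event("2026-05-20T11:00:00Z", "secretsmanager", "GetSecretValue", CI, "10.0.2.9", "ci/token"),
]

if __name__ == "__main__":
    for alert in find_suspicious_secret_reads(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

The check keys on what a principal does rather than on its source address, so the read of the new secret is flagged even though every notebook-role call in the sample comes from the same IP.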

Source

https://thehackernews.com/2026/05/attackers-use-llm-agent-for-post.html