Marimo CVE-2026-39987: Unauthenticated RCE Weaponized for Post-Exploitation via LLM-Driven Lateral Movement

Date: 2026-05-30
Tags: prompt-injection, malware

Executive Summary

An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after gaining initial access by exploiting a recently disclosed vulnerability in a publicly accessible Marimo notebook. The attack demonstrates a novel operational pattern in which an LLM agent autonomously executes multi-stage lateral movement and credential harvesting after RCE, representing a shift in post-exploitation tradecraft.

Campaign Summary

| Field | Detail |
| --- | --- |
| Campaign / Malware | Unknown (CVE-2026-39987 Exploitation Campaign) |
| Attribution | Unknown Threat Actor (confidence: low) |
| Target | Organizations with internet-exposed Marimo notebook servers; data science teams and research organizations |
| Vector | The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH sessions against a downstream SSH bastion server. |
| Status | active |
| First Observed | 2026-05-29 |

Detailed Findings

An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after gaining initial access by exploiting a recently disclosed vulnerability in a publicly accessible Marimo notebook. Marimo is an interactive Python notebook environment popular in data science and ML research; CVE-2026-39987 is a pre-auth RCE affecting all versions prior to 0.20.4. The novel aspect of this campaign is the use of an LLM agent for post-exploitation automation. After gaining shell access, the attacker used an LLM to reason about extracted cloud credentials, construct valid AWS Secrets Manager queries, and orchestrate SSH lateral movement, all without human intervention. Exfiltration during the bastion phase took two minutes. This represents a shift from LLM-assisted reconnaissance (which has been documented since early 2026) to LLM-driven autonomous post-exploitation.

MITRE ATT&CK Mapping

| Technique | ID | Context |
| --- | --- | --- |
| Exploit Public-Facing Application | T1190 | CVE-2026-39987 RCE in publicly accessible Marimo notebook server |
| Unsecured Credentials | T1552 | Cloud credentials and SSH keys extracted from compromised host environment |
| Cloud Account Access via Stolen Credentials | T1550 | Credentials replayed against AWS Secrets Manager and SSH infrastructure |
| Lateral Tool Transfer | T1570 | LLM agent orchestrates multi-stage access chain across cloud and on-premises systems |

IOCs

Domains

_No IOCs published by Sysdig in incident disclosure; infrastructure details redacted._

Full URL Paths

_No IOCs published by Sysdig in incident disclosure; infrastructure details redacted._

Splunk Format

_No IOCs available for Splunk query_

Detection Recommendations

Restrict public internet access to Marimo notebook servers; deploy Marimo exclusively in authenticated, VPN-gated environments or private cloud networks. Patch immediately to Marimo 0.20.4 or later. Monitor for suspicious LLM-driven post-exploitation patterns: repeated AWS Secrets Manager queries after credential extraction, multi-stage SSH connections with non-human session timing, or scripts that auto-generate cloud API calls based on extracted credentials. Implement API rate limiting and anomaly detection on cloud credential usage (especially Secrets Manager and SSM Parameter Store). Audit CloudTrail logs for unusual AssumeRole calls or GetSecretValue calls from compromised application servers.
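
One way to run the CloudTrail audit recommended above, as an added example (not from Sysdig's disclosure or this page's author): it flags access keys whose GetSecretValue or AssumeRole calls arrive from several non-baseline source IPs inside a short window, the footprint that replaying a stolen credential through a fanned-out egress pool would leave. The sample records, key IDs, baseline map and thresholds are constructed assumptions; only the CloudTrail field names are real.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SM, STS = "secretsmanager.amazonaws.com", "sts.amazonaws.com"
WATCHED = {(SM, "GetSecretValue"), (STS, "AssumeRole")}  # calls named above
NB, JOB = "ASIAEXAMPLENOTEBOOK1", "ASIAEXAMPLEBATCHJOB2"  # placeholder key IDs

def _ev(time, source, name, ip, key):
    """Build a constructed record holding only the CloudTrail fields read here."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

# Constructed sample records (not incident data); documentation IP ranges.
SAMPLE_EVENTS = [
    _ev("2026-01-01T10:00:00Z", SM, "GetSecretValue", "198.51.100.10", NB),
    _ev("2026-01-01T10:05:10Z", SM, "ListSecrets", "203.0.113.5", NB),
    _ev("2026-01-01T10:05:20Z", SM, "GetSecretValue", "203.0.113.17", NB),
    _ev("2026-01-01T10:05:40Z", STS, "AssumeRole", "203.0.113.88", NB),
    _ev("2026-01-01T10:06:05Z", SM, "GetSecretValue", "192.0.2.44", NB),
    _ev("2026-01-01T10:07:00Z", SM, "GetSecretValue", "192.0.2.91", JOB),
]
# Assumption: the expected egress address for each credential is known.
BASELINE = {NB: {"198.51.100.10"}, JOB: {"198.51.100.20"}}

def find_fanned_out_keys(events, baseline, window=timedelta(minutes=10), min_ips=3):
    """Map access key ID -> unexpected source IPs, for keys whose watched calls
    came from at least min_ips non-baseline addresses inside one window."""
    calls = defaultdict(list)
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) not in WATCHED:
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId")
        ip = ev.get("sourceIPAddress")
        if not key or not ip or ip in baseline.get(key, set()):
            continue  # unattributable record, or the credential's normal origin
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        calls[key].append((when, ip))
    flagged = {}
    for key, seen in calls.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:  # slide window forward
                start += 1
            ips = {ip for _, ip in seen[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[key] = sorted(ips)
                break
    return flagged
```

A single unexpected address, as with the second sample key, stays below the default threshold; lowering `min_ips` trades more noise for earlier warning.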
