Marimo CVE-2026-39987 Exploited with LLM Agent Post-Exploitation: AI-Driven Lateral Movement and Secrets Harvesting
Date: 2026-06-01
Tags: malware, apt, llmjacking
Executive Summary
CVE-2026-39987 refers to a critical pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including 0.20.4. It allows an unauthenticated attacker to execute arbitrary system commands. The security defect has since come under active exploitation, with threat actors using it to initiate manual reconnaissance against honeypot systems and attempt to harvest sensitive data. The latest activity documented by Sysdig sticks to the same pattern, the primary difference being that an LLM agent was used to drive the post-exploitation activity. The incident, per the cloud security firm, was recorded on May 10, 2026, with the attacker gathering credentials from the environment and then using the harvested AWS access key to perform API calls against AWS Secrets Manager and retrieve an SSH private key. This represents the first documented case of LLM agent-driven post-exploitation automation in a real-world attack.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Marimo RCE + LLM Agent Post-Exploitation |
| Attribution | Unknown; demonstrates advanced operational security and agentic automation (confidence: low) |
| Target | Exposed Marimo instances; organizations with cloud-connected infrastructure |
| Vector | Pre-auth RCE in Marimo; LLM agent automation for credential theft and lateral movement |
| Status | active |
| First Observed | 2026-05-10 |
Detailed Findings
CVE-2026-39987 is a critical pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including 0.20.4. It allows an unauthenticated attacker to execute arbitrary system commands. The issue was addressed in version 0.23.0, released last month.

The sign of an agent at work is that value handoffs are obtained from prior tool output. In other words, the manner in which certain values, say, database passwords, were extracted implies an AI agent feeding its own previous output (from running a cat command on the "~/.pgpass" file) into the next action. In another instance, a cat command that prints the contents of a specific file ("cat ~/.ssh/id_ed25519") is preceded by an ls ("list") command that takes the same file pattern as input ("ls -la ~/.ssh/id_ed25519*") to confirm that the SSH key exists.

When a scripted operator builds a per-target playbook and reuses it, the bar to adding a new target is engineering time. An agent operator, however, carries general priors about a class of applications and composes the chain live to best fit its target. Here, the bar becomes inference budget, not playbook authorship.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Remote Code Execution | T1190 | Pre-auth RCE via Marimo CVE-2026-39987 unauthenticated endpoint |
| Credential Dumping / Secrets Harvesting | T1555 | LLM agent automated extraction of SSH keys, database credentials, AWS secrets via file enumeration |
| Cloud Credential Theft | T1528 | Harvested AWS credentials used for API calls to AWS Secrets Manager and credential services |
| Lateral Movement via Stolen Credentials | T1550.001 | LLM agent using stolen SSH keys and AWS credentials for internal/cloud lateral movement |
IOCs
Domains
_Specific IOCs not disclosed; attack details inferred from Sysdig analysis of honeypot instrumentation_
Full URL Paths
_Specific IOCs not disclosed; attack details inferred from Sysdig analysis of honeypot instrumentation_
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
Marimo (vulnerable versions 0.20.4 and prior)
Detection Recommendations
- Monitor for and block unauthenticated access to Marimo instances.
- Implement network segmentation isolating Marimo from credential stores and cloud infrastructure.
- Monitor LLM API usage patterns for large numbers of sequential command executions (especially file enumeration patterns like ls followed by cat for .ssh, .pgpass, environment variable dumps).
- Alert on AWS Secrets Manager API calls originating from Marimo or adjacent infrastructure.
- Implement file access controls preventing arbitrary read of ~/.ssh and ~/.pgpass from application processes.
- Patch Marimo to version 0.23.0 or later immediately.
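
The ls-followed-by-cat pattern on credential files can be matched over process-execution telemetry. The Python below is an added example, not code from Sysdig or the Marimo project; the event tuple layout, the `origin` grouping key, the 60-second window and the `~/.aws/credentials` path are assumptions, and the sample events are constructed.

```python
import re
import shlex
from collections import defaultdict

# Credential paths named in the report, plus ~/.aws/credentials (added assumption).
SENSITIVE = re.compile(r"\.ssh/|\.pgpass|\.aws/credentials")
WINDOW_SECONDS = 60  # assumed correlation window between the probe and the read

# Constructed exec events: (epoch seconds, origin, command line). "origin" is an
# assumed grouping key such as the container ID or the notebook server's PID.
SAMPLE_EVENTS = [
    (1000, "marimo-a", "ls -la ~/.ssh/id_ed25519*"),
    (1004, "marimo-a", "cat ~/.ssh/id_ed25519"),
    (1010, "marimo-a", "cat ~/.pgpass"),
    (1020, "batch-b", "ls -la /var/log"),
    (1025, "batch-b", "cat /var/log/syslog"),
    (2000, "marimo-c", "ls ~/.ssh/id_rsa"),
    (2500, "marimo-c", "cat ~/.ssh/id_rsa"),  # read long after the probe
]


def sensitive_args(cmdline, tool):
    """Return the sensitive path arguments if cmdline runs `tool`, else []."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: skip rather than crash the pipeline
        return []
    if not argv or argv[0].rsplit("/", 1)[-1] != tool:
        return []
    return [a.rstrip("*") for a in argv[1:]
            if not a.startswith("-") and SENSITIVE.search(a)]


def detect(events, window=WINDOW_SECONDS):
    """Flag every sensitive read; mark those preceded by an ls of the same path."""
    probes = defaultdict(list)  # origin -> [(path prefix, time of ls)]
    alerts = []
    for ts, origin, cmd in sorted(events):
        probes[origin] += [(p, ts) for p in sensitive_args(cmd, "ls")]
        for path in sensitive_args(cmd, "cat"):
            chained = any(path.startswith(p) and ts - t <= window
                          for p, t in probes[origin])
            alerts.append({"time": ts, "origin": origin, "path": path,
                           "rule": "ls_then_cat" if chained else "sensitive_read"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Every read of a credential path is reported; the `ls_then_cat` rule marks the subset where the same origin probed the path shortly beforehand, which is the confirm-then-read behaviour described in the findings.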
References
- [The Hacker News] Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit (2026-05-31) — https://thehackernews.com/2026/05/attackers-use-llm-agent-for-post.html
- [Sysdig] Marimo CVE-2026-39987 Analysis (2026-05-31) — https://www.sysdig.com/blog/marimo-cve-2026-39987