Marimo CVE-2026-39987 Exploited by LLM Agent for Post-Compromise Cloud Credential Theft and Lateral Movement
Date: 2026-06-12
Tags: malware, prompt-injection
Executive Summary
An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly-accessible Marimo network. The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH sessions against a downstream SSH bastion server. This represents one of the first documented cases of LLM agents autonomously conducting multi-stage post-exploitation workflows without human direction between steps.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Marimo RCE → LLM Agent Post-Exploitation Chain |
| Attribution | Unknown (unattributed threat actor) (confidence: none) |
| Target | Organizations running exposed Marimo notebook instances in cloud environments |
| Vector | CVE-2026-39987 pre-authenticated RCE + autonomous LLM agent orchestration |
| Status | active |
| First Observed | 2026-05-31 |
Detailed Findings
CVE-2026-39987 refers to a critical pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including 0.20.4. The post-compromise workflow demonstrates orchestration: initial RCE → credential extraction from environment → AWS API calls via stolen credentials → Secrets Manager key retrieval → SSH lateral movement. This attack chain bypasses traditional endpoint defenses by using cloud-native APIs (AWS Secrets Manager) accessed through legitimate credentials, leaving minimal forensic evidence.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Exploit Public-Facing Application | T1190 | CVE-2026-39987 RCE in Marimo pre-auth endpoint |
| Unsecured Credentials | T1552.001 | Cloud credentials extracted from compromised Marimo environment |
| Lateral Movement | T1021.004 | SSH sessions via stolen AWS private key against bastion |
IOCs
Domains
_Sysdig disclosed incident details; specific C2/actor infrastructure not published_
Full URL Paths
_Sysdig disclosed incident details; specific C2/actor infrastructure not published_
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
marimo (versions <= 0.20.4)Detection Recommendations
Identify and isolate exposed Marimo instances (should not be internet-accessible); apply CVE-2026-39987 patches immediately (version > 0.20.4); monitor AWS CloudTrail for unauthorized Secrets Manager API calls from development/notebook environments; establish network segmentation preventing notebook VPC egress to production bastions; track LLM API usage in post-compromise forensics; implement credential rotation policies for cloud service accounts used in development notebooks.
References
- [The Hacker News] Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit (2026-06-04) — https://thehackernews.com/2026/05/attackers-use-llm-agent-for-post.html
- [Sysdig] LLM Agent Post-Compromise Exploitation via Marimo CVE-2026-39987 (2026-06-01) — https://www.sysdig.com/blog