ctipilot.ch

Sysdig first observed LLM-agent-driven intrusion via CVE-2026-39987

incident · item:sysdig-trt-llm-agent-driven-intrusion-marimo-cve-2026-39987

Coverage timeline: 1 (first 2026-05-30 → last 2026-05-30)
Briefs: 1 (1 distinct)
Sources cited: 2 (2 hosts)
Sections touched: 1 (research)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-30 · CTI Daily Brief — 2026-05-30
    research · Sysdig TRT; Marimo RCE to DB exfiltration in 4 pivots under 1 hour

Where this entity is cited

  • research: 1

Source distribution

  • sysdig.com: 1 (50%)
  • thehackernews.com: 1 (50%)

Related entities

Items in briefs about Sysdig first observed LLM-agent-driven intrusion via CVE-2026-39987 (1)

Sysdig TRT: first observed LLM-agent-driven post-exploitation — CVE-2026-39987 Marimo notebook RCE to database exfiltration in 4 pivots under one hour

From CTI Daily Brief — 2026-05-30 · published 2026-05-30

Sysdig's Threat Research Team documented what they assess as the first in-the-wild LLM-agent-driven intrusion, observed on 10 May 2026 (Sysdig TRT, 2026-05-26; The Hacker News, 2026-05-29). Initial access: exploitation of CVE-2026-39987, a pre-auth RCE in Marimo notebook < 0.20.4 (patched in 0.23.0) on an internet-accessible instance (T1190).

An AI agent then drove four autonomous pivots:

  1. extracted two cloud credentials from the host filesystem (T1552.001);
  2. replayed them via a Cloudflare Workers egress pool to call AWS Secrets Manager APIs and retrieve an SSH private key (T1555);
  3. executed eight parallel SSH sessions against a downstream bastion (T1021.004);
  4. exfiltrated the full schema and contents of a downstream PostgreSQL database within two minutes (T1048).

Sysdig identified LLM agent involvement from four artefacts: improvised schema discovery without environmental foreknowledge; a Chinese-language planning comment in the command stream ("看还能做什么" — "See what else we can do"); machine-optimised command formatting (delimiter-separated, bounded output, stderr discarded, less disabled); and sequential hand-off of output values as inputs to subsequent commands. Cloudflare Workers obscured the origin IP. No attribution was made.

Defender countermeasures: update Marimo to ≥ 0.23.0; restrict internet-accessible notebook deployments; monitor AWS CloudTrail for Secrets Manager GetSecretValue calls from unexpected IPs; restrict SSH bastion access to known CIDR ranges.
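The CloudTrail countermeasure above, sketched as an added example that is not part of the brief or of Sysdig's tooling: it filters CloudTrail records for Secrets Manager GetSecretValue calls whose sourceIPAddress falls outside an allowlist, including denied attempts. The CIDRs, principal, secret names and log records are constructed placeholders.

```python
import ipaddress
import json

# Assumption: CIDRs your workloads are expected to call AWS from (placeholder values).
EXPECTED_CIDRS = [ipaddress.ip_network(c) for c in ("10.20.0.0/16", "198.51.100.0/24")]
SM = "secretsmanager.amazonaws.com"

def _rec(name, src, time, secret=None, error=None):
    """Build one constructed CloudTrail record using real CloudTrail field names."""
    rec = {"eventSource": SM, "eventName": name, "sourceIPAddress": src, "eventTime": time,
           "userIdentity": {"arn": "arn:aws:iam::111122223333:user/notebook-svc"},
           "requestParameters": {"secretId": secret} if secret else None}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample log: documentation IP ranges, made-up principal and secret names.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("GetSecretValue", "10.20.3.4", "2026-01-01T10:00:00Z", "app/db-password"),
    _rec("ListSecrets", "203.0.113.77", "2026-01-01T10:01:00Z"),
    _rec("GetSecretValue", "203.0.113.77", "2026-01-01T10:01:05Z", "ops/bastion-ssh-key"),
    _rec("GetSecretValue", "cloudformation.amazonaws.com", "2026-01-01T10:02:00Z", "app/db-password"),
    _rec("GetSecretValue", "2001:db8::5", "2026-01-01T10:03:00Z", "app/db-password", "AccessDenied"),
]})

def classify_source(source):
    """Return 'expected', 'unexpected' or 'aws-service' for a sourceIPAddress value."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        # CloudTrail records a service DNS name when an AWS service makes the call.
        return "aws-service" if source.endswith(".amazonaws.com") else "unexpected"
    return "expected" if any(addr in net for net in EXPECTED_CIDRS) else "unexpected"

def find_unexpected_secret_reads(log_text):
    """List GetSecretValue calls (allowed or denied) made from outside EXPECTED_CIDRS."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != SM or rec.get("eventName") != "GetSecretValue":
            continue
        if classify_source(rec.get("sourceIPAddress", "")) != "unexpected":
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "source": rec.get("sourceIPAddress"),
            "principal": rec.get("userIdentity", {}).get("arn"),
            "secret": (rec.get("requestParameters") or {}).get("secretId"),
            "denied": "errorCode" in rec,  # a denied read from an unknown IP is still signal
        })
    return findings
```

Because the brief notes that the credentials were replayed through a Cloudflare Workers egress pool, an allowlist of expected sources is what makes this check work; a blocklist of known-bad IPs would not.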