Sysdig Documents First Autonomous Attack by AI Agent: CVE-2026-39987 on Marimo Exposed in 4 Steps

Sysdig's Threat Research Team reported the first autonomous intrusion conducted by an LLM agent: via CVE-2026-39987 on Marimo (CVSS 9.3), the attacker exfiltrated a PostgreSQL database in under an hour, without pre-written scripts.
Sysdig's Threat Research Team (TRT) published a report on Thursday detailing what the team records as the first autonomous intrusion conducted by an LLM agent: starting from a critical pre-authentication remote code execution vulnerability in Marimo, an unknown attacker accessed an internal PostgreSQL database in four consecutive steps, completing the cycle in under an hour. The Sysdig TRT did not publicly disclose the organisation in whose environment the attack was detected.
CVE-2026-39987: CVSS 9.3, authentication completely absent
CVE-2026-39987, assigned by GitHub Security Lab with a CVSS v4.0 score of 9.3, resides in the WebSocket endpoint /terminal/ws of Marimo. While other endpoints in the framework correctly call validate_auth(), /terminal/ws only validates the execution mode and platform support, completely ignoring authentication. A single unauthenticated HTTP request grants full PTY shell access. All versions up to and including 0.20.4 are vulnerable; the fix was made available in version 0.23.0, released in April. The vulnerability was exploited within ten hours of the advisory's publication on 8 April 2026 (GHSA-2679-6mx9-h9xc), and CISA added the CVE to the KEV catalogue on 23 April, with a remediation deadline of 7 May for U.S. federal agencies.
The Four Documented Steps
The incident was captured on 10 May 2026 by Sysdig TRT sensors. The attacker followed this sequence: it compromised an internet-accessible Marimo notebook through CVE-2026-39987, gaining immediate shell access; extracted two pairs of cloud credentials from the compromised process; queried AWS Secrets Manager with the AWS keys, through an egress pool of distinct IPs, to recover a private SSH key; and opened eight short SSH sessions against a downstream bastion server. During the bastion phase, the complete schema and contents of an internal PostgreSQL database were exfiltrated in under two minutes. The entire sequence lasted less than an hour.
Four Indicators That Identified the AI Agent
The agent dumped the database without any prior knowledge of the schema, enumerating tables and immediately targeting a missing credentials table in the application whose schema resembled it, which Sysdig TRT interprets as real-time reasoning from general knowledge rather than pre-collected intelligence. An internal comment in Chinese, "看还能做什么" (translated: "let's see what else we can do"), leaked directly into the command flow and was dispatched from six different IPs at a sub-millisecond cadence, a rate impossible for a human operator. Each command was crafted for machine consumption: "---" separators, limited output capture, and systematic discarding of stderr to minimise parsing noise. The database password was read from the .pgpass file moments before it was used, confirming that the agent reasoned about the flow of value between steps rather than executing pre-written logic.
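The indicators above can be turned into a triage heuristic over command audit logs. The following is an added example, not code from Sysdig or Marimo; the record layout, thresholds, function names and sample events are constructed assumptions, and the CJK check is only a narrow stand-in for "prose leaking into the command stream".

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the Sysdig report):
# (timestamp in microseconds, source IP, command text as logged)
EVENTS = [
    (1_000_000, "192.0.2.7", "ls -la /srv/notebooks"),
    (4_200_000, "192.0.2.7", "vim report.py"),
    (9_000_000, "203.0.113.1", "echo ---; id 2>/dev/null | head -n 1"),
    (9_400_000, "203.0.113.2", "echo ---; ls /home 2>/dev/null | head -n 20"),
] + [(9_500_000 + i * 150, f"203.0.113.{i + 1}", "看还能做什么") for i in range(6)]

# Formatting habits the article lists as machine-oriented.
MARKERS = {
    "separator": re.compile(r"echo\s+['\"]?-{3}"),
    "stderr_discard": re.compile(r"2>\s*/dev/null"),
    "output_cap": re.compile(r"\|\s*(?:head|tail)\s+-(?:n\s*)?\d+"),
}
CJK = re.compile(r"[\u4e00-\u9fff]")  # narrow heuristic for leaked prose

def marker_hits(cmd):
    return sorted(name for name, rx in MARKERS.items() if rx.search(cmd))

def burst_groups(events, window_us=1000, min_ips=3):
    """Identical text sent from >= min_ips distinct IPs inside one window."""
    by_cmd = defaultdict(list)
    for ts, ip, cmd in events:
        by_cmd[cmd].append((ts, ip))
    bursts = {}
    for cmd, hits in by_cmd.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ips = {ip for ts, ip in hits[i:] if ts - start <= window_us}
            if len(ips) >= min_ips:
                bursts[cmd] = sorted(ips)
                break
    return bursts

def assess(events):
    result = {
        "machine_formatted": sum(len(marker_hits(c)) >= 2 for _, _, c in events),
        "text_leaks": sum(bool(CJK.search(c)) for _, _, c in events),
        "bursts": burst_groups(events),
    }
    # Require two independent indicator types before flagging the session.
    kinds = sum(bool(result[k]) for k in ("machine_formatted", "text_leaks", "bursts"))
    result["likely_automated"] = kinds >= 2
    return result

if __name__ == "__main__":
    print(assess(EVENTS))
```

Any single marker also appears in ordinary admin scripts, which is why the verdict requires at least two indicator types; the multi-IP burst is the one with no plausible human explanation.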
Risk Surface in Corporate MLOps Pipelines
Marimo is adopted as a reactive replacement for Jupyter in corporate data science pipelines. Inadvertent exposure to the internet occurs in MLOps deployments on Kubernetes with public LoadBalancer-type services, a configuration documented in model development environments in the financial and telecommunications sectors.
In delivery centres in India, where TCS, Infosys, and Wipro operate tens of thousands of data engineers in shared cloud clusters, an exposed Marimo notebook can serve as an entry point for production credentials of corporate clients. The reliance on AWS Secrets Manager as a repository for privileged access secrets, widely adopted in these environments, is explicitly present in the attack chain documented by Sysdig TRT.
In Europe, where GDPR mandates incident notification within 72 hours of the controller's awareness, MLOps environments running Marimo on affected versions (0.20.4 and earlier) pose direct regulatory risk for firms like Capgemini Engineering and data teams in banks such as Deutsche Bank and ING, which maintain ML centres in Poland, Germany, and the Netherlands.
Immediate Actions
The Sysdig TRT recommends upgrading to Marimo 0.23.0 or later, auditing externally accessible instances, rotating all cloud credentials and SSH keys in environments that ran affected versions, and restricting outbound network traffic from notebook clusters to only the necessary endpoints.
What this incident demonstrates is not just the speed of the attack, but the agent's ability to reason adaptively about a completely unknown environment: with no pre-written scripts and no prior intelligence, only real-time inference at each step. This level of operational autonomy reduces the entry cost for an attacker possessing a frontier language model and a recent CVE.