Sysdig reported an intrusion in which a threat actor exploited CVE-2026-39987 on an internet-exposed marimo notebook server and then used an LLM agent to carry out post-compromise actions. The attacker harvested AWS credentials, retrieved an SSH private key from AWS Secrets Manager, pivoted through a bastion host, and exfiltrated an internal PostgreSQL database in under an hour. Sysdig said the activity appeared agent-driven because commands were generated dynamically from live output, included machine-oriented formatting, and showed evidence of real-time adaptation rather than a fixed script.
The operation also used distributed infrastructure, including Cloudflare Workers, to spread AWS API calls and SSH sessions across multiple source IPs, reducing the effectiveness of IP-based correlation. The incident adds to broader evidence that attackers are operationalizing language models in intrusions: Splunk previously analyzed LAMEHUG, a Windows malware family that uses a Hugging Face-hosted Qwen 2.5-Coder-32B-Instruct model to generate malicious commands for reconnaissance, file theft, and exfiltration over SSH or HTTPS. Defenders were urged to upgrade marimo to 0.23.0 or later, restrict or disable the /terminal/ws endpoint if patching is not possible, rotate exposed credentials and keys, and prioritize behavior-based detection over static signatures.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
Sysdig published research describing the May 10 intrusion as an AI-agent-driven post-exploitation chain, citing real-time improvisation, machine-oriented command formatting, and value handoffs between commands as evidence. It recommended upgrading marimo to version 0.23.0 or later, restricting or disabling the /terminal/ws endpoint if patching is not possible, and rotating exposed credentials and keys.
On May 10, 2026, an attacker exploited CVE-2026-39987 on an internet-exposed marimo notebook server, harvested AWS credentials, retrieved an SSH private key from AWS Secrets Manager, pivoted through a bastion host, and exfiltrated an internal PostgreSQL database. Sysdig said the intrusion completed in under an hour and used Cloudflare Workers IPs to distribute API calls and SSH activity across multiple source addresses.
CISA added Marimo CVE-2026-39987 to its Known Exploited Vulnerabilities catalog on April 23, 2026, reflecting active exploitation of the pre-authentication RCE flaw. The vulnerability affects Marimo versions before 0.23.0 and enables unauthenticated shell access via the /terminal/ws endpoint when edit mode is exposed.
Splunk Threat Research analyzed LAMEHUG's use of the Qwen 2.5-Coder-32B-Instruct model, its reconnaissance and file theft behavior, and its exfiltration methods over SSH or HTTPS. Splunk also released detections for WMIC discovery, service enumeration, file collection, and DNS queries to Hugging Face infrastructure.
CERT-UA identified LAMEHUG in July 2025 as a Windows malware family that uses a Hugging Face-hosted large language model to dynamically generate malicious commands during execution.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
6 references tracked. Mallory keeps watching after this page renders.
thehackernews.com
Open sourcedarkwebinformer.com
Open sourcecybersecuritynews.com
Open sourcewebflow.sysdig.com
Open sourcesysdig.com
Open sourcesplunk.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.