thehackernews.com web signal

Sysdig catches first live LLM attack on AWS database

cybersecurity agents ai-security supply-chain agents

Key insights

  • CVE-2026-39987 in Marimo notebooks allowed pre-auth RCE, giving attackers a credential-free cloud entry point.
  • The LLM agent autonomously completed four lateral movement steps including AWS Secrets Manager extraction in under two minutes.
  • Sysdig's disclosure is the first confirmed case of an AI agent conducting autonomous post-exploitation in a live production attack.

Why this matters

The documented sub-two-minute autonomous lateral movement chain sets a new baseline for how fast AI agents can pivot through cloud infrastructure after initial access, shrinking the defender response window to a timeframe most SOC workflows cannot meet. This case proves threat actors have moved past using AI as a scripting assistant and are now deploying LLM agents as autonomous operators with direct access to credential stores and production databases. Security teams running cloud workloads with secret managers must now model intrusion scenarios where a single exploited notebook or container yields full database exfiltration before a human analyst finishes reviewing the first alert.

Summary

Sysdig's Threat Research Team (TRT) documented the first confirmed live attack in which an LLM agent carried out autonomous post-exploitation. The attackers exploited CVE-2026-39987, a pre-authentication remote code execution flaw in Marimo notebooks, gained a cloud foothold, and then fed stolen AWS credentials directly to an AI agent. The agent ran four pivot steps without human input: credential replay, SSH key retrieval from AWS Secrets Manager, lateral movement through an SSH bastion, and full PostgreSQL database exfiltration. That lateral movement chain completed in under two minutes. In short, Sysdig TRT caught attackers using an LLM as the post-exploitation engine itself, compressing what would normally be a multi-hour manual attack chain into an automated sequence.

  • CVE-2026-39987 provided pre-auth RCE in Marimo notebooks, requiring no credentials for initial access.
  • AWS Secrets Manager became the agent's pivot point once the stolen credentials were in its context.
  • No human attacker input was required between the initial foothold and full database exfiltration.

AI-accelerated attacks have moved from a theoretical threat model to a documented production instance with a measurable clock.

Potential risks and opportunities

Risks

  • Organizations running unpatched Marimo notebook deployments in cloud environments remain directly exposed to CVE-2026-39987, with AWS credential theft and autonomous lateral movement the documented next step.
  • AWS customers treating Secrets Manager as a sufficient credential protection layer now face a validated attack path where agent-driven retrieval bypasses assumed human-in-the-loop controls, requiring architectural reassessment.
  • Security vendors shipping LLM-assisted tools with broad cloud credential access may face accelerated enterprise procurement blocks or policy restrictions as buyers recategorize AI agents as high-risk attack surfaces rather than defensive utilities.

Opportunities

  • Cloud-native runtime detection vendors (Sysdig, Lacework, Wiz) gain immediate sales leverage as enterprises seek threat detection capable of identifying AI-agent lateral movement patterns distinct from normal API call volumes.
  • Identity and secrets management vendors (HashiCorp Vault, CyberArk) have a clear product differentiation window around agent-aware access policies, anomalous retrieval rate detection, and just-in-time credential issuance that degrades agent chaining.
  • Incident response and cloud forensics firms (Mandiant, CrowdStrike Services, Palo Alto Unit 42) are likely to see budget unlocked at organizations auditing their Marimo, Jupyter, and notebook-adjacent deployments for similar CVE exposure in the next 30 to 60 days.
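The chain in the Summary (credential replay, a Secrets Manager read, then pivots into other services inside two minutes) and the "anomalous retrieval rate detection" opportunity above both come down to the same telemetry question: did a credential that just appeared pull a secret and fan out across services faster than any human operator would? The following detector is an added example written for this page, not Sysdig's code or any vendor's product. It assumes CloudTrail-shaped records (`eventTime`, `eventSource`, `eventName`, `sourceIPAddress`, `userIdentity.accessKeyId`, `requestParameters`), models "credential replay" as an `sts:GetCallerIdentity` call, and uses hypothetical thresholds; the sample records and IP addresses are constructed, and the access key ids are AWS's documented example ids, not real credentials.

```python
"""Added example (not Sysdig's code): a minimal CloudTrail burst detector
for the credential-replay -> Secrets Manager -> multi-service pivot pattern
described above. Runs over constructed sample records, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical thresholds; tune them to your own baseline.
WINDOW_SECONDS = 120              # the reported chain finished in under two minutes
MIN_DISTINCT_SERVICES = 3         # sts + secretsmanager + at least one more service
SECRET_READ_EVENTS = {"GetSecretValue", "BatchGetSecretValue"}


def _ts(s):
    """Parse a CloudTrail eventTime string into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_rapid_chains(records, known_ips=frozenset(), window=WINDOW_SECONDS):
    """Group records by access key and flag keys whose first sighting is
    followed, within `window` seconds, by a Secrets Manager read plus calls
    to MIN_DISTINCT_SERVICES or more distinct services."""
    by_key = defaultdict(list)
    for r in records:
        by_key[r["userIdentity"]["accessKeyId"]].append(r)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=lambda r: _ts(r["eventTime"]))
        t0 = _ts(evs[0]["eventTime"])
        # Only the events inside the window after the key's first sighting count.
        burst = [r for r in evs if (_ts(r["eventTime"]) - t0).total_seconds() <= window]
        services = {r["eventSource"] for r in burst}
        secret_reads = [r for r in burst if r["eventName"] in SECRET_READ_EVENTS]
        if secret_reads and len(services) >= MIN_DISTINCT_SERVICES:
            findings.append({
                "accessKeyId": key,
                "elapsed_seconds": (_ts(burst[-1]["eventTime"]) - t0).total_seconds(),
                "services": sorted(services),
                "secrets_read": sorted(r["requestParameters"].get("secretId", "?") for r in secret_reads),
                "unknown_source_ips": sorted({r["sourceIPAddress"] for r in burst} - set(known_ips)),
            })
    return findings


def _rec(t, key, source, name, ip, params=None):
    """Build a CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": t, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params or {}}


# Constructed sample: one benign CI key doing a slow, narrow job, and one key
# showing the burst. Both ids are AWS's documented example key ids, not real credentials.
KNOWN_IPS = frozenset({"198.51.100.10"})
SAMPLE_RECORDS = [
    _rec("2026-04-01T09:00:00Z", "AKIAI44QH8DHBEXAMPLE", "secretsmanager.amazonaws.com",
         "GetSecretValue", "198.51.100.10", {"secretId": "ci/registry-token"}),
    _rec("2026-04-01T09:30:00Z", "AKIAI44QH8DHBEXAMPLE", "ecr.amazonaws.com",
         "GetAuthorizationToken", "198.51.100.10"),
    _rec("2026-04-01T10:00:00Z", "AKIAIOSFODNN7EXAMPLE", "sts.amazonaws.com",
         "GetCallerIdentity", "203.0.113.7"),
    _rec("2026-04-01T10:00:25Z", "AKIAIOSFODNN7EXAMPLE", "secretsmanager.amazonaws.com",
         "GetSecretValue", "203.0.113.7", {"secretId": "prod/bastion/ssh-key"}),
    _rec("2026-04-01T10:00:40Z", "AKIAIOSFODNN7EXAMPLE", "ec2.amazonaws.com",
         "DescribeInstances", "203.0.113.7"),
    _rec("2026-04-01T10:01:30Z", "AKIAIOSFODNN7EXAMPLE", "rds.amazonaws.com",
         "DescribeDBInstances", "203.0.113.7"),
]


def run_sample():
    """Run the detector over the constructed records and return its findings."""
    return detect_rapid_chains(SAMPLE_RECORDS, known_ips=KNOWN_IPS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[ALERT] key {f['accessKeyId']} touched {len(f['services'])} services and read "
              f"{f['secrets_read']} within {f['elapsed_seconds']:.0f}s from {f['unknown_source_ips']}")
```

The benign CI key is not flagged because its activity is spread over half an hour and touches only two services; the second key trips the rule because a secret read and four distinct services all fall within 90 seconds of its first appearance. In production the same logic would run against CloudTrail delivered to a log pipeline, with `known_ips` seeded from the account's historical source addresses and the window and service count tuned to how quickly legitimate automation in that account actually moves.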

What we don't know yet

  • The identity and affiliation of the threat actor, including whether they belong to a known group or operate with state backing, is not addressed in Sysdig's public disclosure.
  • Which LLM and agent framework the attacker used remains unidentified, a gap that limits defenders' ability to build detection signatures targeting the specific tool chain.
  • Whether the victim organization has disclosed the breach to affected users or regulators, and the full scope of exfiltrated PostgreSQL data, is not reported as of Sysdig's release.