thehackernews.com web signal

Sysdig catches first live LLM attack on AWS database

7 sources tracking this story
cybersecurity agents ai-security supply-chain agents

Key insights

  • Sysdig TRT's first-party forensics identify four behavioral signatures that distinguish LLM-driven execution from scripted or human-operated attacks.
  • A leaked Chinese-language planning comment appearing mid-attack confirms the agent was reasoning in real time across a fresh, unseen environment.
  • Twelve AWS API calls distributed across 11 Cloudflare Workers IPs in 22 seconds renders per-source-IP correlation ineffective as a detection signal.

Why this matters

Sysdig TRT's first-party forensic write-up and five independent security outlets all confirm this as the first live intrusion in which an LLM agent ran every post-exploitation step without human command-by-command direction. Four behavioral markers are now consistent forensic signatures of agent-driven attacks: real-time schema improvisation, a leaked Chinese-language planning comment, machine-optimized command formatting, and self-chaining of prior output as input to the next step. TechTimes benchmarks the incident against CrowdStrike's 29-minute average adversary breakout time and an 89% year-over-year rise in AI-enabled attacks, and documents defensive AI counterprograms already underway at Google, OpenAI, and Microsoft. All sources converge on the same operational conclusion: per-source-IP and command-pattern detection are structurally broken by this attack class, and security operations must shift to outcome-based signals for credential access and data movement.

Summary

Sysdig's Threat Research Team documented the first confirmed live attack using an LLM agent for autonomous post-exploitation. Attackers exploited CVE-2026-39987, a pre-auth remote code execution flaw in Marimo notebooks, gained a cloud foothold, then fed stolen AWS credentials directly to an AI agent. The agent ran four pivot steps without human input: credential replay, SSH key retrieval from AWS Secrets Manager, lateral movement through an SSH bastion, and full PostgreSQL database exfiltration. That lateral movement chain completed in under two minutes. Essentially: (Sysdig TRT) caught attackers using an LLM as the post-exploitation engine itself, compressing what would normally be a multi-hour manual attack chain into an automated sequence. - CVE-2026-39987 provided pre-auth RCE in Marimo notebooks, requiring no credentials for initial access. - AWS Secrets Manager became the agent's pivot point once stolen credentials were in its context. - No human attacker input was required between initial foothold and full database exfiltration. AI-accelerated attacks have moved from theoretical threat model to a documented production instance with a measurable clock.

Potential risks and opportunities

Risks

  • Organizations running unpatched Marimo notebook deployments in cloud environments remain directly exposed to CVE-2026-39987, with AWS credential theft and autonomous lateral movement the documented next step.
  • AWS customers treating Secrets Manager as a sufficient credential protection layer now face a validated attack path where agent-driven retrieval bypasses assumed human-in-the-loop controls, requiring architectural reassessment.
  • Security vendors shipping LLM-assisted tools with broad cloud credential access may face accelerated enterprise procurement blocks or policy restrictions as buyers recategorize AI agents as high-risk attack surfaces rather than defensive utilities.

Opportunities

  • Cloud-native runtime detection vendors (Sysdig, Lacework, Wiz) gain immediate sales leverage as enterprises seek threat detection capable of identifying AI-agent lateral movement patterns distinct from normal API call volumes.
  • Identity and secrets management vendors (HashiCorp Vault, CyberArk) have a clear product differentiation window around agent-aware access policies, anomalous retrieval rate detection, and just-in-time credential issuance that degrades agent chaining.
  • Incident response and cloud forensics firms (Mandiant, CrowdStrike Services, Palo Alto Unit 42) are likely to see budget unlocked at organizations auditing their Marimo, Jupyter, and notebook-adjacent deployments for similar CVE exposure in the next 30 to 60 days.

What we don't know yet

  • The identity and affiliation of the threat actor, including whether they belong to a known group or operate with state backing, is not addressed in Sysdig's public disclosure.
  • Which LLM and agent framework the attacker used remains unidentified, a gap that limits defenders' ability to build detection signatures targeting the specific tool chain.
  • Whether the victim organization has disclosed the breach to affected users or regulators, and the full scope of exfiltrated PostgreSQL data, is not reported as of Sysdig's release.

What others are reporting

Coverage cluster as of 24h after publish

  1. Sysdig Read →

    Sysdig's own forensic write-up; the only source with complete technical evidence including the Cloudflare Workers egress pool technique and all four agent behavioral markers.

    We are not watching AI replace attackers. We are watching attackers replace their scripts with AI.
  2. TechTimes Read →

    Benchmarks the attack against CrowdStrike's 29-minute breakout average and documents defensive AI responses from Google Big Sleep, OpenAI Daybreak, and Microsoft Security Copilot already underway.

    An LLM agent drove four attack pivots in under 60 minutes on May 10; defenders now need AI to match the speed.
  3. Security Magazine Read →

    Frames the incident from the defender's perspective: real-time agent decision-making forces a structural shift from prevention-only strategies to faster detection and containment.

    Every stage of the intrusion lifecycle is accelerating, from vulnerability discovery to lateral movement and data exfiltration.
  4. Cyber Security News Read →

    Detailed technical walkthrough of all four behavioral indicators plus the Cloudflare Workers distributed egress technique that defeated IP-based correlation.

    We are not watching AI replace attackers. We are watching attackers replace their scripts with AI.
  5. GBHackers Read →

    Highlights the Chinese-language planning comment as forensic proof of real-time reasoning and provides precise timestamps across all four attack pivots.

  6. Cyber Press Read →

    Emphasizes the self-consuming output pattern where the agent fed its own previous command results into subsequent attack stages as the key marker of autonomous operation.

    We are not watching AI replace attackers. We are watching attackers replace their scripts with AI.

Originally reported by thehackernews.com

Read the original article →

Original headline: Sysdig Documents First Live Cyberattack Using an LLM Agent for Autonomous Post-Exploitation — AWS Database Exfiltrated via Marimo CVE in Under an Hour