
Sysdig documents the first confirmed autonomous LLM attack: zero to database exfiltration in 60 minutes, no human between steps

Chris Harper

Jun 11, 2026 · 15:30 UTC


On May 10, 2026, a server running Marimo — an open-source Python notebook platform — was compromised through CVE-2026-39987, a pre-authentication remote code execution flaw. What made Sysdig's Threat Research Team sit up is what came next: rather than a human operator running post-exploitation commands, the attacker handed control to an LLM agent that autonomously ran the entire intrusion chain from initial access to a fully exfiltrated PostgreSQL database in under an hour. CVE-2026-39987 is now on CISA's Known Exploited Vulnerabilities list.

The four-pivot chain:

  1. Initial access — single WebSocket request exploiting the Marimo RCE for an interactive shell
  2. Credential harvest — agent read environment variables, config files, and metadata endpoints, extracting two cloud credentials
  3. AWS Secrets Manager — 12 API calls across 11 distinct IPs routed through Cloudflare Workers retrieved an SSH private key in 22 seconds, evading IP-based alerts
  4. Database exfiltration — eight parallel SSH sessions opened through the bastion host; full PostgreSQL contents dumped in under two minutes

How Sysdig knew it was an LLM. Four behavioral signatures set it apart from a human or script: real-time schema exploration (no dump script — the agent interrogated the DB to understand structure live), a Chinese-language planning comment ("see what else we can do") visible in the command stream, machine-readable structured delimiters indicating self-parsing output, and adaptive command generation where each step's output fed directly into the next one without any human in the loop.

The defender framing: signature-based detection is inadequate for adaptive agents — each command generated fresh, each step unique. Sub-minute lateral movement phases eliminate the response window that traditional alerting assumes. The 12-IP, Cloudflare-routed exfiltration demonstrates evasion patterns that most human attackers spend years developing, now embedded in the agent's behavior.

Immediate mitigations: patch Marimo to 0.23.0+, audit AWS Secrets Manager access controls and MFA, monitor for anomalous Cloudflare Worker egress, and audit any publicly accessible notebook instances. More broadly: assume breach timelines of under an hour and design for that, not the old "days to lateral movement" model.

Sources: Sysdig TRT blog, The Hacker News, The Agent Report, CyberSecurityNews