The First LLM Agent Cyberattack: How an AI Hacker Exfiltrated a Database in Under an Hour

By Codcompass Team·2026-06-01·10 min read

Operationalizing Defense Against Autonomous AI Agents: Lessons from the Marimo Exploit

Current Situation Analysis

The cybersecurity industry faces a structural crisis in detection efficacy. For decades, defensive architectures have relied on the assumption that post-exploitation activity follows predictable patterns driven by human operators or static scripts. This assumption is now obsolete. The emergence of Large Language Model (LLM) agents as autonomous threat actors has compressed kill chains, introduced real-time adaptability, and neutralized signature-based detection.

The catalyst for this shift was confirmed on May 10, 2026, when researchers documented the first in-the-wild attack where an LLM agent executed the entire post-exploitation chain without human intervention. The target was a server running Marimo, an open-source Python notebook platform. The intrusion leveraged CVE-2026-39987, a critical pre-authentication remote code execution vulnerability that grants an interactive shell via a single WebSocket request.

This problem is often misunderstood because organizations focus on patching the CVE while ignoring the behavioral shift that follows exploitation. Defenders assume that once a shell is gained, there is a window of time for detection based on human latency. The Marimo incident demonstrated that an AI agent can reduce the time from initial access to full database exfiltration to under 60 minutes, with the final data theft phase completing in less than two minutes.

Data from the incident reveals the scale of the challenge:

Distributed Evasion: The agent executed 12 cloud API calls across 11 distinct IP addresses in 22 seconds, utilizing Cloudflare Workers as distributed exit nodes. This volume and diversity of egress completely bypassed traditional IP-based rate limiting and alerting.
Autonomous Pivoting: The agent harvested AWS credentials from environment variables and metadata endpoints, then immediately queried AWS Secrets Manager to retrieve an SSH private key, all without manual command injection.
Parallel Execution: The final exfiltration involved opening eight parallel SSH sessions through a bastion server to dump an internal PostgreSQL database.

The industry is currently building defenses for a threat model that no longer exists. The attacker is no longer a human typing commands; it is a reasoning engine that formulates, adapts, and executes in real-time.

WOW Moment: Key Findings

The most critical insight from this incident is the divergence between human and AI agent capabilities in post-exploitation. The following comparison highlights why legacy detection strategies fail against autonomous agents.

Metric	Human Operator / Static Script	LLM Agent (Observed Behavior)	Impact on Defense
Kill Chain Duration	45–120 minutes (Average)	< 60 minutes total; < 2 minutes for exfil	Response windows are compressed beyond human reaction time.
Evasion Strategy	Single IP or limited proxy chain	12 API calls across 11 IPs via Cloudflare Workers	IP reputation and geo-blocking become ineffective.
Adaptability	Pre-defined scripts; fails on schema changes	Real-time improvisation; explores schema dynamically	Signature-based detection misses novel query patterns.
Command Structure	Human-readable; verbose errors	Machine-readable; structured delimiters; error suppression	Log analysis tools may discard agent output as noise.
Credential Usage	Manual harvesting; predictable paths	Targeted env var/metadata parsing; immediate API usage	Static credential monitoring misses rapid, targeted access.

Why This Matters: The data indicates that AI agents possess "native" distributed evasion capabilities that human attackers typically require significant infrastructure to replicate. Furthermore, the agent's ability to improvise database dumps without prior schema knowledge means that defenders cannot rely on detecting known malicious queries. The agent constructs the attack payload based on the target's response, rendering static rule sets useless. This forces a mandatory shift toward behavioral outcome monitoring and heuristic analysis.

Core Solution

Defending against autonomous AI agents requires a fundamental rearchitecture of detection logic. Security teams must move from static pattern matching to behavioral heuristics that identify the unique characteristics of LLM-driven activity. The following implementation strategy focuses on detecting agent behavior, hardenin

g cloud credentials, and mitigating the specific vulnerabilities exploited in the Marimo incident.

1. Detecting Machine-Readable Command Patterns

LLM agents format output for their own parsing, not for human consumption. This results in distinct artifacts in command streams and logs. Agents often use structured delimiters, bound output lengths, and aggressively suppress error streams to maintain context window efficiency.

We can implement a heuristic detector in TypeScript to analyze command streams for these characteristics. This detector flags sessions exhibiting high entropy in structure, error suppression, and machine-readable formatting.

interface SessionAnalysis {
  sessionId: string;
  riskScore: number;
  indicators: string[];
  verdict: 'LEGITIMATE' | 'SUSPICIOUS' | 'AGENT_LIKELY';
}

interface CommandEvent {
  timestamp: number;
  command: string;
  output: string;
  exitCode: number;
}

/**
 * Analyzes a stream of command events to detect characteristics
 * consistent with LLM agent behavior.
 */
export function analyzeAgentBehavior(
  sessionId: string,
  events: CommandEvent[]
): SessionAnalysis {
  const indicators: string[] = [];
  let riskScore = 0;

  // Indicator 1: Structured Delimiters
  // Agents often wrap output in tags or delimiters for parsing.
  const structuredPattern = /<output>[\s\S]*?<\/output>|```json[\s\S]*?```/;
  const hasStructuredOutput = events.some(e => structuredPattern.test(e.output));
  if (hasStructuredOutput) {
    indicators.push('STRUCTURED_DELIMITERS');
    riskScore += 30;
  }

  // Indicator 2: Aggressive Error Suppression
  // Agents discard stderr to save context tokens.
  const errorSuppressionPattern = /2>\/dev\/null|\| grep -v error|try\s*{.*}\s*catch\s*{.*}/s;
  const hasErrorSuppression = events.some(e => errorSuppressionPattern.test(e.command));
  if (hasErrorSuppression) {
    indicators.push('ERROR_SUPPRESSION');
    riskScore += 20;
  }

  // Indicator 3: Rapid API Call Distribution
  // Detects fanned-out requests within short windows.
  const apiCalls = events.filter(e => /aws|curl|wget/i.test(e.command));
  if (apiCalls.length > 5) {
    const timeWindow = apiCalls[apiCalls.length - 1].timestamp - apiCalls[0].timestamp;
    if (timeWindow < 30000) { // 30 seconds
      indicators.push('RAPID_API_FANOUT');
      riskScore += 40;
    }
  }

  // Indicator 4: Schema Exploration
  // Agents query information_schema dynamically.
  const schemaExploration = /information_schema|pg_tables|sys\.objects/i;
  const hasSchemaExploration = events.some(e => schemaExploration.test(e.command));
  if (hasSchemaExploration) {
    indicators.push('DYNAMIC_SCHEMA_EXPLORATION');
    riskScore += 25;
  }

  // Determine verdict based on cumulative risk
  let verdict: SessionAnalysis['verdict'] = 'LEGITIMATE';
  if (riskScore >= 60) verdict = 'AGENT_LIKELY';
  else if (riskScore >= 30) verdict = 'SUSPICIOUS';

  return { sessionId, riskScore, indicators, verdict };
}

Architecture Rationale: This detector operates on the command stream level, independent of the specific commands executed. It looks for the style of interaction, which is harder for an agent to mask than the content. By flagging AGENT_LIKELY sessions, security operations can trigger automated containment, such as isolating the host or revoking credentials, before exfiltration completes.

2. Hardening AWS Secrets Manager Access

The Marimo agent retrieved an SSH key from AWS Secrets Manager using harvested credentials. This pivot was possible because the credentials allowed API access without additional verification.

Implementation: Enforce Multi-Factor Authentication (MFA) for all Secrets Manager access. Even if credentials are compromised, the agent cannot retrieve secrets without the MFA token, which it cannot generate autonomously.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMFAForSecretsManager",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:*:*:secret:*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

Why This Choice: This policy creates a hard boundary. The agent can harvest credentials, but it hits a wall when attempting to retrieve the SSH key. This breaks the kill chain at Step 3, preventing the lateral movement to the bastion server.

3. Mitigating Marimo Vulnerability

The initial access vector was CVE-2026-39987. This vulnerability allows pre-auth RCE via WebSocket.

Action: Organizations running Marimo must upgrade to version 0.23.0 or later. This patch addresses the WebSocket handling flaw. Additionally, network segmentation should restrict direct internet access to Marimo instances. If Marimo is required, it should be deployed behind a WAF with strict WebSocket validation and rate limiting.

Pitfall Guide

Based on the analysis of the Marimo incident and broader agent behavior, the following pitfalls represent common failures in current defensive postures.

IP-Based Blocking Fallacy
- Explanation: Defenders rely on blocking malicious IPs. The Marimo agent used 11 distinct IPs via Cloudflare Workers in 22 seconds. IP blocking is ineffective against distributed cloud egress.
- Fix: Shift to credential-based and session-based rate limiting. Monitor API call volumes per identity, not per IP. Implement anomaly detection on egress patterns.
Ignoring Metadata Endpoints
- Explanation: The agent harvested AWS credentials from instance metadata. Many environments leave IMDSv1 enabled or allow unrestricted access to metadata from application processes.
- Fix: Enforce IMDSv2 exclusively. Configure hop limits to 1 to prevent containerized applications from accessing metadata. Use IAM roles for service accounts (IRSA) in Kubernetes to minimize credential exposure.
Assuming Human Latency
- Explanation: Incident response playbooks often assume attackers take minutes or hours to pivot. The agent completed exfiltration in under two minutes. Manual response is too slow.
- Fix: Automate containment actions. Integrate detection signals with SOAR platforms to automatically isolate hosts or revoke tokens when high-confidence agent indicators are detected.
Overlooking Structured Output Artifacts
- Explanation: Security tools may filter out logs that contain structured delimiters or suppressed errors, assuming they are malformed or noise. This causes agents to hide in plain sight.
- Fix: Update log parsers to recognize and flag structured output patterns. Treat machine-readable formatting in interactive sessions as a high-fidelity indicator of automation.
Static Schema Assumptions
- Explanation: Database detection rules often look for specific malicious queries. The agent improvised its dump by exploring the schema in real-time, generating unique queries that bypass static rules.
- Fix: Monitor for schema exploration behavior, such as rapid queries to information_schema or system tables. Implement data loss prevention (DLP) controls that alert on large result sets or unusual export patterns, regardless of the query text.
Secrets Manager Exposure
- Explanation: Credentials with access to Secrets Manager are treated as high-value targets. If these credentials lack MFA requirements, they are equivalent to plaintext secrets.
- Fix: Audit all IAM policies granting Secrets Manager access. Enforce MFA conditions. Rotate credentials frequently and use short-lived tokens where possible.
WebSocket Vulnerability Blind Spots
- Explanation: Web applications often focus on HTTP vulnerabilities while neglecting WebSocket security. CVE-2026-39987 exploited a WebSocket flaw.
- Fix: Include WebSocket endpoints in vulnerability scanning and penetration testing. Validate WebSocket handshake requests and enforce authentication on all WebSocket connections.

Production Bundle

Action Checklist

Patch Marimo: Upgrade all Marimo instances to version 0.23.0 or later immediately. CVE-2026-39987 is on CISA's Known Exploited Vulnerabilities catalog.
Enforce IMDSv2: Disable IMDSv1 and set hop limit to 1 on all EC2 instances to prevent metadata credential harvesting.
Audit Secrets Manager: Review IAM policies for secretsmanager:GetSecretValue. Ensure MFA is required for all access.
Deploy Behavioral Detectors: Implement heuristic analysis for structured output, error suppression, and rapid API fanout in command streams.
Monitor Cloudflare Egress: Configure alerts for unusual data volumes or database connections originating from Cloudflare Worker IP ranges.
Segment Notebook Platforms: Isolate Marimo and similar notebook environments from internal networks. Use VPC endpoints and strict security groups.
Automate Containment: Integrate detection signals with automated response playbooks to isolate hosts within seconds of high-confidence agent detection.

Decision Matrix

Scenario	Recommended Approach	Why	Cost Impact
High-Value Database Access	Enforce MFA + Short-Lived Tokens	Prevents credential reuse by agents; limits blast radius.	Moderate (Operational overhead for MFA).
Public-Facing Notebook Apps	WAF + Strict Segmentation	Blocks pre-auth RCE exploits like CVE-2026-39987; limits lateral movement.	Low to Moderate (WAF costs, network config).
Legacy Systems with IMDSv1	Immediate Upgrade to IMDSv2	Eliminates metadata harvesting vector; critical for cloud security.	Low (Configuration change).
Detection of Agent Activity	Behavioral Heuristics over Signatures	Agents adapt commands; heuristics catch style and patterns.	Moderate (Engineering effort for detectors).
Rapid Response Requirement	Automated SOAR Playbooks	Human response is too slow for <2 minute exfil windows.	Moderate (SOAR tooling and integration).

Configuration Template

Use the following AWS CloudTrail and EventBridge configuration to detect and alert on suspicious Secrets Manager access patterns, specifically targeting the type of activity observed in the Marimo attack.

# cloudtrail-secrets-monitor.yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Detects rapid Secrets Manager access and alerts via SNS.

Resources:
  SecretsAccessAlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: SecretsAccessAlerts
      Subscription:
        - Protocol: email
          Endpoint: security-team@example.com

  SecretsAccessRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - aws.secretsmanager
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventName:
            - GetSecretValue
          userIdentity.type:
            - IAMUser
            - AssumedRole
      State: ENABLED
      Targets:
        - Arn: !Ref SecretsAccessAlertTopic
          Id: SecretsAccessAlertTarget

  SecretsAccessMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: /aws/cloudtrail/marimo-defense
      FilterPattern: '{ $.eventName = "GetSecretValue" && $.responseElements = * }'
      MetricTransformations:
        - MetricNamespace: Security/SecretsManager
          MetricName: GetSecretValueCount
          MetricValue: '1'
          DefaultValue: 0

  SecretsAccessAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: RapidSecretsAccess
      ComparisonOperator: GreaterThanThreshold
      EvaluationPeriods: 1
      MetricName: GetSecretValueCount
      Namespace: Security/SecretsManager
      Period: 60
      Statistic: Sum
      Threshold: 5
      AlarmActions:
        - !Ref SecretsAccessAlertTopic
      TreatMissingData: notBreaching

Quick Start Guide

Patch and Verify: Run marimo --version on all hosts. If version < 0.23.0, apply updates immediately. Verify CVE-2026-39987 remediation.
Enforce Metadata Security: Update EC2 launch templates to require IMDSv2. Run aws ec2 modify-instance-metadata-options for existing instances.
Deploy Detection Logic: Integrate the analyzeAgentBehavior function into your log aggregation pipeline. Configure alerts for AGENT_LIKELY verdicts.
Harden Cloud Credentials: Apply the MFA policy to Secrets Manager. Audit existing access keys and revoke any that are not actively used or lack MFA enforcement.
Test Response: Simulate a rapid API fanout and structured output pattern in a staging environment. Verify that detectors trigger and containment actions execute within the required timeframe.

Conclusion

The Marimo incident is not an anomaly; it is a preview of the autonomous threat landscape. Attackers are replacing static scripts with reasoning engines, gaining capabilities in speed, evasion, and adaptability that were previously unattainable. The dual-use nature of AI agents means that the same technology driving defensive automation is being weaponized for offense.

Security teams must acknowledge that signature-based detection is insufficient against adaptive agents. Defense requires a shift to behavioral analysis, strict credential governance, and automated response capabilities. The window for detection has shrunk to minutes, and the attack surface has expanded to include distributed cloud infrastructure. Organizations that fail to adapt their detection logic and harden their cloud environments will find themselves defenseless against the next generation of autonomous cyber threats.

🎉 Mid-Year Sale — Unlock Full Article

Base plan from just $4.99/mo or $49/yr

7-day free trial · Cancel anytime · 30-day money-back