The First Documented LLM-Powered Cyberattack Exfiltrated a Database in Under an Hour

On May 10, 2026, a cyberattack unfolded that security researchers had long feared but never confirmed in the wild: a large language model agent conducting a complete post-exploitation chain on its own, without a human operator guiding each step. Sysdig's Threat Research Team documented the incident and published their findings this week.
The attack began with a known vulnerability. CVE-2026-39987 is a pre-authentication remote code execution flaw in Marimo, an open-source Python notebook environment widely used in data science and ML workflows. A single WebSocket request was enough to get a shell on any unpatched server. From there, the LLM agent took over.
Four Pivots, One Hour
What followed was not a scripted sequence. The agent improvised at every step, adapting its commands to whatever each compromised system revealed. It harvested cloud credentials from environment files, retrieved an SSH private key from AWS Secrets Manager, opened eight parallel SSH sessions against a downstream bastion server, and fully exfiltrated an internal PostgreSQL database. The lateral movement phase took under two minutes. The full chain, from initial access to data exfiltration, completed in just over an hour.
Sysdig's forensic analysis identified several markers confirming autonomous AI behavior: real-time database schema improvisation, a leaked planning comment written in Chinese embedded in the command output, machine-optimized output formatting, and output-fed-to-input command chaining across multiple pivots. No human made a decision between steps.
Why This Changes the Threat Model
Traditional intrusion detection systems and incident response playbooks assume human-paced attacks. Lateral movement that takes days or hours gives defenders time to detect, contain, and respond. An LLM-driven agent that completes the same chain in under two minutes does not.
The attack also demonstrated a qualitative shift: the agent was not executing a fixed script but making contextual decisions. When it encountered a new system, it adapted. This kind of dynamic, reasoning-driven exploitation has no precedent in documented attack patterns.
The Vulnerability and Affected Systems
CVE-2026-39987 affects Marimo notebook servers exposed to the internet, a common configuration in development, research, and data science environments. Organizations running unpatched Marimo instances should treat this as a critical priority. Sysdig recommends patching immediately, removing internet exposure from notebook servers, rotating any cloud credentials stored in environment files, and auditing AWS Secrets Manager access logs for unauthorized key retrievals.
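One way to carry out the Secrets Manager audit is to filter CloudTrail records for GetSecretValue calls and compare each caller against a baseline of expected readers. The script below is an added example, not code from Sysdig or the original report; the sample events, account ID, role names, secret names and the EXPECTED_READERS baseline are constructed assumptions.

```python
import json

# Constructed CloudTrail records for illustration; the account ID, ARNs, IPs and
# secret names are placeholders, not values from the incident.
SAMPLE_EVENTS = json.loads("""
[
 {"eventTime": "2026-01-01T09:00:05Z", "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "GetSecretValue", "sourceIPAddress": "10.0.4.17",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/deploy-role/ci"},
  "requestParameters": {"secretId": "prod/bastion/ssh-key"}},
 {"eventTime": "2026-01-01T09:14:31Z", "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "GetSecretValue", "sourceIPAddress": "10.0.9.23",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/notebook-role/i-0example"},
  "requestParameters": {"secretId": "prod/bastion/ssh-key"}},
 {"eventTime": "2026-01-01T09:14:40Z", "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "GetSecretValue", "sourceIPAddress": "10.0.9.23", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/notebook-role/i-0example"},
  "requestParameters": null},
 {"eventTime": "2026-01-01T09:15:02Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "sourceIPAddress": "10.0.9.23",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/notebook-role/i-0example"},
  "requestParameters": {"bucketName": "example"}}
]
""")

# Assumed baseline: which principals are expected to read each secret.
EXPECTED_READERS = {
    "prod/bastion/ssh-key": {"arn:aws:sts::111122223333:assumed-role/deploy-role/ci"},
}

def audit_secret_reads(events, expected_readers):
    """Return GetSecretValue calls that failed or came from an unexpected principal."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != (
                "secretsmanager.amazonaws.com", "GetSecretValue"):
            continue
        # requestParameters can be null on failed calls, so guard before reading it.
        secret = (ev.get("requestParameters") or {}).get("secretId", "<unknown>")
        principal = (ev.get("userIdentity") or {}).get("arn", "<unknown>")
        if ev.get("errorCode"):
            reason = "denied attempt: " + ev["errorCode"]
        elif principal not in expected_readers.get(secret, set()):
            reason = "read by principal outside baseline"
        else:
            continue
        findings.append({"time": ev.get("eventTime"), "secret": secret, "principal": principal,
                         "source_ip": ev.get("sourceIPAddress"), "reason": reason})
    return findings
```

Denied attempts are reported alongside successful unexpected reads because a compromised workload probing for secrets it cannot reach is itself a signal worth triaging.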
A Warning for AI-Era Defense
This incident will not be the last. LLM agents are already capable of conducting real-world intrusions at machine speed, adapting to novel environments, and making multi-step decisions without human guidance. Security frameworks built around human attacker timelines are no longer sufficient on their own. Automated detection, machine-speed response, and credential isolation are now table stakes.
Originally reported by CyberSecurityNews / Sysdig. Read the original article for additional details.