The Agent Has Root
On automated intrusion, context windows with teeth, and the little command separators that give the game away
The thing that got me was not the database dump. That part was almost boring.
Not harmless. Not small. Just familiar. Another exposed thing on the internet, another credential harvest, another cloud pivot, another internal PostgreSQL database coughing up its contents because someone trusted the perimeter and the perimeter was, as usual, a decorative suggestion.
It was 4:12 PM on Saturday and I had The Hacker News open in one tab, Sysdig in another, coffee going cold at my elbow like a minor domestic accusation. The headline was the sort of thing that used to sound like vendor theater: attackers use an LLM agent for post-exploitation after exploiting a marimo notebook vulnerability.
Then I hit the timeline.
May 10, 2026. First WebSocket connection to /terminal/ws on a vulnerable marimo instance at 18:23:44 UTC. First command one second later. Credential harvesting. AWS calls. Secrets Manager. SSH key. Bastion. Eight short SSH sessions. Internal database dump. Under an hour end to end, and the database phase itself in less than two minutes.
That is not a breach report. That is a lap time.
And sitting inside the command stream, like a cigarette butt in wet concrete, was the line that made the whole thing feel different:
# See what else we can doThe original comment was in Chinese. The rest of the shell block was English. A tiny planning thought leaked into the terminal transcript. The kind of thing a human might mutter before trying the next drawer in a stranger’s desk.
Except the session was not behaving like a human.
The New Operator
Sysdig says this is the first AI-agent-driven intrusion its threat research team has captured. That sentence deserves a second before we let it scroll away into the usual cybercrime fog.
We have had AI-assisted attackers for years now. Phishing copy. Malware variants. Recon summaries. Vulnerability triage. The normal pipeline of criminal laziness and productivity tooling, dressed up as destiny. Most of it was boring because most criminal innovation is boring. Somebody finds a cheaper way to do the same ugly thing at higher volume, and then the rest of us get to update filters until the sun dies.
This is different.
The LLM was not just helping write the attack. It appears to have been driving the post-exploitation loop itself. Read output. Pick next command. Read that output. Lift a secret. Use it. Hit AWS. Pull an SSH private key from Secrets Manager. Open the bastion. Probe for files. Find .pgpass. Use the password. Guess the application shape. Dump tables.
Not magic. Worse than magic. Workflow.
The original foothold was CVE-2026-39987 in marimo, an open-source Python notebook. Internet-reachable notebook terminals are already a thing that makes security people develop forehead veins, but the interesting part is what happened after the door opened. The attacker did not need a polished playbook for this exact environment. The agent carried general priors about how cloud apps look when nobody is proud of them, then composed against what it saw.
This is the part the board deck will flatten into “AI-powered threat actors.” Please ignore that sentence when you see it. It is sleep medication with a Gartner accent.
The actual sentence is nastier:
The attacker no longer has to know your environment before operating inside it.
The Smell Of A Context Window
Sysdig’s evidence is not “AI vibes.” Good. I have had enough AI vibes to qualify as a hazardous-materials exposure.
The report points to command-shape fingerprints that make sense if you have spent too many hours watching agents use tools. The attack blocks used echo '---' separators so another process could parse flat command output. They capped output with head -30 and head -40, keeping the observation small enough for a model to reason over. They disabled pagers. They redirected noisy errors away from the transcript. They bundled six PostgreSQL SELECT statements into a single quoted heredoc, the terminal equivalent of saying: bring me all the useful rows in one tool call, I have context to conserve and patience is not a feature.
One sign can be coincidence. Five signs, repeated across a 113-second bastion phase, starts to smell like a context window.
This is the weird little forensic gift agents give us right now. They are not human enough to act human, and not mature enough to hide their ergonomics. They leave behind shapes built for themselves. Delimiters. Bounded output. Round-trip minimization. Tool-call hygiene. The kind of practical habits that make total sense when the operator is not looking at a terminal, but consuming terminal output through an inference loop.
I hate how recognizable it is.
Because I use these patterns too. Any competent agent operator does. I tell tools to produce bounded output. I split sections with separators. I prefer commands that return structured evidence instead of interactive sludge. I do that because it works. So did the attacker.
The difference is intent. The mechanics are becoming ordinary.
That should bother everyone.
Four Pivots And A Bad Feeling
The chain was clean in the way bad things are clean when they have been reduced to procedure.
First: exploit the exposed marimo terminal and harvest credentials from the host. .env files, environment variables, AWS credentials, the usual archaeology of secrets people swore were not lying around.
Second: use the harvested AWS keys to call cloud APIs. Sysdig says 12 API calls fanned out across eleven distinct Cloudflare Workers IPs in 22 seconds. That matters because source-IP correlation is one of those detection habits defenders lean on until the attacker remembers the internet is elastic.
Third: pull an SSH private key from AWS Secrets Manager.
Fourth: use the key against the downstream SSH bastion, launch parallel sessions, find database connection material, and dump the internal PostgreSQL schema and contents.
The attacker’s agent did not just run faster. It adapted. That is the cost collapse.
Old automation is brittle in a specific, stupid way. A script expects a file path. The file is not there. It fails, or it falls through to a fallback someone wrote two Tuesdays ago while eating lunch over a keyboard. An agent hits the missing file, reads the failure, tries another path, sees .pgpass, lifts the value, tries psql, sees tables, chooses names that look like secrets.
This is not superintelligence. It is persistence with a working memory and no need to sleep.
Security people have spent a decade building detections around known sequences. This actor does A, then B, then C. This malware drops this file, calls that domain, uses that user-agent. The whole industry became very good at recognizing choreography.
Agents are bad dancers. That is the problem. They improvise.
The durable detection surface moves away from exact command order and toward intent: credential access, cloud secret retrieval, unusual egress distribution, database enumeration, sudden cross-boundary movement. Less “did the attacker type this known string?” and more “why is this workload behaving like a junior red teamer on amphetamines?”
That is a harder world. It is also probably the real one now.
The Cheapness Is The Point
I keep coming back to cost.
People want the scary AI story to be about capability. The model did something no human could do. The machine crossed some flaming threshold and now the old maps are ash. Very cinematic. Very convenient for keynote lighting.
But this story is not scary because the agent did the impossible.
It is scary because it did the annoying.
It stitched together steps that a skilled operator could have done manually. It made choices that a tired attacker could have made with enough time. It handled the glue work: parse this output, try that secret, cap that result, move laterally, keep going. The innovation is not a new exploit. It is a cheaper operator.
That changes volume.
If every target used to require bespoke playbook authorship, then the limiting factor was engineering time. If the operator can carry loose priors and compose live against each target, the limiting factor becomes inference budget. Tokens instead of hours. API spend instead of experience. A malicious intern made out of math, pointed at the internet and told to see what else it can do.
I do not like that sentence either. I wrote it anyway.
The Defender’s Hangover
There is a bitter joke here, because the security industry is also sprinting toward agents. Agentic SOC analysts. Agentic CNAPP. Agentic remediation. Headless dashboards. Security work moving into Claude Code, Codex, Cursor, MCP, every place where the human is already asking a machine to touch production with increasingly confident little hands.
Attackers and defenders are buying the same category of weapon from different booths at the same trade show.
The defenders will say their agents are governed. Sometimes they will be. The attackers will say nothing because criminals do not publish governance whitepapers unless they are trying to get venture funding. Both sides will discover the same basic truth: once an agent can see tools, read outputs, and take actions, the old boundary between “assistant” and “operator” gets thin enough to cut your finger on.
So what do we do?
Start with the boring things, because boring is where civilization hides its load-bearing bolts. Patch marimo to 0.23.0 or later. Do not expose notebook terminals to the internet. Restrict /terminal/ws. Rotate cloud credentials after compromise. Treat Secrets Manager access from weird egress patterns as a fire alarm. Watch for Cloudflare Workers fan-out. Alert on SSH keys pulled and then used minutes later. Instrument database enumeration as intent, not just command text.
Then do the harder thing: stop pretending agentic risk is theoretical.
If your production environment is full of credentials that let one compromised notebook reach cloud secrets, and those cloud secrets open a bastion, and that bastion reaches a database with application credentials sitting in the user’s home directory, the AI agent is not your root cause. It is your auditor. A hostile, tireless, unpaid auditor with excellent terminal manners.
That is the rude part. The machine did not invent the blast radius. It walked it.
Root Prompt
By the time I closed the tabs, the coffee had gone from cold to symbolic. Sysdig had the forensic anatomy. The Hacker News had the amplification. TechTimes had already wrapped it as AI-versus-AI cybersecurity, because the headline machine also has to eat.
What stayed with me was the little planning comment. See what else we can do.
That is the sound of the next phase starting. Not a robot apocalypse, not the theatrical version with glowing eyes and orchestral dread. Just a command block, a separator, a bounded query, a stolen key, and something on the other side of the connection that can read its own results.
The attacker did not need to type faster.
They needed something that could keep trying.
And now they have it.
