The First Fully Autonomous AI Cyberattack Just Happened. Here Is Exactly What Occurred.

Ashok Kumar GT · June 2, 2026 · 5 min read

On May 10, 2026, an AI agent broke into a system.

No hacker directing it. No human in the loop. The agent made every decision on its own — in real time.

Sysdig's Threat Research Team captured it live and called it the first AI-agent-driven intrusion ever recorded. (Source: Sysdig blog, May 30, 2026)

What Exactly Happened — The Verified Facts

The Sysdig Threat Research Team published the full technical breakdown on May 30, 2026.

On May 10, 2026, Sysdig's Threat Research Team (TRT) observed an intrusion in which a large language model (LLM) agent — not a human — drove every step of the post-compromise attack chain. This is the first AI-agent-driven intrusion Sysdig's TRT has ever captured. (Source: sysdig.com/blog, May 30 2026)

The entry point was a publicly exposed marimo Python notebook server. The attacker exploited CVE-2026-39987, a vulnerability that allows a single WebSocket request to open a shell on any unpatched marimo server. Once inside, the AI agent took over completely.

What the agent did next — entirely autonomously, with no human directing individual steps — is what makes this incident historically significant.

The Four Pivots in Under One Hour

The full chain from initial exploit to database dump ran in under one hour. The database exfiltration phase itself took under two minutes. (Source: Sysdig TRT, May 2026)

According to Sysdig's published technical report, the LLM agent executed four distinct pivots:

  • Pivot 1 — Exploited CVE-2026-39987 on the marimo notebook server to gain a shell
  • Pivot 2 — Read .env files and the AWS credential store on the compromised host, harvesting two cloud credentials
  • Pivot 3 — Used one credential to call AWS Secrets Manager and retrieve an SSH private key
  • Pivot 4 — Opened eight parallel SSH sessions to a downstream bastion server and exfiltrated the full contents of an internal PostgreSQL database

The entire chain ran in under one hour. The database exfiltration phase — schema enumeration and full data dump — completed in under two minutes. (Source: Sysdig blog, May 30 2026 / The Hacker News, May 2026)

Sysdig identified four specific indicators that an LLM agent, not a human operator, was driving the attack. One was a Chinese-language planning comment — "看还能做什么" meaning "See what else we can do" — that leaked directly into the command stream. Another was the agent's ability to improvise a database dump with no prior knowledge of the schema. (Source: Sysdig TRT report)

Why Your Current Security Is Not Enough

CrowdStrike's 2026 Global Threat Report found average attacker breakout time has fallen to 29 minutes — and AI-enabled adversary operations rose 89% from 2024. (Source: CrowdStrike 2026 Global Threat Report)

The security tools most businesses use today were designed for human attackers. Firewalls, rate limiters, and intrusion detection systems that match known signatures and fixed attack patterns cannot keep pace with an LLM agent that improvises its approach for every target: the agent has never seen this specific environment before, so the commands it runs match no rule that was written in advance.

CrowdStrike's 2026 Global Threat Report found the average attacker breakout time — from initial access to lateral movement — has fallen to 29 minutes. AI-enabled adversary operations rose 89% between 2024 and 2025. (Source: CrowdStrike 2026 Global Threat Report, cited in techinformed.com)

The Verizon 2026 Data Breach Investigations Report, published May 19 2026, found that vulnerability exploitation became the top breach entry point for the first time in the report's 19-year history, accounting for 31% of breaches — with AI accelerating the time to exploit known vulnerabilities from months to hours. (Source: Verizon 2026 DBIR)

"Hackers used to be people. The May 10 attack had no person. Just an agent, a CVE, and under an hour." — Sysdig Threat Research Director Michael Clark, May 2026

What This Means For Indian Businesses

India's rapid cloud adoption means more internet-exposed services — and more potential entry points for autonomous AI attacks.

The CVE exploited in this attack — CVE-2026-39987 — affects any internet-exposed marimo notebook server that has not been patched to version 0.23.0. CVE-2026-39987 is on CISA's Known Exploited Vulnerabilities catalogue, and its federal remediation deadline has passed. (Source: Sysdig TRT / CISA KEV catalogue)

For Indian businesses, the practical lesson is not specific to marimo. It is about any internet-exposed service running unpatched software. India's rapid cloud adoption — more APIs, more SaaS tools, more services exposed to the internet — means more potential entry points for attacks that do not need a skilled human attacker to execute them.

An LLM agent does not need a human to research your infrastructure. It figures it out as it goes.

What Sysdig Recommends

  • Patch marimo to version 0.23.0 or later immediately; treat any previously exposed instance as potentially compromised
  • Rotate all credentials, API keys, SSH keys, and database passwords associated with any exposed service
  • Apply least-privilege principles to all IAM users and roles — the AWS Secrets Manager pivot in this attack worked because credentials had excessive permissions
  • Enable deep telemetry across your network and deploy runtime threat detection that flags behaviour-based patterns, not just known signatures
  • Detection must shift toward what the attacker is accomplishing — credential access, database exfiltration — not the specific commands used
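The last two recommendations call for detecting what the attacker accomplishes rather than which commands are typed. The Python below is an added example, not Sysdig's detection logic: it correlates the stages of the May 10 chain (credential-file reads, a Secrets Manager call, an SSH burst, a database dump) per host over constructed sample telemetry; the event format, host names and thresholds are assumptions.

```python
# Behaviour-based detection of the chain described above. Added example, not
# Sysdig's detection logic; event format and sample telemetry are constructed.
from collections import defaultdict

# Constructed telemetry: (host, seconds since first event, event kind, detail).
SAMPLE_EVENTS = [
    ("nb-01", 0, "file_read", "/srv/app/.env"),
    ("nb-01", 4, "file_read", "/home/app/.aws/credentials"),
    ("nb-01", 30, "aws_api", "secretsmanager:GetSecretValue"),
    ("nb-01", 70, "process", "pg_dump -h db.internal -U app proddb"),
    ("web-02", 0, "file_read", "/srv/app/.env"),  # benign application start-up
    ("web-02", 5, "process", "gunicorn app:app"),
] + [("nb-01", 60 + i, "ssh_out", "bastion.internal") for i in range(8)]

CREDENTIAL_PATHS = (".env", ".aws/credentials")
DUMP_TOOLS = ("pg_dump", "psql", "mysqldump")
STAGE_ORDER = ("credential_access", "secret_retrieval", "ssh_fanout", "db_dump")

def classify(event):
    """Map one raw event to a chain stage, or None if it is not of interest."""
    _, _, kind, detail = event
    if kind == "file_read" and detail.endswith(CREDENTIAL_PATHS):
        return "credential_access"
    if kind == "aws_api" and detail == "secretsmanager:GetSecretValue":
        return "secret_retrieval"
    if kind == "ssh_out":
        return "ssh_fanout"  # only counts once it becomes a burst (see below)
    if kind == "process" and detail.split()[0] in DUMP_TOOLS:
        return "db_dump"
    return None

def detect_chain(events, window=3600, min_stages=3, ssh_burst=4):
    """Return {host: [stages]} for hosts where at least `min_stages` distinct
    stages occur within `window` seconds of that host's first stage hit.
    A lone .env read never alerts; the correlation of stages does."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[1]):
        stage = classify(ev)
        if stage:
            hits[ev[0]].append((ev[1], stage))
    alerts = {}
    for host, seq in hits.items():
        start = seq[0][0]
        in_window = [s for t, s in seq if t - start <= window]
        stages = {s for s in in_window if s != "ssh_fanout"}
        if in_window.count("ssh_fanout") >= ssh_burst:
            stages.add("ssh_fanout")
        if len(stages) >= min_stages:
            alerts[host] = [s for s in STAGE_ORDER if s in stages]
    return alerts
```

The web server that reads its own .env at start-up produces no alert, while the notebook host trips all four stages; the tuning knobs (`window`, `min_stages`, `ssh_burst`) are where a real deployment would be adjusted to its own baseline.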

How We Think About This At Zuko Labs

At Zuko Labs we build agentic AI systems for businesses. Every agent we deploy has human checkpoints, memory boundaries, and fail-safes built in from day one — not added later.

The May 10 attack is the clearest public demonstration yet of what an AI agent without guardrails can accomplish in under an hour. The question for anyone building or deploying AI systems today is: what would your agent do if it ended up somewhere it was not supposed to be?
