Lead story
The AI-Assisted Hack: When the LLM Does the Post-Breach Heavy Lifting
Something shifted this week in how we should think about AI and cyberattacks. Not AI-generated phishing lures — we've had those for a while. Not AI-written malware. Something more consequential: an attacker who used a large language model agent to conduct post-exploitation activity after breaking into a system. Automatically. At machine speed.
Here's what happened. Researchers observed a threat actor exploit a recently disclosed vulnerability in Marimo — a Python notebook environment increasingly popular with data scientists and AI developers — tracked as CVE-2026-39987. The bug gave them initial access to an internet-facing Marimo instance. That's not unusual. What came next is.
Rather than manually digging through the compromised environment, the attacker deployed an LLM agent to do the reconnaissance. The agent extracted two sets of cloud credentials from the compromised notebook, then proceeded to enumerate what those credentials could access. The whole post-compromise chain — find the secrets, understand the environment, identify what to pivot to next — was handed off to the model.
Think of it like hiring a very fast, very thorough contractor to rob a house while you go for coffee. The attacker provided the initial foothold; the LLM did the methodical work of figuring out what was valuable and where to go next.
Why this matters more than another AI-lure story. The industry has largely treated AI-assisted attacks as a "before the breach" problem — better phishing, better social engineering, faster initial access. This incident suggests the threat is just as much a "during and after" problem. Post-exploitation has traditionally been slow, requiring skilled operators who understand cloud environments, IAM policies, credential scopes, and lateral movement paths. LLM agents can close much of that expertise gap.
For defenders, this changes the urgency calculus on a few things. First, secret sprawl in notebooks and development environments is now a higher-priority target than it might have seemed — Marimo notebooks, Jupyter instances, and similar tools are often internet-accessible and often contain embedded credentials. Second, detection windows shrink when the attacker's post-breach activity moves at inference speed rather than human speed. The gap between "initial access achieved" and "cloud environment enumerated" may now be minutes, not hours or days.
Marimo is worth knowing. It's a reactive Python notebook environment — think Jupyter with more interactivity — that's been gaining traction among ML engineers and data teams. It's exactly the kind of tool that ends up running in cloud environments with broad permissions attached, because the people using it are focused on their models, not their attack surface.
There's no confirmation yet that a patch for CVE-2026-39987 is widely deployed, so any organisation running internet-accessible Marimo instances should treat this as a live threat.
Watch for: Whether other threat actors adopt this playbook quickly — the tooling to deploy an LLM as a post-exploitation agent is not exotic. If one group worked it out, others will follow. The more important question is how long it takes detection tooling to catch up to agents that move faster and more methodically than human operators. Australian organisations running data science infrastructure in cloud environments — particularly those in financial services, research, and government — should be auditing what credentials are embedded in their notebook environments now, not after an incident.
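The credential audit recommended above can start with a simple scan of the notebook files themselves. What follows is an added example, not code from the original article or from the Marimo project: a Python script that walks a directory for notebooks (Marimo notebooks are plain `.py` modules; Jupyter `.ipynb` files are JSON with cell sources and stored outputs) and flags credential-shaped strings in both source and saved output. The AWS access-key-id prefix rule is documented by AWS; the other patterns, the sample notebooks and every value in them are constructed for this example and are not real credentials.

```python
"""Audit notebook files for embedded cloud credentials (added example).

Marimo notebooks are ordinary Python modules; Jupyter notebooks are JSON with
code cells and their stored outputs. Both are scanned: a secret that was only
printed into a cell output is still a secret sitting on disk.
"""
import json
import re
from dataclasses import dataclass
from pathlib import Path

# Credential-shaped patterns. The AKIA/ASIA prefix rule comes from AWS's own
# documentation; the remaining patterns are heuristics chosen for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)\b(?:aws_secret_access_key|secret_access_key|api_key|apikey|"
        r"access_token|auth_token|password)\b['\"]?\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


@dataclass(frozen=True)
class Finding:
    location: str   # file plus cell/line the match came from
    kind: str       # which pattern matched
    preview: str    # redacted match, so the report itself is safe to share


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix for correlation, mask the rest."""
    return secret[:keep] + "*" * max(0, len(secret) - keep)


def scan_text(text: str, location: str) -> list[Finding]:
    """Run every pattern over every line of one text unit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Prefer the captured value (the secret itself) over the whole match.
                secret = match.group(match.lastindex) if match.lastindex else match.group(0)
                findings.append(Finding(f"{location}:{lineno}", kind, redact(secret)))
    return findings


def marimo_units(source: str, name: str):
    """A Marimo notebook is a single Python file; scan it as one unit."""
    yield name, source


def ipynb_units(raw: str, name: str):
    """Yield each cell's source and any text outputs of a Jupyter notebook."""
    nb = json.loads(raw)
    for idx, cell in enumerate(nb.get("cells", [])):
        src = cell.get("source", "")
        yield f"{name}#cell{idx}", "".join(src) if isinstance(src, list) else src
        for out in cell.get("outputs", []):
            if out.get("output_type") == "stream":
                text = out.get("text", "")
            else:
                text = out.get("data", {}).get("text/plain", "")
            text = "".join(text) if isinstance(text, list) else text
            if text:
                yield f"{name}#cell{idx}/output", text


def scan_notebook_text(raw: str, name: str) -> list[Finding]:
    """Dispatch on extension: .ipynb is JSON, anything else is treated as Python."""
    units = ipynb_units(raw, name) if name.endswith(".ipynb") else marimo_units(raw, name)
    findings = []
    for location, text in units:
        findings.extend(scan_text(text, location))
    return findings


def scan_path(root: Path) -> list[Finding]:
    """Walk a directory tree and scan every .py and .ipynb file found."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in {".py", ".ipynb"}:
            findings.extend(scan_notebook_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed samples: not real notebooks, not real credentials.
SAMPLE_MARIMO = '''import marimo
app = marimo.App()

@app.cell
def _():
    import boto3
    AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
    aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    return boto3.client("s3")
'''

SAMPLE_IPYNB = json.dumps({"cells": [
    {"cell_type": "code", "source": ["creds = load_creds()\n", "print(creds)\n"],
     "outputs": [{"output_type": "stream", "name": "stdout",
                  "text": ["{'api_key': 'sk-constructed-example-0001'}\n"]}]},
    {"cell_type": "code", "source": ["KEY = '''-----BEGIN RSA PRIVATE KEY-----\n",
                                     "MIIEconstructedexample\n",
                                     "-----END RSA PRIVATE KEY-----'''\n"], "outputs": []},
    {"cell_type": "markdown", "source": ["Nothing sensitive here."]},
]})


def demo() -> dict[str, list[Finding]]:
    """Scan the constructed samples; returns findings keyed by file name."""
    return {
        "notebook.py": scan_notebook_text(SAMPLE_MARIMO, "notebook.py"),
        "nb.ipynb": scan_notebook_text(SAMPLE_IPYNB, "nb.ipynb"),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        for f in findings:
            print(f"{f.location}: {f.kind} -> {f.preview}")
```

Run it against a real tree with `scan_path(Path("/path/to/notebooks"))`. Two design choices matter for this use case: cell outputs are scanned as well as source, because a credential that was ever printed stays in the `.ipynb` on disk; and the report only carries a redacted preview, so the audit result does not become a second secrets file. A hit should trigger rotation of that credential, not just deletion from the notebook, since the file may already have been copied elsewhere.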
