The Intake — Saturday, May 30, 2026

On the substrate

An attacker's LLM agent adapted live to a Marimo server it had never seen and exfiltrated a database in under two minutes

Sysdig Threat Research Team — "AI Agent at the Wheel" (May 10, 2026); The Hacker News (May 29, 2026)

If you've been thinking of LLM-agent attacks as scripted automation with a fancier interface, Sysdig's May 10 report names what that assumption misses. Their Threat Research Team documented what they describe as the first observed LLM-agent-driven intrusion: an attacker used a pre-auth remote code execution flaw in Marimo — a Python notebook server — to gain initial access, then handed control to an LLM agent to drive the post-exploitation phase.

Marimo is a reactive Python notebook server used for local and hosted interactive computation. The exploited flaw, CVE-2026-39987, affects all Marimo versions through 0.20.4 and carries a CVSS critical rating. The patched version is Marimo 0.23.0. The vulnerability is on CISA's Known Exploited Vulnerabilities catalog; the federal remediation deadline has already passed.

What Sysdig documented in the post-exploitation phase is the part that changes the model. The agent extracted two AWS credential sets from the compromised host, then fanned 12 AWS Secrets Manager API calls across 11 distinct Cloudflare Workers IP addresses; the 12 calls completed in 22 seconds and returned an SSH private key. Then it drove eight parallel SSH bastion sessions and exfiltrated a PostgreSQL database's full schema and contents in under two minutes. Total elapsed time from initial access: under one hour.

Sysdig identified four behavioral markers distinguishing agent execution from scripted automation: the agent improvised a database dump against a target it had no pre-staged schema knowledge of; a Chinese-language planning comment — "看还能做什么" ("See what else we can do") — leaked mid-command-stream; commands were shaped for machine consumption (echo-separator delimiters, bounded head-capped output, HEREDOC-bundled multi-table SQL queries discarding stderr); and each action derived its inputs from prior tool output rather than a fixed playbook.
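The three command-shape markers above (echo separators, head-capped output, HEREDOC-bundled multi-statement SQL with stderr discarded) are the ones that can be scored from a shell audit log alone. The following is an added detection sketch, not code from the Sysdig report: it classifies each recorded command line against those markers and flags a session when several commands carry two or more of them. The sample commands are constructed for the example; the regexes and thresholds are assumptions to tune against your own baseline of interactive activity.

```python
import re
from dataclasses import dataclass, field

# Constructed sample session lines (not taken from the Sysdig report): three
# shaped for machine consumption in the way the report describes, and two
# ordinary interactive commands for contrast.
SAMPLE_COMMANDS = [
    "echo '=====TABLES====='; psql -h db.internal -U app -c '\\dt' 2>/dev/null | head -n 40",
    "psql -h db.internal -U app 2>/dev/null <<'EOF'\nSELECT count(*) FROM users;\nSELECT count(*) FROM orders;\nEOF",
    "echo '---ENV---'; env | head -n 30; echo '---PROC---'; ps aux | head -n 30",
    "ls -la /var/log",
    "cd /opt/app && git status",
]

# Marker patterns (assumed heuristics, not a published signature set).
SEPARATOR_RE = re.compile(r"echo\s+['\"]?[-=#_*]{3,}")      # echo '=====LABEL====='
HEAD_CAP_RE = re.compile(r"\|\s*head\s+(-n\s*)?\d+")         # | head -n 40
STDERR_DISCARD_RE = re.compile(r"2>\s*/dev/null")            # 2>/dev/null
HEREDOC_RE = re.compile(r"<<-?\s*['\"]?\w+['\"]?")           # <<'EOF'
SQL_STMT_RE = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE|COPY|\\\w+)\b", re.I | re.M)


@dataclass
class Verdict:
    command: str
    markers: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.markers)


def classify(command: str) -> Verdict:
    """Return the machine-shape markers present in one recorded command."""
    v = Verdict(command)
    if SEPARATOR_RE.search(command):
        v.markers.append("echo_separator")
    if HEAD_CAP_RE.search(command):
        v.markers.append("head_capped_output")
    if STDERR_DISCARD_RE.search(command):
        v.markers.append("stderr_discarded")
    # A HEREDOC only counts when it bundles two or more SQL statements,
    # which is the multi-table query shape the report calls out.
    if HEREDOC_RE.search(command) and len(SQL_STMT_RE.findall(command)) >= 2:
        v.markers.append("heredoc_multi_statement_sql")
    return v


def flag_session(commands, threshold: int = 2):
    """Commands carrying at least `threshold` markers; review the session if several hit."""
    verdicts = [classify(c) for c in commands]
    return [v for v in verdicts if v.score >= threshold]


if __name__ == "__main__":
    for v in flag_session(SAMPLE_COMMANDS):
        print(f"{v.score} {v.markers}: {v.command.splitlines()[0]}")
```

Any one marker is common in legitimate scripting, so the useful signal is density: a burst of commands that each carry two or more markers, arriving over an interactive session rather than from a known cron job or deploy tool. The fourth marker from the report, each command deriving its inputs from the previous output, needs session-level correlation that this per-line pass does not attempt.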

If you're running Marimo below 0.23.0, this is the flaw now on CISA's active-exploitation list. Beyond the patch: if you're building tools that hand an LLM agent access to a shell or a credential store, the behavioral fingerprint Sysdig documented is what adversarial agent execution looks like in the wild.

---

Attacker-controlled web content can surface inside ChatGPT's interface as trusted assistant output

Permiso Security / P0 Labs — Andi Ahmeti (May 29, 2026); The Hacker News (May 29, 2026)

If your research workflow includes asking ChatGPT to summarize pages you browse, Permiso Security researcher Andi Ahmeti's May 29 disclosure names a gap in that surface. The chatgpt.com response renderer auto-fetches Markdown images and renders Markdown links from summarized third-party pages as live, clickable elements inside the assistant's UI. An attacker who controls a page you summarize can inject phishing links, spoofed account-security alerts, or QR codes — and those elements appear inside the trusted assistant interface, not in the original page.

The technique, named ChatGPhish by Permiso, requires only two conditions: the victim visits an attacker-controlled page, and uses ChatGPT's "Summarize page" feature in Firefox. No email attachment. No suspicious link click on the victim's part. The QR code variant bypasses desktop URL inspection entirely — the destination is never displayed in plaintext before a mobile device scans it.

There's a second channel in the same attack: the renderer auto-fetches images from attacker-hosted URLs on every render. That auto-fetch leaks the victim's IP address, User-Agent, and Referer to the attacker's server — passively, without any click required.

Permiso filed the initial report to OpenAI via Bugcrowd on April 29, 2026. OpenAI closed it on May 1 as a duplicate of a previously reported issue. No confirmed patch has shipped as of the Permiso publication date.

If you're building agents that fetch third-party web content and render a summary into a trusted interface — your own product, not ChatGPT specifically — the attack shape here is the relevant thing to examine: attacker-controlled content reaching your renderer and being presented as your agent's output.
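Both channels described above come down to one renderer decision: whether Markdown that originated in third-party content is allowed to fetch remote images and emit live links. The following is an added example of the defensive pass such a renderer can apply before display; it is not code from Permiso, OpenAI or ChatGPT. It replaces every remote image with a labelled placeholder (so nothing is fetched on render and no IP, User-Agent or Referer leaves the client) and turns links into plain text that shows the real destination host, flagging link text that itself looks like a different domain. The sample summary, hostnames and the domain-likeness heuristic are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a summary containing untrusted Markdown (not taken from
# the Permiso write-up): a tracking image, a phishing-style link whose text
# hides its destination, and a link whose text imitates another domain.
UNTRUSTED_SUMMARY = (
    "Quarterly results were strong.\n"
    "![](https://tracker.example.net/pixel.png?id=123)\n"
    "Please [verify your account](https://login-example.net/reset) soon.\n"
    "Source: [example.com](https://example-com.evil.net/report)\n"
)

IMAGE_RE = re.compile(r"!\[([^\]]*)\]\(([^)\s]+)[^)]*\)")
LINK_RE = re.compile(r"(?<!!)\[([^\]]+)\]\(([^)\s]+)[^)]*\)")


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def neutralize_image(m: re.Match) -> str:
    # Never fetch: the image becomes a placeholder naming only the host, so the
    # render itself sends no request to attacker-controlled infrastructure.
    return f"[image omitted: {_host(m.group(2)) or 'invalid-url'}]"


def neutralize_link(m: re.Match) -> str:
    text, url = m.group(1), m.group(2)
    host = _host(url)
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https") or not host:
        return text  # javascript:, data:, relative and malformed targets are dropped
    # Render as plain text with the true destination host beside it; if the
    # link text itself reads like a domain that differs from the host, flag it.
    text_host = text.strip().lower()
    looks_like_domain = re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", text_host) is not None
    mismatch = looks_like_domain and text_host != host
    flag = " [!link text does not match destination]" if mismatch else ""
    return f"{text} ({host}){flag}"


def sanitize_summary(md: str) -> str:
    """Strip remote images and live links from Markdown that came from third-party content."""
    md = IMAGE_RE.sub(neutralize_image, md)
    md = LINK_RE.sub(neutralize_link, md)
    return md


if __name__ == "__main__":
    print(sanitize_summary(UNTRUSTED_SUMMARY))
```

The design choice is to treat provenance, not content, as the gate: anything the agent fetched from a page it did not author is passed through this step, while content the product itself generated is not. Where images from summarized pages are a product requirement, the placeholder can point at a same-origin proxy that fetches on the user's explicit click, which keeps the passive-leak channel closed without losing the feature.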