Marimo notebook and downstream SSH bastion hit by data theft breach
Incident
Summary
A Marimo notebook compromise led to credential theft, SSH access, and exfiltration of an internal PostgreSQL database, expanding a single initial intrusion into deeper post-compromise access. The intrusion began with exploitation of CVE-2026-39987 against the notebook; harvested cloud credentials and an SSH key retrieved from AWS Secrets Manager then provided the path to a downstream SSH bastion server. The attack chain was recorded on May 10, 2026 and, at the bastion stage, comprised eight SSH sessions plus the database theft, all completed in under two minutes.
Related Happenings
Marimo CVE-2026-39987 exploitation wave
Exploitation Wave
First: 12.04.2026 17:20
Last: 12.04.2026 17:20
Sources 1
How related:
The security defect has since come under active exploitation, with threat actors using it to initiate manual reconnaissance against honeypot systems and attempt to harvest sensitive data.
About this happening:
**Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
Marimo pre-authenticated RCE exploited (CVE-2026-39987)
Vulnerability
First: 10.04.2026 10:37
Last: 10.04.2026 10:37
Sources 1
How related:
CVE-2026-39987 refers to a critical pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including 0.20.4.
About this happening:
**Marimo**'s **CVE-2026-39987** now exposes internet-facing **/terminal/ws** instances to **unauthenticated remote code execution**, creating a path to a **full PTY shell** on aff...
Crimson Collective campaign expands across multiple victims
Campaign
First: 08.10.2025 20:33
Last: 08.10.2025 20:33
Sources 1
About this happening:
**Crimson Collective** is running an active **AWS cloud extortion campaign** that targets cloud environments to steal data and pressure companies for payment. The operation has be...
Timeline
- 29.05.2026 17:39 · 2 articles
  Unknown threat actor exploits Marimo notebook and exfiltrates PostgreSQL data
  Exploitation Observed: On May 10, 2026, an unknown threat actor compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials, used the harvested AWS access key to reach AWS Secrets Manager, retrieved an SSH private key, opened eight SSH sessions to a downstream SSH bastion server, and exfiltrated the schema and full contents of an internal PostgreSQL database in under two minutes.
  Sources:
  - Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit — thehackernews.com — 29.05.2026 17:39
- 29.05.2026 17:39 · 1 article
  Sysdig discloses LLM-assisted post-exploitation of a Marimo notebook
  Initial Disclosure: Sysdig details an intrusion chain in which an unknown threat actor used a large language model agent after exploiting CVE-2026-39987 against a publicly reachable Marimo notebook, stealing cloud credentials, retrieving an SSH private key from AWS Secrets Manager, opening eight SSH sessions to a downstream bastion, and exfiltrating an internal PostgreSQL database.
  Sources:
  - Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit — thehackernews.com — 29.05.2026 17:39