Cyber AI Chronicle
By Simon Ganiere · 31st May 2026
Welcome back!
Last week the argument was that the AI infrastructure layer is sitting outside most asset inventories. This week the bill arrived, and it came from one layer higher than ChromaDB. The orchestration tier. A critical RCE in Flowise, the open-source LLM flow-builder, traced to an unsafe serialisation flaw in an MCP adapter. A pre-auth RCE in Marimo notebooks that an attacker chained into the first cleanly documented case of an LLM agent running a full intrusion on its own. A symlink trick called SymJack that worked against every major AI coding agent it was tested on.
The pattern is not "AI got more dangerous." The pattern is that the plumbing we bolted under our AI features in the last eighteen months, the notebooks, the agent runtimes, the MCP servers, has the operational hygiene of a side project. Because most of it was one.
If you have been enjoying the newsletter, it would mean the world to me if you could share it with at least one person 🙏🏼 and if you really really like it then feel free to offer me a coffee ☺️
AI Threat Tempo
🛡️ AI System Vulnerabilities: ↑ +17% (7 vs 6) Significance: Volume steady, target moved. The flaws this week are in the systems AI runs on, not the prompts users type.
📜 AI Governance & Defensive Innovation: ↑↑ +200% (6 vs 2) Significance: Regulators are now writing the patch-window collapse into guidance. The vendor commentary alongside it is mostly positioning.
🔗 AI Supply Chain & Developer Tool Abuse: ↑↑↑ +400% (5 vs 1) Significance: Last week the persistence lived inside Claude Code installations. This week the developer's agent is the delivery system, not the victim.
🤖 AI-Enabled Social Engineering: ↑↑ +200% (3 vs 1) Significance: A state-affiliated operator doing operationally what last week's lone fraudster did opportunistically. Same move, opposite ends of the skill curve.
🦠 AI-Assisted Malware Development: ↑↑ +100% (3 vs 0) Significance: Custom tooling with LLM fingerprints is now turning up in attributed espionage, not just research decks.
🤖🏃 AI Autonomous & Agentic Attacks: ↑ +50% (3 vs 2) Significance: The thing the benchmarks worried about last week happened in production this week.
🔍 AI-Accelerated Vulnerability Exploitation: ↑ +100% (1 vs 0) Significance: Thin on confirmed incidents, heavy on institutional acknowledgement. The 12-hour clock is the policy response to AI compressing reconnaissance-to-exploit.
Interesting Stats
Under two minutes. The time the Marimo LLM agent took to exfiltrate a full PostgreSQL database, across eight parallel SSH sessions, with no pre-staged playbook. Speed is the capability, not novelty.
5 of 5. Every AI coding agent SymJack was tested against was vulnerable: Claude Code, Cursor, Gemini CLI, Grok Build and GitHub Copilot. This is a category failure, not a vendor failure.
12 hours. The new mitigation window set by India's CERT-In for actively exploited internet-facing systems, chosen explicitly because AI is collapsing the attacker timeline. The patch-window argument has become regulation.
Three Things Worth Your Attention
1. An AI Agent Ran the Whole Intrusion
An unknown actor exploited CVE-2026-39987, a pre-auth RCE in Marimo notebooks, to land on an internet-exposed instance. What happened next is the story. Rather than a human at a keyboard, an LLM agent autonomously harvested cloud credentials, queried AWS Secrets Manager for an SSH key, and pivoted through eight parallel SSH sessions into an internal PostgreSQL database, emptying it in under two minutes. Sysdig spotted the AI not from the exploit but from the behaviour: a leaked Chinese-language planning comment, machine-formatted command output, tool outputs chained into the next command. The whole thing took about an hour.
Last week the autonomous-agent concern was a simulation result from Emergence AI. Benchmarks. This week it is an incident report with a victim database. That is the line worth marking. The interesting part is not that an agent can do this, we knew that, it is the absence of a playbook. The agent improvised the lateral movement. Your detection logic, if it leans on known attacker tooling, command sequences, or dwell-time assumptions, is calibrated for a human operator who pauses to think. This one did not pause. The Monday question: does your detection trigger on behaviour and tempo, or on signatures? Because the tempo just changed and the signatures are now generated fresh each run.
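A concrete version of the tempo question, added here as an illustration and not part of the Sysdig report or the original newsletter: a sliding-window check over a constructed command log that alerts on burst rate and session fan-out rather than on any specific command. The log format, the session labels and the thresholds are assumptions for the example.

```python
from datetime import datetime, timedelta


def parse(log_text: str):
    """Parse constructed 'ISO-timestamp session event' lines (assumed format)."""
    events = []
    for line in log_text.strip().splitlines():
        ts, session, event = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), session, event))
    return sorted(events)


def tempo_alert(log_text: str, window_s: int = 60,
                min_sessions: int = 4, min_events: int = 8):
    """Sliding-window tempo check: flag any window in which many distinct
    sessions are active AND the command rate exceeds what a human operator
    who pauses to think would produce. No command signature is consulted.
    Returns (alerted, peak_distinct_sessions, peak_events_in_window)."""
    events = parse(log_text)
    peak_sessions = peak_events = 0
    alerted = False
    for i, (t0, _, _) in enumerate(events):
        in_window = [e for e in events[i:]
                     if e[0] - t0 <= timedelta(seconds=window_s)]
        sessions = {e[1] for e in in_window}
        peak_sessions = max(peak_sessions, len(sessions))
        peak_events = max(peak_events, len(in_window))
        if len(sessions) >= min_sessions and len(in_window) >= min_events:
            alerted = True
    return alerted, peak_sessions, peak_events


# Constructed samples, not real incident data: eight sessions firing
# database queries within seconds (agent-like) versus one session with
# minutes between commands (human-like).
AGENT_LOG = """\
2026-05-23T21:00:00 ssh-1 db-query
2026-05-23T21:00:01 ssh-2 db-query
2026-05-23T21:00:02 ssh-3 db-dump
2026-05-23T21:00:03 ssh-4 db-dump
2026-05-23T21:00:04 ssh-5 db-dump
2026-05-23T21:00:05 ssh-6 db-dump
2026-05-23T21:00:06 ssh-7 db-dump
2026-05-23T21:00:07 ssh-8 db-dump
"""
HUMAN_LOG = """\
2026-05-23T21:00:00 ssh-1 db-query
2026-05-23T21:03:40 ssh-1 db-query
2026-05-23T21:09:15 ssh-1 db-dump
"""
```

The same three commands appear in both logs; only the tempo and fan-out differ, which is what separates the two verdicts.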
2. The Developer's Agent Is the Delivery System Now
Adversa AI disclosed SymJack, and it is uncomfortable reading. An attacker who controls a coding agent's repo plants a disguised symlink in a project instruction file. The developer approves an innocent-looking cp, the symlink silently registers an attacker-controlled MCP server in the agent's config, and arbitrary code runs on the next restart with no further interaction. It worked against all five agents tested. Anthropic partially mitigated it in Claude Code by resolving symlinks before the approval prompt. Other vendors declined or stayed quiet. Alongside it, a malicious npm package was found lifting files straight out of the Claude user directory and pushing them to a GitHub repo, downloaded 676 times and still live at time of reporting.
Connect this to last week. The Shai-Hulud worm was writing persistence into Claude Code installations. The framing then was that the IDE is the persistence layer. This week extends it: the agent is also the execution layer and the exfiltration layer. The approval prompt, the one human control we placed in front of agentic tooling, is being routed around. If your developers run coding agents on machines that hold production credentials, and most do, then the agent's config directory and its MCP registrations belong in your incident-response scope. Audit what your agents are allowed to auto-execute after a restart. That is the gap SymJack drove through.
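The mitigation the newsletter credits to Claude Code, resolving symlinks before the approval prompt, can be expressed as a small pre-approval gate. The code below is an added illustration, not Adversa AI's finding or any vendor's implementation; the workspace layout and the ".agent" config directory name are constructed stand-ins.

```python
import os
import tempfile
from pathlib import Path


def resolve_within(path: str, workspace: str):
    """Resolve every symlink in `path` and report whether the real target
    still lies inside `workspace`. Returns (inside, resolved_path)."""
    real_ws = os.path.realpath(workspace)
    real = os.path.realpath(path)
    inside = os.path.commonpath([real_ws, real]) == real_ws
    return inside, real


def approve_copy(src: str, dst: str, workspace: str) -> bool:
    """Gate for a `cp src dst` an agent wants to run: the source, the
    destination and the destination's parent (dst may not exist yet)
    must all resolve inside the workspace, otherwise the request is
    refused before any human sees an innocent-looking prompt."""
    for candidate in (src, dst, os.path.dirname(dst) or "."):
        inside, _ = resolve_within(candidate, workspace)
        if not inside:
            return False
    return True


def demo() -> dict:
    """Constructed scenario: a workspace whose 'docs' entry is a symlink
    pointing at an assumed agent config directory outside the project."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp, "project")
        ws.mkdir()
        agent_cfg = Path(tmp, "home", ".agent")  # assumption, not a real path
        agent_cfg.mkdir(parents=True)
        (ws / "README.md").write_text("hello")
        (ws / "docs").symlink_to(agent_cfg, target_is_directory=True)
        honest = approve_copy(str(ws / "README.md"),
                              str(ws / "notes.md"), str(ws))
        hijacked = approve_copy(str(ws / "README.md"),
                                str(ws / "docs" / "mcp.json"), str(ws))
        return {"honest": honest, "hijacked": hijacked}
```

Both requests look like in-project copies on the approval prompt; only the resolved path reveals that the second one lands in the agent's config directory.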
3. State Actors Operationalised the Commercial LLM
WithSecure documented GreyVibe, a Russia-linked group hitting Ukrainian military, government and business targets since August 2025. The detail that matters is breadth. They used ChatGPT, Gemini and Ideogram across nearly the entire operation: phishing lures, fake CAPTCHA pages, honeytrap dating sites, malware and obfuscator development, infrastructure setup, post-compromise activity. WithSecure's phrase is that the AI use was operationally integrated, not experimental. The custom LegionRelay RAT is suspected LLM-built. Sloppy opsec in that tool is what let researchers watch them for months.
Put GreyVibe next to last week's bandcampro fraudster and you have the full spectrum. One was a lone, low-skilled operator who used a jailbroken model to replicate a criminal team. This is a state-affiliated group using commercial models to industrialise an espionage campaign. Same underlying move, opposite ends of the skill curve, and that is the point. AI is an efficiency multiplier across the board, not a capability handed to one tier. It does not invent new tradecraft here. The lures, the RATs, the honeytraps are all familiar. What it removes is the labour, the language barrier and the production time. Stop asking whether attackers use AI. Assume the content is AI-generated and ask whether your controls still hold when the cheap, scaled, polished version is the baseline.
SPONSORED BY
It's Monday. Every department already has context. Nobody prepped anything.
Your CFO opens Slack. There's a weekly Stripe revenue recap in #finance with a churned-accounts flag and a net-new breakdown. She didn't ask for it.
Your head of product opens Slack. There's a GitHub summary in a private channel: PRs merged, PRs stale, Linear tickets that moved. He didn't ask for it.
Your marketing lead opens Slack. There's a Google Ads performance comparison in a private channel, with a note: "Meta CPA crept up 18% this week. Might be worth pausing the broad match campaign." She didn't ask for it either.
All-hands at 10am. Everyone already knows the numbers. The meeting is about decisions, not catch-up.
That's what happens when one colleague works across every tool your company uses. Not one department's assistant. The whole company's coworker.
Viktor lives in Slack. Top 5 on Product Hunt, 130 comments. SOC 2 certified. Your data never trains models.
"Not only have we caught up on several months of work, we are automating manual tasks and expanding our operations to things previously not possible at scale." - Jesse Guarino, Director, Torque King 4x4
In Brief: AI Threat Scan
🛡️ AI System Vulnerabilities. ChatGPhish lets attackers embed payloads in any page a victim asks ChatGPT to summarise, leaking metadata and rendering phishing links and QR codes inside the trusted UI, disclosed by Permiso and reported unpatched by OpenAI.
🔗 AI Supply Chain & Developer Tool Abuse. SymJack weaponised five major AI coding agents via symlink hijacking, and a malicious npm package exfiltrated Claude user-directory files to GitHub.
🤖🏃 AI Autonomous & Agentic Attacks. The Marimo intrusion is the first cleanly documented LLM agent running multi-stage post-exploitation with no human in the loop; Flowise's RCE hands attackers a ready agent runtime.
🤖 AI-Enabled Social Engineering. GreyVibe ran ChatGPT, Gemini and Ideogram across the full chain against Ukraine, the AI use judged operationally integrated.
📜 AI Governance & Defensive Innovation. India's CERT-In set a 12-hour mitigation clock citing AI-compressed timelines; CrowdStrike and The Hacker News added shadow-AI framing.
🔍 Worth a glance. PAN-OS GlobalProtect CVE-2026-0257 is under active exploitation, relevant where that VPN fronts AI services.
Patch Now: AI-Relevant CVEs This Week
| CVE | Product | CVSS | Type | Status | AI Relevance | Patch |
|---|---|---|---|---|---|---|
| CVE-2026-40933 | Flowise (LLM orchestration) | 9.9 | RCE via unsafe MCP adapter serialisation | 🟡 PoC public, no known exploitation | Compromise of the agent runtime exposes every connected model, credential and tool | ✅ Fixed in v3.1.0; self-hosted < 3.1.0 vulnerable by default |
| CVE-2026-39987 | Marimo notebooks | Critical | Pre-auth RCE, chained to autonomous LLM-agent post-exploitation | 🔴 Actively exploited | First documented agent-run intrusion; AI runtime as initial access | ✅ Upgrade above v0.20.4 |
| No CVE | ChatGPT web summaries (ChatGPhish) | n/a | Indirect prompt injection / phishing surface | 🟡 PoC public, OpenAI fix unconfirmed | Production AI feature turned into a phishing delivery channel | ❌ Assume unpatched; treat AI summaries as untrusted output |
| No CVE | AI coding agents (SymJack) | n/a | Symlink hijack registering rogue MCP server | 🟡 PoC public | Five agents confirmed vulnerable; agent config as code-exec path | 🟡 Claude Code partially mitigated; others outstanding |
The urgent item is Marimo CVE-2026-39987, the only one with confirmed in-the-wild exploitation and the only one already chained to an autonomous agent. Flowise has no known exploitation yet but the exploit code is public and 9.9 RCE in an agent runtime will not stay quiet, so patch it in the same cycle, not the next one.
The Bottom Line
The connective thread from last week holds and tightens. The lesson then was that vector databases and agent sandboxes were missing from asset inventories. The lesson this week is that the layer above them, the orchestration runtimes and coding agents, is missing too, and it is already being exploited rather than merely exposed. Flowise, Marimo, ChatGPhish and SymJack are not four unrelated bugs. They are the same finding repeated: we shipped AI plumbing faster than we built the operational hygiene to run it.
What is genuinely new is the Marimo intrusion. An LLM agent ran a multi-stage attack, improvised the lateral movement, and emptied a database in under two minutes with no pre-staged playbook. Last week that was a simulation. This week it is an incident. Mark that transition, because your detection assumptions were built for a human who hesitates.
What looks scarier than it is: the flood of named AI vulnerability research. ChatGPhish, SymJack, ClaudeBleed, TrustFall, all in one week. That is researchers getting faster at finding this class of flaw, which is detection improving, not the sky falling. The one with a confirmed victim is the one that counts.
The Monday provocation. Pull the list of every AI agent and orchestration runtime your engineers have stood up. Flowise, Marimo, coding agents, MCP servers, the lot. Then answer two things by Tuesday lunch: which of them can execute code after a restart without a human approving it, and which of them hold credentials to anything you would not want emptied in under two minutes. If you cannot answer, you have an AI strategy and not an AI asset register. One is a deck. The other is what gets exploited at 9pm on a Saturday.
Wisdom of the Week
Watch your thoughts, they become your words.
Watch your words, they become your actions.
Watch your actions, they become your habits.
Watch your habits, they become your character.
Watch your character, it becomes your destiny.
AI Influence Level
Level 4 - AI Created, Human Basic Idea / The whole newsletter is generated via an n8n workflow based on publicly available RSS feeds. Human-in-the-loop to review the selected articles and subjects.
Reference: AI Influence Level from Daniel Miessler
Till next time!
Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.
