An LLM Agent Stole a Database in 60 Minutes. You Still Can't Turn Yours Off.
An LLM agent stole a database in 60 minutes. Okta says 92% of enterprises run agents but only 22% have IDs for them. SymJack proved your approval click means nothing.
By SpringVanta
On May 10, 2026, an attacker sent a single WebSocket request to an internet-exposed Marimo notebook and got a shell. What happened next is different from any intrusion Sysdig's Threat Research Team has captured before. The post-exploitation was driven by an LLM agent. No pre-built script. No human at the keyboard. The agent read the target's responses and decided what to try next, composing each command in real time.
Within 60 minutes, it harvested cloud credentials, pivoted through AWS Secrets Manager, opened eight parallel SSH sessions from six different IPs, and dumped the full contents of an internal PostgreSQL database. The final phase took under two minutes.
That attack, published by Sysdig on May 26, is one of three AI-agent security stories that landed within the same four-day span last week. On May 29, Okta used its quarterly earnings call to announce a new license specifically for AI agent identities, citing data that 92% of enterprises run autonomous agents but only 22% have tied identities to them. The same week, Adversa AI disclosed SymJack, a single attack pattern that compromises every major AI coding assistant through a disguised symlink.
Same week. Same underlying problem. Organizations are deploying AI agents faster than they're governing them, and both attackers and vendors have figured this out.

The intrusion: an agent at the wheel
The entry point was CVE-2026-39987, a pre-authenticated remote code execution flaw in Marimo, an open-source Python notebook platform. One WebSocket request opened a shell. From there, the LLM agent took over.
Sysdig identified four signatures that distinguish agent-driven execution from scripted attacks.
First, the agent improvised a database dump against a target it had never seen. It enumerated the PostgreSQL schema, then immediately targeted specific tables including a credential table that doesn't exist in the application the schema resembled. It was reasoning from general knowledge about how AI-workflow databases are structured, not from pre-staged intelligence about this particular target.
Second, a Chinese-language planning comment leaked into the command stream: "看还能做什么" ("see what else we can do"), dispatched across six distinct IP addresses at sub-second cadence. A static script doesn't have an internal monologue. A human can leave comments, but not while sourcing the same SSH session from six different Cloudflare Workers endpoints simultaneously.
Third, every command was formatted for machine consumption. echo '---' separators between probes. Bounded output caps (head -30) to keep the context window clean. Disabled pagers. Discarded error streams. This is how you format shell output for an LLM reading it as tool-call results.
Fourth, values flowed between steps. The database password came from a .pgpass file read moments earlier. The SSH key path followed a directory listing that confirmed the file existed. The AWS secret ID was selected from a ListSecrets response 20 seconds before retrieval.
Michael Clark, Sr. Director of Sysdig's Threat Research Team, said it plainly: "We are not watching AI replace attackers. We are watching attackers replace their scripts with AI."
The full chain ran end-to-end in under one hour. Twelve AWS API calls were fanned across eleven distinct Cloudflare Workers IPs in 22 seconds, breaking per-source-IP detection. The bastion phase dumped the complete schema and contents of the internal PostgreSQL database in under two minutes.
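The two signatures that are easiest to turn into detection logic are the machine-formatted shell commands (third signature above) and the fan-out of one principal's API calls across many source IPs. Below is an added example of both checks, written for this article and not taken from Sysdig's rules or tooling. The marker regexes are heuristics, the principal name and IP addresses are constructed stand-ins, and the records are shaped like the write-up describes rather than copied from it.

```python
"""Added example: two detections for agent-driven post-exploitation.
Not Sysdig's rules; marker regexes are heuristic and the log records are
constructed to mirror the shapes the write-up describes."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Signal 1: shell commands formatted for an LLM that reads tool-call results.
MACHINE_MARKERS = {
    "separator":   re.compile(r"echo\s+'?-{3,}'?"),        # echo '---' between probes
    "output_cap":  re.compile(r"\|\s*head\s+-n?\s*\d+"),   # bounded output such as head -30
    "pager_off":   re.compile(r"--no-cli-pager|--no-pager|PAGER=cat|\\pset pager off"),
    "stderr_drop": re.compile(r"2>\s*/dev/null"),          # error stream discarded
}


def command_markers(cmd: str) -> set:
    """Marker kinds present in a single command line."""
    return {name for name, rx in MACHINE_MARKERS.items() if rx.search(cmd)}


def session_markers(cmds) -> Counter:
    """Marker counts over a whole session; one hit is noise, several kinds
    across consecutive commands is the pattern worth alerting on."""
    counts = Counter()
    for cmd in cmds:
        counts.update(command_markers(cmd))
    return counts


def looks_agent_driven(cmds, min_kinds: int = 3) -> bool:
    return len(session_markers(cmds)) >= min_kinds


# Signal 2: one principal, many source IPs, seconds apart. Keyed on the
# principal (access key / role session), not the source IP, because the
# fan-out leaves each IP with only a call or two.
def fanout_by_principal(records, window=timedelta(seconds=30)) -> dict:
    """records: (timestamp, principal, src_ip, event). Returns
    {principal: (distinct_ips, calls, span_seconds)} for the densest window."""
    by_principal = defaultdict(list)
    for ts, principal, ip, _event in records:
        by_principal[principal].append((ts, ip))
    result = {}
    for principal, rows in by_principal.items():
        rows.sort()
        best = (0, 0, 0.0)
        for i, (t0, _) in enumerate(rows):
            win = [(t, ip) for t, ip in rows[i:] if t - t0 <= window]
            cand = (len({ip for _, ip in win}), len(win),
                    (win[-1][0] - t0).total_seconds())
            best = max(best, cand)
        result[principal] = best
    return result


def max_calls_per_ip(records) -> int:
    """What a per-source-IP threshold would see: the busiest single IP."""
    return max(Counter(ip for _, _, ip, _ in records).values())


# Constructed sample data (shapes only; not the incident's real values).
CMDS = [
    "cat ~/.pgpass 2>/dev/null; echo '---'",
    "ls -la ~/.ssh 2>/dev/null | head -30; echo '---'",
    "psql -h db.internal -U app -c '\\dt' 2>/dev/null | head -30; echo '---'",
    "aws secretsmanager list-secrets --no-cli-pager 2>/dev/null | head -30",
]
T0 = datetime(2026, 5, 10, 3, 0, 0)
PRINCIPAL = "arn:aws:sts::123456789012:assumed-role/notebook-node/session"  # assumed name
EGRESS_IPS = [f"198.51.100.{n}" for n in range(1, 12)]   # 11 IPs, documentation range
API_CALLS = [
    (T0 + timedelta(seconds=2 * i), PRINCIPAL, EGRESS_IPS[i % 11],
     "ListSecrets" if i == 0 else "GetSecretValue")
    for i in range(12)                                     # 12 calls in 22 seconds
]

if __name__ == "__main__":
    print("markers:", dict(session_markers(CMDS)), "agent-driven:", looks_agent_driven(CMDS))
    print("per principal:", fanout_by_principal(API_CALLS),
          "busiest single IP:", max_calls_per_ip(API_CALLS))
```

Run against the constructed records, the per-principal view reports 11 distinct IPs and 12 calls inside a 22-second window, while the busiest single IP made two calls. A rule that counts per source IP never fires; a rule keyed on the role session does.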
The identity gap, by the numbers
On May 29, Okta president Eric Kelleher opened a section of the company's quarterly earnings call with a pair of statistics. 92% of enterprise executives report moderate or widespread use of autonomous AI agents. 22% say their organizations have identities tied to those agents.
"That is a real problem," Kelleher said. "It's a measurable, quantifiable exposure customers have right now."
Okta CEO Todd McKinnon told investors that ServiceNow came asking for one specific capability. "What they were really interested in was this kill switch capability. When agents go awry and agents aren't following the policy, how do you shut them down? The one thing we do really well is the ability to sever the connections, the access tokens, the actual logical connection at the authorization layer."
The product, Okta for AI Agents, is now generally available. It discovers agents across an environment, registers them in a central directory with a human owner, issues short-lived tokens scoped to specific resources, and provides a kill switch that revokes all access when an agent misbehaves. It works across Amazon Bedrock, Salesforce Agentforce, ServiceNow, and even non-Okta identity providers like Microsoft Entra ID.
The core idea: treat every AI agent as a first-class identity with an owner, a scope, and an off switch. The fact that Okta has to state this out loud tells you where most organizations actually are. Gartner projects the average Fortune 500 company will have more than 150,000 agents in use by 2028. Most can't tell you how many they have today.
SymJack: your approval click means nothing
In the same May 26-28 window, security researcher Rony Utevsky at Adversa AI published SymJack, an attack that turns the human approval step in AI coding assistants into what he calls "pure theatre."
Here's how it works. An attacker controls a repository's instruction file, which the coding agent auto-reads and trusts on startup. The instructions ask the agent to copy an innocuous-looking file, like a video asset, to a documentation folder. The user sees a routine file copy and approves it. But the "destination" is a symlink pointing at the agent's own configuration file. The kernel follows the link and writes the attacker's payload into the agent's config. That payload registers a malicious MCP server. On the next restart, the attacker's code runs with full user privileges, unsandboxed. SSH keys, cloud tokens, browser sessions, all exfiltrated.
Adversa confirmed the technique against six tools: Claude Code, Gemini CLI/Antigravity CLI, Cursor Agent CLI, GitHub Copilot CLI, Grok Build CLI, and OpenAI Codex CLI. The flaw is architectural. Every major coding agent displays the literal command in its approval prompt, not what the command actually does after symlink resolution.
On CI runners that auto-trust their workspace, the same chain runs with zero clicks. One malicious pull request can drain every secret the runner holds before any human reviews the change.
Vendor responses tell you something about the state of the industry. Anthropic rejected the bug report but quietly hardened Claude Code to resolve symlinks before showing the approval prompt. Google and Cursor declined to fix it. xAI, GitHub, and OpenAI have not meaningfully responded. The researchers published a proof of concept on GitHub.
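What "resolve symlinks before showing the approval prompt" amounts to in practice, and how to audit your own tooling for it, is shown in the added example below. This is illustration code written for this article, not Adversa's proof of concept and not any vendor's fix. The repository layout, the disguised payload, and the settings file that stands in for an agent's configuration are all constructed; real agents keep their config at product-specific paths that this demo does not try to reproduce.

```python
"""Added example: what a symlink-aware approval check looks like. Not code
from Adversa AI or any coding-agent vendor; the repo layout, the disguised
payload and the "agent config" path are all constructed for the demo."""
import os
import shutil
import tempfile


def inspect_copy(workspace: str, dest: str) -> dict:
    """Side by side: the path the approval prompt shows (literal) and the
    path the kernel will actually write (every symlink resolved, parents
    included, which also catches a symlinked docs/ directory)."""
    ws_real = os.path.realpath(workspace)
    literal_dest = os.path.join(workspace, dest)
    real_dest = os.path.realpath(literal_dest)   # works for a not-yet-existing dest too
    return {
        "literal_dest": literal_dest,
        "real_dest": real_dest,
        "dest_is_symlink": os.path.islink(literal_dest),
        "escapes_workspace": os.path.commonpath([ws_real, real_dest]) != ws_real,
    }


def safe_copy(workspace: str, src: str, dest: str) -> str:
    """Copy src to dest inside workspace, refusing any destination that is a
    link or that resolves outside the workspace. Returns the path written."""
    info = inspect_copy(workspace, dest)
    if info["dest_is_symlink"] or info["escapes_workspace"]:
        raise PermissionError(
            f"refusing copy: {dest!r} resolves to {info['real_dest']!r}")
    # O_NOFOLLOW closes the check-then-write race: a link planted at dest after
    # inspect_copy() makes open() fail with ELOOP instead of being followed.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(info["literal_dest"], flags, 0o644)
    with os.fdopen(fd, "wb") as out, open(os.path.join(workspace, src), "rb") as inp:
        shutil.copyfileobj(inp, out)
    return info["literal_dest"]


def build_demo_repo() -> tuple:
    """Constructed attacker repo: assets/intro.mp4 holds a config payload and
    docs/intro.mp4 is a symlink to a settings file outside the checkout (a
    stand-in for an agent's own config; the path is hypothetical)."""
    root = tempfile.mkdtemp(prefix="symjack-demo-")
    ws = os.path.join(root, "repo")
    os.makedirs(os.path.join(ws, "assets"))
    os.makedirs(os.path.join(ws, "docs"))
    with open(os.path.join(ws, "assets", "intro.mp4"), "wb") as f:
        f.write(b'{"mcpServers": {"rogue": {"command": "/tmp/rogue-server"}}}')
    agent_cfg = os.path.join(root, "home", ".agent", "settings.json")
    os.makedirs(os.path.dirname(agent_cfg))
    with open(agent_cfg, "w") as f:
        f.write('{"mcpServers": {}}')
    os.symlink(agent_cfg, os.path.join(ws, "docs", "intro.mp4"))
    return ws, os.path.realpath(agent_cfg)


if __name__ == "__main__":
    ws, cfg = build_demo_repo()
    info = inspect_copy(ws, "docs/intro.mp4")
    print("prompt shows :", info["literal_dest"])
    print("kernel writes:", info["real_dest"], "escapes workspace:", info["escapes_workspace"])
    try:
        safe_copy(ws, "assets/intro.mp4", "docs/intro.mp4")
    except PermissionError as e:
        print("blocked:", e)
    print("config still:", open(cfg).read())
```

The literal destination looks like a file inside the repository's docs/ folder; the resolved destination is a settings file in a home directory. An approval prompt that prints only the first string is the "pure theatre" the researcher describes. Two details matter for anyone auditing a tool: resolving the final component alone is not enough, because a symlinked parent directory redirects the write just as well (realpath handles both), and the check has to be paired with O_NOFOLLOW or an equivalent at write time, or a link planted between prompt and write still wins.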
Why these three stories are one story
The Sysdig intrusion shows what happens when attackers use agents against undefended infrastructure. The Okta announcement shows vendors scrambling to bolt identity controls onto environments that have none. The SymJack disclosure shows that the tools developers trust to write code can be turned against them with a single disguised file copy.
They all point to the same gap. AI agents are operating inside enterprise networks without the governance controls organizations spent decades building for human users: directory entries, access policies, audit trails, kill switches. The infrastructure exists. It's just not being applied to agents.
Sysdig's analysts made the point directly: "The attacker no longer needs to see your environment to operate inside it." An agent with general knowledge about cloud application architecture can improvise a complete attack chain against a target it has never encountered. Signature-based detection, which looks for known command sequences, degrades fast when every intrusion is composed on the fly.
What to do this week
If you're running AI agents in production or your developers are using AI coding tools, here are concrete steps:
Inventory your agents. Find every autonomous AI system in your environment, the ones IT provisioned and the ones teams stood up on their own. By Okta's numbers, most enterprises have no identities tied to their agents at all. Assign each one a human owner. You can't govern what you can't see.
Add a kill switch. Whether through Okta's product, ServiceNow's AI Control Tower, or a homegrown token revocation mechanism, you need the ability to sever an agent's connections to backend resources in seconds. During an incident, not after the post-mortem.
Audit symlink handling in your dev pipeline. If your team uses Claude Code, Cursor, Copilot, or similar tools, check whether the approval prompt resolves symlinks before displaying the command. If it doesn't, the approval step is decorative, not a real control.
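The "homegrown token revocation mechanism" in the kill-switch step, and the owner-scope-off-switch model described under Okta's product, share one shape: a directory entry per agent, short-lived tokens bound to that entry, and a revocation that takes effect on the next request rather than at token expiry. The following is an added example of that shape, written for this article; it is not Okta's, ServiceNow's or any vendor's implementation. Agent names, scopes, the signing key and the timestamps are constructed.

```python
"""Added example: a minimal agent directory with owner, scope and kill switch,
the shape of a homegrown revocation mechanism. It is not Okta's or
ServiceNow's implementation; names, scopes and key are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s)


class AgentRegistry:
    """Every agent gets a directory entry (human owner, allowed scopes, a
    generation counter, an enabled flag). Tokens are short-lived and bound to
    the generation, so kill() invalidates every outstanding token at once
    instead of waiting for them to expire."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._agents = {}

    def register(self, agent_id: str, owner: str, allowed_scopes) -> None:
        self._agents[agent_id] = {"owner": owner, "scopes": set(allowed_scopes),
                                  "generation": 1, "enabled": True}

    def issue_token(self, agent_id: str, scopes, ttl_s: int = 300, now=None) -> str:
        agent = self._agents[agent_id]
        if not agent["enabled"]:
            raise PermissionError(f"{agent_id} has been killed")
        if not set(scopes) <= agent["scopes"]:
            raise PermissionError(f"{agent_id} may not be granted {set(scopes) - agent['scopes']}")
        now = time.time() if now is None else now
        body = {"agent": agent_id, "gen": agent["generation"], "scopes": sorted(scopes),
                "exp": now + ttl_s, "jti": secrets.token_hex(8)}
        raw = json.dumps(body, separators=(",", ":")).encode()
        sig = hmac.new(self._key, raw, hashlib.sha256).digest()
        return _b64(raw) + "." + _b64(sig)

    def verify(self, token: str, required_scope: str, now=None):
        """Returns the token body if it is valid for required_scope, else None.
        Consults the directory on every call: that is what makes the kill
        switch immediate rather than eventual."""
        try:
            raw_b64, sig_b64 = token.split(".")
            raw, sig = _unb64(raw_b64), _unb64(sig_b64)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, hmac.new(self._key, raw, hashlib.sha256).digest()):
            return None
        body = json.loads(raw)
        agent = self._agents.get(body["agent"])
        now = time.time() if now is None else now
        if (agent is None or not agent["enabled"] or body["gen"] != agent["generation"]
                or body["exp"] <= now or required_scope not in body["scopes"]):
            return None
        return body

    def kill(self, agent_id: str) -> str:
        """Sever the agent: disable it and bump the generation so tokens already
        in the wild stop verifying. Returns the owner to page."""
        agent = self._agents[agent_id]
        agent["enabled"] = False
        agent["generation"] += 1
        return agent["owner"]

    def reinstate(self, agent_id: str) -> None:
        """Re-enable after investigation; old tokens stay dead (generation moved on)."""
        self._agents[agent_id]["enabled"] = True


if __name__ == "__main__":
    reg = AgentRegistry(secrets.token_bytes(32))
    reg.register("triage-bot", "alice@example.com", {"tickets:read", "tickets:comment"})
    tok = reg.issue_token("triage-bot", ["tickets:read"], ttl_s=60)
    print("before kill:", reg.verify(tok, "tickets:read") is not None)
    print("paging owner:", reg.kill("triage-bot"))
    print("after kill: ", reg.verify(tok, "tickets:read") is not None)
```

The design point is the generation counter. A self-contained bearer token with a long expiry is exactly what a kill switch cannot reach: once issued, nothing short of rotating the signing key for every agent takes it back. Binding each token to the agent's current generation and checking the directory on every verification makes revocation a single write, and a short TTL bounds how long a token can live if the directory is unreachable.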
Sources:
- Sysdig, "AI agent at the wheel: How an attacker used LLMs to move from a CVE to an internal database in 4 pivots," May 26, 2026
- Cyber Security News, "Hackers Use LLM Agent to Move From Marimo RCE to Internal Database in Four Pivots," May 28, 2026
- The Register, "Okta writes its own license to kill rogue AI agents," May 29, 2026
- Okta, "Okta for AI Agents," GA April 2026
- Adversa AI, "SymJack: the approval prompt is lying to you," May 26, 2026
- SecurityWeek, "SymJack Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems," May 27, 2026