AI agent steals database, makes real-time hacking decisions in less than an hour

Researchers claim to have captured one of the clearest examples yet of an AI agent independently steering a cyberattack as an LLM harvested credentials, accessed cloud services, and stole an internal database in less than 60 minutes.
- An AI agent executed a rapid, end-to-end cyberattack. Starting with a vulnerability in a Python application, hackers used an LLM to independently harvest cloud credentials, access AWS services, and steal an internal database in under 60 minutes.
- Researchers found clear evidence of AI decision-making, not just automation. Instead of blindly running a script, the attacker adapted to real-time information, made educated guesses, formatted stolen data for machine readability, and executed commands at a speed impossible for a human.
- AI won't replace human hackers entirely, but it will make attacks cheaper and more frequent. Sysdig researchers note that attackers are replacing rigid, pre-built scripts with AI agents. This significantly lowers the time, cost, and effort required to launch sophisticated cyberattacks at scale.

According to cloud security firm Sysdig, the attack began with hackers exploiting a vulnerability in a publicly exposed Marimo notebook. Marimo is an open-source Python application used for interactive data work.
After gaining access, the attackers searched the compromised system for credentials, including cloud access keys, database credentials, and other data that could potentially open the door to other systems.
Using the stolen credentials, the attackers accessed AWS services and retrieved an SSH key stored in AWS Secrets Manager. They then used that key to connect to an internal server to explore the compromised system’s environment.
Once inside the internal network, the attackers appeared to move quickly. Within 2 minutes of accessing the SSH bastion host, they had extracted the structure and contents of an internal database.
“The full attack chain – Marimo notebook compromise to internal Postgres database dump – ran end-to-end in under an hour,” said Sysdig research director Michael Clark, who detailed the findings in a blog post.
AI spider senses tingling
The timeline and several other indicators raised the threat research team’s suspicions that this might be proof of AI involvement.
While sophisticated cybercriminals have long relied on automation to move quickly after gaining access, Sysdig points to several signs suggesting that an AI agent may have been making decisions during the attack.
Researchers say the attacker appeared to make educated guesses based on limited information. In one case, it targeted a database table despite having no clear evidence it existed, with Sysdig noting that the “agent dumped it anyway, on the strength of the name alone.”
“Nothing on the bastion host or in the .pgpass connection string identified the application owning internal-db. So the database dump asserts two things the operator had no evidence for: that the database belongs to a langflow-shaped application, and that, within that shape, it contains a credential table,” said Clark.
“A pre-built script has no internal monologue”
The researchers also found what appeared to be a planning note embedded in the command history.
The command sequence began with a Chinese-language comment that translates to “See what else we can do,” followed by a series of reconnaissance commands designed to search for credentials, encryption keys, and valuable data.
“A pre-built script has no internal monologue. A human typing at a remote terminal can leave such a comment, but not while sourcing the same SSH session from six distinct IPs at sub-second cadence. That is an AI orchestrator, not a human threat actor,” Clark added.
A further clue came from the way the commands were structured: rather than behaving like a traditional script attack, many commands appeared designed to make the output easier for another system to read and understand.
Outputs were trimmed, errors were hidden, and results were separated by simple text markers called delimiters, Clark noted.
“A human running probes interactively does not insert separators, as the prompt already delimits them; a script does not need them either, since it knows what it ran. The separators only earn their keep when the consumer of the output is a different process re-parsing a flat blob,” he added.
According to Sysdig, the attack also showed signs of adapting to information as it was discovered: the attacker read information, interpreted it, and fed it into subsequent actions rather than blindly executing a predefined sequence.
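The indicators described above (one session sourced from many IPs at sub-second cadence, and commands that hide errors, trim output and insert delimiters) can be combined into a triage heuristic over shell audit logs. The Python below is an added example, not Sysdig's code or data; the record layout, regexes, thresholds, session names and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Patterns are assumptions picked to match the traits the article lists.
SHAPING = {
    "errors_hidden": re.compile(r"2>\s*/dev/null"),
    "output_trimmed": re.compile(r"\|\s*(head|tail|cut)\b"),
    "delimiter": re.compile(r"echo\s+['\"]?[-=#]{3,}"),
}

# Constructed sample records: (epoch seconds, session, source IP, command).
EVENTS = [
    (100.0, "bastion-1", "198.51.100.1", "echo '---OS---'; uname -a 2>/dev/null | head -n 2"),
    (100.4, "bastion-1", "198.51.100.2", "echo '---ID---'; id 2>/dev/null"),
    (100.7, "bastion-1", "198.51.100.3", "echo '---DISK---'; df -h 2>/dev/null | tail -n 5"),
    (101.1, "bastion-1", "198.51.100.4", "echo '===PS==='; ps aux 2>/dev/null | cut -c1-80"),
    (200.0, "admin-7", "203.0.113.9", "df -h"),
    (231.5, "admin-7", "203.0.113.9", "tail -n 50 /var/log/syslog"),
    (290.2, "admin-7", "203.0.113.9", "systemctl status nginx"),
]

def analyze(events, min_ips=3, max_gap=1.0, min_shaped=0.5):
    """Return {session: findings}; 'suspect' requires all three signals."""
    by_session = defaultdict(list)
    for ts, session, ip, cmd in sorted(events):
        by_session[session].append((ts, ip, cmd))
    report = {}
    for session, rows in by_session.items():
        times = [ts for ts, _, _ in rows]
        gaps = [b - a for a, b in zip(times, times[1:])]
        ips = {ip for _, ip, _ in rows}
        # A command is "shaped" when at least two shaping traits co-occur.
        shaped = sum(
            sum(bool(p.search(cmd)) for p in SHAPING.values()) >= 2
            for _, _, cmd in rows
        )
        gap = median(gaps) if gaps else None
        ratio = shaped / len(rows)
        report[session] = {
            "distinct_ips": len(ips),
            "median_gap": gap,
            "shaped_ratio": ratio,
            "suspect": len(ips) >= min_ips and gap is not None
                       and gap <= max_gap and ratio >= min_shaped,
        }
    return report

if __name__ == "__main__":
    print(analyze(EVENTS))
```

Requiring all three signals together keeps ordinary automation (fast but single-source) and ordinary operators (slow, unshaped commands) out of the suspect set; the thresholds should be tuned against a baseline of your own bastion traffic.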
Will AI agents eventually replace human attackers?
Sysdig does not expect this type of attack to lead to criminal operations that consist largely of AI-agent hackers. As Clark says, “We are not watching AI replace attackers. We are watching attackers replace their scripts with AI.”
And while the attack does not demonstrate new hacking techniques, the researchers believe it could make it easier to launch sophisticated attacks at scale.
“The shift this attack signals is one of cost, not capability. The bar becomes inference budget, not playbook authorship. Attacks at this level of complexity get cheaper and faster to compose, and the volume of intrusions like this one rises,” Clark concludes.