A previously unknown threat actor has leveraged a large language model agent to facilitate post-exploitation activities following the successful exploitation of a Marimo network vulnerability, specifically CVE-2026-39987. The attacker initially gained access to an internet-exposed Marimo notebook, subsequently extracting cloud credentials from the compromised system. This vulnerability, recently disclosed, has expanded the active attack surface, allowing threat actors to target exposed systems. The use of a large language model agent in this campaign highlights the evolving tactics employed by threat actors to conduct sophisticated post-compromise actions [1]. The exploitation of CVE-2026-39987 demonstrates the importance of prioritizing vulnerability remediation based on exposure and exploitation evidence. This incident matters to security practitioners as it underscores the need for prompt patching and robust security measures to mitigate the risk of similar attacks.
Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
⚠️ Critical Alert
Why This Matters
CVE-2026-39987 disclosure expands the active attack surface — prioritize based on your exposure and exploitation evidence.
References
- The Hacker News. (2026, May 29). Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit. *The Hacker News*. https://thehackernews.com/2026/05/attackers-use-llm-agent-for-post.html
Original Source
The Hacker News