Exploitation of CVE-2026-39987 in Marimo: A Multi-Stage Attack Campaign Targeting AI/ML Developer Infrastructure
Threat actors are actively exploiting CVE-2026-39987, a critical pre-authentication remote code execution (RCE) vulnerability in the marimo Python notebook platform, to deploy a new variant of the NKAbuse backdoor hosted on Hugging Face Spaces. This campaign represents a sophisticated, multi-stage attack specifically engineered to compromise AI and machine learning developer environments by leveraging their inherent access to sensitive credentials, SSH keys, and internal data pipeline infrastructure.
The attack chain combines several technical components: unauthenticated RCE exploitation, automated credential harvesting from environment variables, lateral movement into database and caching infrastructure, and command-and-control (C2) communication via the NKN blockchain protocol—a resilient, decentralized channel that presents significant detection and blocking challenges for defenders.
Vulnerability Details and Timeline
CVE-2026-39987 is a critical pre-authentication remote code execution flaw in the marimo notebook environment that permits unauthenticated attackers to execute arbitrary commands on exposed instances without requiring valid credentials or prior authentication. The corresponding GitHub Security Advisory (GHSA-2679-6mx9-h9xc) was published on April 8, 2026. Exploitation began within less than 10 hours of public disclosure, underscoring the minimal temporal buffer available to defenders following the release of technical vulnerability details.
Between April 11 and 14, 2026, Sysdig’s Threat Research Team (TRT) documented hundreds of distinct exploitation events originating from more than ten threat actor IP addresses. Activity ranged from simple single-stage RCE validation checks to extended multi-hour interactive sessions. The most sophisticated operator, identified at IP address 159.100.6.251 (located in Germany), conducted 195 distinct exploitation events over a continuous 3+ hour window, demonstrating sustained operator presence and systematic reconnaissance.
Post-Exploitation Techniques and Lateral Movement
Following successful code execution, multiple threat operators deployed systematic credential harvesting techniques. Attackers executed environment-variable scraping commands to extract sensitive materials including cloud API keys, database connection strings, and authentication tokens. This automated harvesting approach capitalized on the common practice of developers storing credentials within marimo container environments.
In observed sequences, attackers executed sophisticated reverse shell enumeration campaigns, attempting multiple shell implementations across disparate ports and protocols. Upon reverse shell establishment failure due to firewall restrictions, operators pivoted to using harvested DATABASE_URL environment variables to authenticate directly to exposed PostgreSQL instances, where they performed schema enumeration, table discovery, and configuration inspection.
A second operator successfully pivoted into Redis deployments using credentials recovered from marimo’s .env configuration file. This actor systematically iterated through all 16 logical Redis databases to enumerate and extract application keys, including active administrator sessions and asynchronous task metadata.
Additional operators employed DNS-based out-of-band (OOB) callbacks for RCE confirmation, leveraging external DNS logging infrastructure to validate code execution in environments where outbound TCP traffic was subject to firewall filtering but DNS protocol remained open. This technique represents a common evasion pattern when traditional reverse shell channels are blocked.
NKAbuse Backdoor Deployment via Hugging Face
The most significant observed activity involved an operator executing a curl | bash command pointing to a Hugging Face Space named vsccode-modetx, a deliberate typosquatting attack mimicking the legitimate “VS Code” branding. This Space hosts an installation shell script (install-linux.sh) that downloads and executes a Go-based ELF binary designated kagent, falsely presenting itself as a legitimate Kubernetes AI agent tool to blend seamlessly into developer environments.
The dropper script implements cross-platform installation logic for both Linux and macOS architectures, forcefully terminates any pre-existing kagent instances, and establishes persistence through multiple mechanisms: systemd user-level services, crontab entries for Linux systems, and macOS LaunchAgent plists. All logging activity is directed to hidden directories to minimize detection.
The payload binary itself is a UPX-packed, statically-linked Go executable whose string signatures and behavioral characteristics match NKAbuse, a cross-platform malware family that exploits the NKN blockchain protocol to establish resilient, anonymized command-and-control communications. The use of blockchain-based C2 infrastructure significantly complicates traditional network monitoring and blocking strategies, as traffic blends with legitimate peer-to-peer blockchain network activity.
Attack Campaign Significance and Strategic Implications
Prior NKAbuse campaign activity primarily targeted Linux systems through exploitation of long-patched vulnerabilities (CVE-2017-5638). The current campaign represents a significant tactical evolution, combining a contemporary pre-authentication RCE vulnerability in marimo with a Hugging Face-hosted payload specifically tailored for AI/ML developer workstations.
Developer notebook environments present exceptionally high-value compromise targets due to their typical storage of cloud platform credentials, SSH keypairs granting access to internal systems, and direct connectivity to data processing pipelines. A persistent backdoor established within such environments facilitates subsequent lateral movement and broader cloud-native infrastructure compromise.
The strategic choice to host implants on hf.space (Hugging Face Spaces) exploits the platform’s substantial institutional reputation within the AI/ML community, allowing threat actors to distribute malware while leveraging the trusted brand status of a widely-recognized AI platform. This pattern mirrors earlier observed Android RAT campaigns that similarly leveraged Hugging Face repositories for malware staging.
Defensive Measures and Mitigation Strategies
Organizations must immediately identify and remediate all marimo instances vulnerable to CVE-2026-39987, prioritizing instances exposed to internet-accessible networks or reachable from untrusted network segments. For environments unable to be upgraded within acceptable timeframes, security teams should implement multi-layered defensive controls including: strong authentication mechanisms, network-level segmentation isolating marimo from sensitive backend infrastructure, and where feasible, web application firewall rules designed to block known exploit patterns and payloads.
Threat hunting operations should focus on identifying compromise indicators including: suspicious curl | bash command execution referencing the vsccode-modetx Space, presence of ~/.kagent directories within user home folders, anomalous systemd user-level service definitions, and outbound network traffic consistent with NKN blockchain protocol activity originating from developer workstations.
Broadly, organizations should implement enhanced controls around AI/ML infrastructure and establish that domains including Hugging Face, GitHub, and PyPI should not be considered inherently trustworthy. Implementation of content inspection mechanisms, cryptographic allow-listing, and verification of downloaded artifacts from these platforms is essential to prevent supply chain compromise.
Indicators of Compromise
| Indicator | Type | Context |
| https://vsccode-modetx.hf.space/ | Payload host | Hugging Face Space; typosquats legitimate “VS Code” branding |
| https://vsccode-modetx.hf.space/install-linux.sh | Dropper URL | Shell script with three-method download fallback logic |
| https://vsccode-modetx.hf.space/kagent | Binary URL | UPX-packed NKAbuse variant; statically-linked Go ELF binary |
| bskke4.dnslog.cn | DNS oracle | Out-of-band RCE confirmation server; utilized by threat actor 203.10.98.186 |