Attackers are already exploiting CVE-2026-39987 to drop a blockchain backdoor through a fake Hugging Face Space
6 min. read 
Published on
Attackers have started exploiting CVE-2026-39987, a critical marimo vulnerability, to run code on exposed developer systems without authentication. Sysdig said it observed real attacks just 9 hours and 41 minutes after the GitHub advisory went public on April 8, 2026, which shows how quickly threat actors moved from disclosure to active abuse.
The flaw affects marimo’s /terminal/ws endpoint and allows an unauthenticated attacker to get an interactive shell, even when marimo authentication is enabled. GitHub’s advisory rates the issue as critical and says affected versions include marimo <= 0.20.4, while marimo fixed it in version 0.23.0.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
What makes this campaign stand out is the payload. Sysdig said one attacker used the marimo bug to fetch a previously undocumented NKAbuse variant, a Go-based backdoor that uses the NKN blockchain for command-and-control traffic, from a typosquatted Hugging Face Space built to look like a VS Code-related tool.
Exploitation moved fast after disclosure
Sysdig said the advisory for GHSA-2679-6mx9-h9xc went live at 21:50 UTC on April 8, and the first exploitation appeared at 07:31 UTC on April 9. That gave defenders very little reaction time before attackers started probing exposed systems.
From April 11 through April 14, Sysdig recorded 662 exploit events tied to multiple post-exploitation patterns, including credential harvesting, reverse shell attempts, DNS-based exfiltration, lateral movement to PostgreSQL and Redis, and malware delivery through Hugging Face Spaces.
There is one detail worth handling carefully. In the body of its write-up, Sysdig said it saw 11 unique source IPs across 10 countries, but the timeline section of the same post says 12 unique source IPs exploited the flaw over four days. The safer takeaway is that multiple threat actors in several countries targeted the bug within days of disclosure.
How the attack chain works
According to Sysdig, the attacker can use a simple curl request against the marimo endpoint to trigger code execution and run a shell dropper. In the observed malware case, that dropper downloaded a binary named kagent from the typosquatted Hugging Face Space vsccode-modetx.hf.space.
Sysdig said the kagent sample was a stripped, UPX-packed Go ELF file that expanded from 4.3 MB to 15.5 MB after unpacking. Researchers identified it as a new NKAbuse variant that communicates over the NKN blockchain network instead of relying on a traditional server that defenders could block more easily.
That matters because blockchain-backed command-and-control changes the defender’s problem. Sysdig said NKN uses decentralized relay nodes, which means there is no single IP address or domain that defenders can simply block to cut off the malware.
The bigger risk goes beyond the initial exploit
The marimo bug does not just let attackers run a test command and leave. GitHub’s advisory says an attacker can obtain a full interactive root shell through a single WebSocket connection, with no authentication and no user interaction required.
Sysdig said some operators moved past initial access and started pulling secrets from environment variables and local files. The observed commands targeted API keys, database credentials, SSH material, .env files, and docker-compose.yml, with examples including AWS keys, OpenAI API keys, and DATABASE_URL values.
In later stages, Sysdig saw attackers use stolen credentials to pivot into connected PostgreSQL and Redis services. That turns an exposed notebook into a possible path into cloud infrastructure, development systems, and data stores that were never meant to be publicly reachable through the notebook itself.
Persistence makes cleanup harder
Sysdig said the dropper tried three persistence methods in sequence. It created a systemd user service at ~/.config/systemd/user/kagent.service, then added a crontab @reboot entry, and finally installed a macOS LaunchAgent at ~/Library/LaunchAgents/com.kagent.plist.
The malware also redirected output to ~/.kagent/install.log, which reduced visible noise during installation and helped hide what the script was doing. Sysdig said defenders need to check all of those locations during cleanup, not just kill the running process.
Compared with earlier NKAbuse activity, Sysdig said this variant used a fresh vulnerability, trusted AI infrastructure for delivery, and a new disguise as a Kubernetes-style agent called kagent. That is a meaningful shift from older NKAbuse reporting tied to different exploit chains and targets.
Key facts
| Item | Details |
|---|---|
| Vulnerability | CVE-2026-39987 |
| Product | marimo Python notebook platform |
| Root issue | Unauthenticated access to /terminal/ws |
| Impact | Remote code execution and interactive shell |
| Affected versions | <= 0.20.4 |
| Patched version | 0.23.0 |
| Exploitation start | 9 hours 41 minutes after advisory publication |
| Observed activity | 662 exploit events from April 11 to April 14 |
| Malware | New NKAbuse variant |
| Delivery path | Typosquatted Hugging Face Space |
| C2 method | NKN blockchain network |
Sources for the table: GitHub advisory, marimo release notes, and Sysdig research.
What defenders should do now
- Upgrade marimo to version 0.23.0 or later immediately. Marimo’s own release notes say this version contains the security fix for CVE-2026-39987.
- Check for
~/.kagent/, runningkagentprocesses,kagent.service, suspicious crontab@rebootentries, andcom.kagent.pliston systems that exposed marimo notebooks. Sysdig specifically called out those artifacts. - Rotate credentials stored in environment variables or local config files on exposed instances, especially database strings, AWS credentials, and API tokens. Sysdig documented active harvesting of those values.
- Block the known Hugging Face delivery host where possible and review access to Hugging Face Spaces used in developer workflows. Sysdig identified
vsccode-modetx.hf.spaceas the observed delivery location. - Monitor for NKN-related traffic patterns and unusual outbound connections from developer hosts. The malware’s blockchain-based command channel makes ordinary blocklists less useful.
- Avoid exposing editable marimo notebooks directly to the internet. Marimo’s own release notes say run mode, non-public deployments, and external auth proxies sharply reduce exposure.
FAQ
Yes. Sysdig said it observed exploitation 9 hours and 41 minutes after the advisory was published, then recorded hundreds of exploit events over the next few days.
GitHub’s advisory says /terminal/ws skipped authentication validation, which let an unauthenticated attacker obtain a full interactive shell remotely.
Sysdig said the attacker hosted the payload on a typosquatted Hugging Face Space. That gave the campaign a delivery point on a trusted developer platform, which can make filtering and reputation-based blocking less effective.
Sysdig said the NKAbuse variant establishes persistence, hides installation output, and communicates over the NKN blockchain network for command-and-control. It can also support follow-on access and broader compromise after attackers steal credentials.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages