Critical Marimo flaw exploited to deploy NKAbuse malware

A critical Marimo vulnerability is being exploited in the wild to gain remote shell access on exposed notebook servers and deploy malware.

The flaw, tracked as CVE-2026-39987, affects Marimo’s terminal WebSocket endpoint. The endpoint can accept unauthenticated connections and spawn a PTY-backed shell, giving attackers command execution on the host running Marimo.

Marimo fixed the issue in version 0.23.0. Any publicly reachable or internally shared Marimo deployment running an older vulnerable version should be updated immediately and reviewed for compromise.

What is CVE-2026-39987?

CVE-2026-39987 is a pre-authentication remote code execution vulnerability in Marimo, an open-source reactive Python notebook used for data science, AI work, analytics, and internal apps.

The vulnerability sits in the /terminal/ws WebSocket endpoint. This endpoint should only allow authenticated users to open an interactive terminal, but vulnerable versions fail to enforce the same authentication checks used by other Marimo WebSocket endpoints.

As a result, an attacker can connect to the exposed endpoint and obtain a system shell without logging in. Commands then run with the privileges of the Marimo process, which can be especially dangerous in containers or cloud-hosted notebook environments.

Detail	Information
CVE	CVE-2026-39987
Product	Marimo Python notebook
Vulnerability type	Missing authentication on terminal WebSocket endpoint
Affected endpoint	/terminal/ws
Impact	Unauthenticated remote code execution
Patched version	Marimo 0.23.0

Why the flaw is dangerous

Notebook platforms often run close to sensitive data. A Marimo instance may contain API keys, environment files, database credentials, internal dashboards, AI models, and research datasets.

That makes pre-authentication code execution especially serious. An attacker does not need a valid Marimo account if the vulnerable terminal endpoint is reachable.

Sysdig said it observed exploitation less than 10 hours after the public advisory appeared. In one observed attack, credential theft completed in under three minutes after initial access.

How the WebSocket bug works

Marimo includes WebSocket endpoints for interactive app and notebook behavior. Other WebSocket paths enforce authentication through validation logic, but the vulnerable terminal endpoint skipped that check.

The terminal endpoint then created a pseudo-terminal session on the host. That design meant a missing authentication check did not just expose metadata or a limited API call. It exposed an interactive shell.

The official advisory says a single WebSocket connection can provide a full shell. In default Docker-style deployments, commands may run as root if the container itself runs Marimo as root.

• The attacker finds an exposed Marimo server.
• The attacker connects to the terminal WebSocket endpoint.
• The server accepts the connection without proper authentication.
• Marimo creates a PTY-backed shell.
• The attacker runs system commands on the host or container.

Exploitation moved quickly

Sysdig reported that attackers began exploiting CVE-2026-39987 within 9 hours and 41 minutes of the GitHub advisory publication. The company said no public proof-of-concept code was available at the time of the first observed attack.

This suggests attackers used the advisory details to build a working exploit quickly. It also shows that niche developer and data science tools now receive attention from threat actors almost immediately after disclosure.

The first wave focused on credential discovery. Attackers explored the environment, searched for secrets, and attempted to extract files such as .env records that often contain passwords, API tokens, and service credentials.

NKAbuse malware was later deployed

Sysdig later reported that attackers weaponized the Marimo flaw to deploy NKAbuse malware. The payloads were hosted through Hugging Face Spaces, a legitimate AI and machine learning platform.

This does not mean Hugging Face itself was breached. Attackers abused hosted infrastructure to make malicious downloads look less suspicious and to blend activity with normal AI development traffic.

NKAbuse has been associated with botnet-style activity, command execution, and distributed denial-of-service capabilities. Its use in this campaign shows how quickly an exposed notebook server can become part of broader attacker infrastructure.

Risk area	Why it matters
Notebook secrets	Marimo environments may contain API keys, tokens, and database credentials.
Cloud workloads	Compromised notebooks may expose cloud metadata, storage, and service accounts.
Internal dashboards	Attackers may reach internal apps or analytics systems through trusted hosts.
AI datasets and models	Research data, model files, and proprietary workflows may be exposed.
Container privileges	Containers running as root can increase the impact of command execution.

Who needs to patch first?

Any organization running Marimo in edit mode should check its version immediately. Internet-facing deployments need urgent attention because attackers are already scanning and exploiting exposed servers.

Internal deployments also matter. A vulnerable Marimo instance inside a trusted network can become a useful foothold if an attacker already has limited access through phishing, stolen VPN credentials, or another exposed service.

Teams using Marimo for AI development, machine learning prototypes, internal analytics, education, or research should not assume small-scale deployments are safe. The observed exploitation shows attackers can target less common tools rapidly.

Recommended mitigation steps

The main fix is to upgrade Marimo to version 0.23.0 or later. Teams should not rely only on network obscurity or temporary firewall rules if they can patch.

Administrators should also avoid exposing Marimo edit servers directly to the internet. If remote access is needed, place the service behind a VPN, identity-aware proxy, or authenticated reverse proxy.

Because active exploitation has occurred, organizations should review exposed instances for credential theft, persistence, malware downloads, and unusual shell activity.

1. Identify all Marimo deployments, including containers, cloud notebooks, and internal apps.
2. Upgrade Marimo to version 0.23.0 or later.
3. Remove direct public access to Marimo edit servers.
4. Restrict access through VPNs, authenticated reverse proxies, or private networks.
5. Run containers as non-root where possible.
6. Review logs for connections to /terminal/ws.
7. Search for suspicious shell commands, downloaded payloads, and new startup scripts.
8. Rotate secrets stored in notebooks, environment files, and related cloud services.

What defenders should hunt for

Security teams should treat vulnerable exposed Marimo instances as potentially compromised. The exploitation path gives attackers a shell, so post-exploitation activity can vary widely.

Useful signals include unexpected WebSocket traffic, shell processes spawned from the Marimo server process, access to .env files, unusual outbound downloads, and attempts to reach cloud metadata services.

Teams should also review notebook directories and project folders for new scripts, cron jobs, SSH keys, persistence files, and modified Python files.

Hunt area	What to check
WebSocket logs	Connections to /terminal/ws from unknown IP addresses.
Process activity	Shells or command interpreters spawned by Marimo.
Secrets access	Reads of .env, cloud credential files, SSH keys, and API token files.
Network traffic	Outbound downloads from unusual hosting services or unknown URLs.
Persistence	New cron entries, startup scripts, services, or modified shell profiles.

Why AI and data science tools are now bigger targets

AI and data science environments often combine code execution, cloud access, internal data, and developer credentials. That makes them valuable even when the tool itself is not a major enterprise platform.

Attackers increasingly monitor advisory feeds for vulnerabilities in open-source tools used by developers, researchers, and data teams. Once a critical bug includes enough technical detail, exploitation can begin within hours.

CVE-2026-39987 shows why notebook servers should be treated like production systems. They need authentication, patching, network controls, least-privilege containers, and active monitoring.

FAQ