A critical vulnerability identified as CVE-2026-39987 in the marimo Python notebook platform is being actively exploited by cybercriminals. This flaw allows unauthorized remote code execution, serving as a gateway for attackers to install a blockchain-powered backdoor on systems used by developers. This vulnerability is being used to disseminate a new variant of the NKAbuse malware through a fraudulent Hugging Face Space.
Rapid Exploitation and Impact
The vulnerability was publicly disclosed in advisory GHSA-2679-6mx9-h9xc on GitHub on April 8, 2026. Within less than 10 hours, initial exploitation attempts were recorded. Between April 11 and April 14, 2026, attackers originating from 11 distinct IP addresses across 10 countries executed 662 exploit attempts targeting accessible marimo instances. This quickly evolved into a comprehensive campaign against AI developer environments.
Research conducted by Sysdig’s Threat Research Team (TRT) documented the incidents, noting four key post-exploitation activities: credential harvesting, reverse shell attempts, DNS-based data exfiltration, and the deployment of an undocumented NKAbuse variant. The rapid weaponization of this vulnerability highlighted multiple threat actors independently leveraging the same flaw shortly after its disclosure.
Details of the Attacks
Among the most concerning developments was the deployment of a Go-based backdoor named kagent via a typosquatted Hugging Face Space called vsccode-modetx. This tool masqueraded as a legitimate VS Code extension. Attackers used a simple curl command to exploit marimo endpoints, executing a shell dropper that downloaded the kagent binary to victim systems. At the time of the attack, the Hugging Face domain was flagged as safe by 16 reputation sources, allowing the payload to bypass many security measures undetected.
The attack’s repercussions extended beyond individual notebooks, as attackers gained access to connected databases and services such as PostgreSQL and Redis. They exploited environment variables to extract AWS access keys, database connection strings, and OpenAI API tokens, illustrating how a single compromised marimo instance could endanger wider cloud infrastructure.
NKAbuse Variant Features and Mitigation
The kagent backdoor is a compressed Go ELF file that expands from 4.3 MB to 15.5 MB, communicating with a command-and-control server via the NKN blockchain network. This decentralized approach, using relay nodes, means there is no single IP or domain to block, and C2 traffic blends seamlessly with typical blockchain activity, complicating detection.
The persistence of the backdoor is maintained through three methods: a systemd user service, a crontab entry, and a macOS LaunchAgent. All outputs are hidden in a specific log file, making conventional monitoring ineffective. To fully eradicate this threat, defenders must inspect all three potential persistence locations.
Sysdig TRT advises immediate updates to marimo to version 0.23.0 or later, as this vulnerability requires no authentication and is actively being targeted. Additionally, they recommend searching for specific directories and system entries related to kagent, blocking known malicious URLs, rotating credentials, monitoring network traffic for suspicious patterns, and restricting access to verified Hugging Face publishers.
