CVE-2026-39987, a pre-authentication RCE in Marimo’s /terminal/ws WebSocket endpoint, moved from advisory to active exploitation in 9 hours and 41 minutes on April 8–9, 2026. Sysdig observed the first in-the-wild attack at 07 UTC on April 9, with a full credential-theft operation — including .env extraction and API key harvesting — completing in under three minutes. By April 11–14, the same access vector had generated 662 exploit events across 12 source IPs in 10 countries, culminating in a new NKAbuse backdoor variant fetched from a Hugging Face typosquat. The incident signals that AI and data-science tooling now faces same-day exploitation windows and that trusted model-hosting infrastructure is being systematically repurposed for payload staging.

The Vulnerability: Pre-Auth RCE in Marimo’s /terminal/ws Endpoint

The flaw resides in the terminal WebSocket handler, which failed to enforce authentication before accepting commands. Versions 0.20.4 and below are affected; the Marimo team patched it in release 0.23.0. Because Marimo notebooks are frequently run on local ports that are then exposed to the internet for collaboration or remote development, a pre-auth RCE on the terminal path gives an attacker the same privileges as the notebook process — which often include cloud credentials, database connections, and write access to the working directory.
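To make the bug class concrete, here is an added illustration (not Marimo's code) of an ASGI-style terminal WebSocket handler that accepts the upgrade before any authentication check, beside a version that validates the session token first and refuses the upgrade otherwise. The token value, the cookie/query-string names and the simulated ASGI scope are constructed for this example.

```python
import asyncio
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SERVER_TOKEN = "constructed-session-token"  # constructed; a real server generates one per run

def _token_from_scope(scope):
    """Read the session token from ?token=... or from a 'session' cookie."""
    qs = parse_qs(scope.get("query_string", b"").decode())
    if qs.get("token"):
        return qs["token"][0]
    for name, value in scope.get("headers", []):
        if name == b"cookie":
            jar = SimpleCookie()
            jar.load(value.decode())
            if "session" in jar:
                return jar["session"].value
    return None

def _authorized(scope):
    token = _token_from_scope(scope)
    return token is not None and hmac.compare_digest(token, SERVER_TOKEN)

async def vulnerable_terminal_ws(scope, receive, send):
    """Bug pattern: the upgrade is accepted (and a shell would start) with no auth check."""
    await receive()                              # websocket.connect
    await send({"type": "websocket.accept"})
    return "terminal-started"                    # a real handler would spawn a pty here

async def hardened_terminal_ws(scope, receive, send):
    """Fix pattern: validate the session before accept; otherwise close with 1008."""
    await receive()
    if not _authorized(scope):
        await send({"type": "websocket.close", "code": 1008})  # policy violation
        return "rejected"
    await send({"type": "websocket.accept"})
    return "terminal-started"

def simulate(handler, query=b"", cookie=None):
    """Drive a handler with a constructed ASGI websocket scope; returns (outcome, sent)."""
    headers = [(b"cookie", cookie.encode())] if cookie else []
    scope = {"type": "websocket", "path": "/terminal/ws", "query_string": query, "headers": headers}
    sent = []
    async def receive():
        return {"type": "websocket.connect"}
    async def send(message):
        sent.append(message)
    return asyncio.run(handler(scope, receive, send)), sent
```

The point of the hardened variant is ordering: the authorization decision happens before the socket is accepted, so an unauthenticated client never reaches the code path that would create a terminal.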

The Timeline: From Disclosure to Exploitation in 9 Hours 41 Minutes

The advisory was published at 21 UTC on April 8, 2026. At 07 UTC on April 9 — exactly 9 hours and 41 minutes later — Sysdig’s threat detection pipeline logged the first exploitation attempt. The attacker did not probe for days or wait for a public proof-of-concept. According to Sysdig, the exploitation session progressed directly to credential harvesting, extracting environment files and API keys in under three minutes. This speed suggests the adversary developed or adapted an exploit from the advisory text alone, without needing an intermediate public exploit release.

The Campaign: 662 Events, Lateral Movement, and Credential Harvesting

The initial April 9 event was not an isolated incident. During a subsequent monitoring window of April 11–14, Sysdig recorded 662 exploit events originating from 12 unique source IPs across 10 countries. The attackers moved beyond initial access to lateral movement through PostgreSQL and Redis services reachable from the compromised hosts. Sysdig is the sole public source for these exploitation figures as of April 23, 2026; no independent outlet has corroborated the counts.
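A team reviewing its own Marimo access logs after this advisory will want the same two numbers Sysdig reports: how many terminal WebSocket upgrades completed, and from how many distinct source addresses. This added example (not from Sysdig or the Marimo project) computes both over constructed combined-format log lines; the IPs are from documentation ranges and the timestamps are invented.

```python
import re
from collections import Counter

# Constructed combined-format access log; a completed upgrade shows as status 101,
# while an ASGI server that closes before accepting reports 403 instead.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Apr/2026:09:14:51 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets/12"
192.0.2.10 - - [09/Apr/2026:09:14:53 +0000] "GET /api/kernel/status HTTP/1.1" 200 512 "-" "python-websockets/12"
198.51.100.7 - - [11/Apr/2026:13:21:02 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Go-http-client/1.1"
203.0.113.5 - - [11/Apr/2026:13:25:40 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 101 0 "-" "Go-http-client/1.1"
203.0.113.5 - - [11/Apr/2026:13:26:01 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "Go-http-client/1.1"
192.0.2.44 - - [12/Apr/2026:02:05:33 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def terminal_ws_upgrades(log_text):
    """Return only the requests where the /terminal/ws upgrade succeeded (HTTP 101)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?")[0] == "/terminal/ws" and rec["status"] == "101":
            hits.append(rec)
    return hits

def summarize(log_text):
    """Event count and per-source-IP breakdown of completed terminal upgrades."""
    hits = terminal_ws_upgrades(log_text)
    per_ip = Counter(h["ip"] for h in hits)
    return {"events": len(hits), "unique_ips": len(per_ip), "per_ip": dict(per_ip)}
```

Any completed upgrade on a host running an affected version deserves triage as a likely shell session, since the endpoint required no credentials.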

The Payload: NKAbuse, NKN Blockchain C2, and the ‘kagent’ Disguise

After establishing access, the attackers deployed a new variant of the NKAbuse backdoor. The binary was disguised as kagent, a name that mimics a legitimate Kubernetes agent, and was UPX-packed to evade static detection. The payload was written in Go.

For command-and-control, the variant used the NKN (New Kind of Network) blockchain protocol. NKN enables NAT traversal via WebRTC, ICE, and STUN, which allows the botnet to reach infected hosts even when they sit behind firewalls or residential routers without port forwarding. The C2 traffic was structured around heartbeat and shell-output messaging, giving the operators persistent, interactive access that does not rely on a single, takedown-vulnerable domain or IP.

The Staging Vector: Why Hugging Face’s Clean Reputation Is the Point

The kagent binary was fetched from a Hugging Face Space named vsccode-modetx, a VS Code typosquat that scored 0/16 on reputation checks. The Space functioned as static file hosting; no machine-learning model was compromised or involved in serving the payload. The significance is infrastructural, not technical: Hugging Face carries a clean reputation with security teams, and its domains are rarely blocked by corporate proxies. By staging the binary there, the attackers borrowed that trust. This is not a model-distribution failure; it is the repurposing of a trusted platform for malware delivery.

What This Means for AI/ML Infrastructure Patching

The 9h41m window from advisory to exploitation compresses the viable patch cycle from days to hours. For teams running notebook environments — whether Marimo, Jupyter, or similar — on internet-facing endpoints, the traditional weekly dependency update cadence is no longer sufficient. The advisory itself served as enough information to weaponize the bug, meaning defenders must treat the publication time as the start of active exploitation rather than the start of a planning window.

The broader pattern is equally relevant: Hugging Face joins GitHub, Docker Hub, and other trusted platforms as load-bearing infrastructure for malware staging. Security teams that whitelist or lightly monitor these domains on the assumption that they only host models or open-source code will need to revisit that posture. The NKAbuse operators did not need to compromise Hugging Face’s model serving stack; they only needed its domain reputation and its free Space hosting to distribute a backdoor that communicates over a blockchain network designed to resist takedown.

Frequently Asked Questions

Which versions of Marimo are affected by CVE-2026-39987?

Versions 0.20.4 and below are affected. The Marimo team patched the vulnerability in release 0.23.0.

How did attackers use Hugging Face in this campaign?

They staged a UPX-packed NKAbuse backdoor binary on a typosquatted Hugging Face Space named ‘vsccode-modetx’, exploiting the platform’s clean reputation to evade corporate proxy blocks. No machine-learning model was compromised.

Why is the 9h41m disclosure-to-exploitation window significant for AI tooling?

It demonstrates that adversaries can weaponize vulnerabilities in AI and data-science tooling from advisory text alone, compressing the viable patch cycle from days to hours.

What makes the NKAbuse C2 infrastructure resilient to takedown?

The variant uses the NKN blockchain protocol with WebRTC, ICE, and STUN for NAT traversal, enabling persistent access without relying on a single domain or IP address that can be blocked or seized.

Sources

  1. GHSA-2679-6mx9-h9xc: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass (primary source; accessed 2026-04-23)
  2. Marimo Release 0.23.0 — CVE-2026-39987 Fix (vendor; accessed 2026-04-23)
  3. Marimo OSS Python Notebook RCE: From Disclosure to Exploitation in Under 10 Hours (analysis; accessed 2026-04-23)
  4. CVE-2026-39987 Update: How Attackers Weaponized Marimo to Deploy a Blockchain Botnet via HuggingFace (analysis; accessed 2026-04-23)
