CVE-2026-39987: Marimo RCE and the Blockchain Backdoor Supply Chain

Authors: Cloud Security Alliance AI Safety Initiative
Published: 2026-04-18

Categories: AI Toolchain Security, Vulnerability Intelligence, Supply Chain Security

Key Takeaways

  • CVE-2026-39987 is a pre-authentication remote code execution vulnerability in the Marimo Python notebook platform (CVSS 9.3), allowing unauthenticated attackers to obtain a full interactive shell by connecting to an unprotected WebSocket terminal endpoint.
  • Active exploitation was observed within 9 hours and 41 minutes of public disclosure on April 8, 2026 — with no public exploit code required — demonstrating that threat actors are actively monitoring vulnerability disclosures targeting AI development tools [1].
  • Attackers weaponized Hugging Face Spaces as malware-hosting infrastructure, using a typosquatted Space name (“vsccode-modetx”) and a binary name (“kagent”) designed to mimic legitimate AI tooling, underscoring the growing risk of AI platform abuse in the delivery chain [2].
  • The payload is a new variant of NKAbuse, a Go-based backdoor that uses the NKN blockchain protocol for command-and-control communications — an architecture that renders traditional domain-based blocking ineffective [3].
  • All Marimo deployments running versions prior to 0.23.0 should be upgraded immediately; where immediate upgrade is infeasible, external access to the /terminal/ws endpoint must be blocked.

Background

Marimo: AI-Native Notebooks in the Development Mainstream

Marimo is an open-source, reactive Python notebook designed for modern data science and AI development workflows, and is gaining use among AI engineers and researchers as an alternative to traditional notebook environments. Unlike conventional notebooks stored as JSON, Marimo notebooks are pure Python files that execute as directed acyclic dataflow graphs — meaning cells update reactively when their dependencies change. The platform offers native SQL support, built-in large language model integration, and the ability to deploy notebooks directly as interactive web applications, features that have driven growing adoption in AI development teams [4].

This dual nature — notebook and deployed web app — is central to understanding the severity of CVE-2026-39987. When organizations deploy Marimo notebooks as accessible services, they expose a server that was designed for local development but may face broader network access in practice. The platform includes a built-in terminal accessible via a browser, intended for convenience during interactive development sessions. That terminal became the attack surface.

CVE-2026-39987: Technical Anatomy

Disclosed on April 8, 2026, CVE-2026-39987 is rated CVSS 9.3 (Critical) and affects all Marimo releases prior to version 0.23.0 [5]. The vulnerability resides in the WebSocket endpoint /terminal/ws, which provides browser-based shell access to the host running the Marimo server. Every other privileged WebSocket endpoint in Marimo correctly invokes validate_auth() to verify the client’s session before granting access. The terminal endpoint does not. Instead, it checks only whether the server is running in a mode that supports a terminal (i.e., not a sandboxed or read-only context) and whether the host platform is compatible, after which it immediately establishes a full pseudo-terminal (PTY) session [6].

The practical consequence is that any unauthenticated network client capable of reaching the Marimo server on its listening port can send a WebSocket upgrade request to /terminal/ws and receive a fully interactive shell as the operating system user running the Marimo process. No credentials, no tokens, and no prior access are required. In typical AI and data science deployments, Marimo runs as the account of the data scientist or engineer — commonly with access to API keys, model weights, training data, and database credentials stored in environment variables or adjacent configuration files — meaning the blast radius of a successful exploit can extend well beyond the notebook server itself [6].
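A simplified illustration of the check ordering described above, added here as an example and not Marimo's code: the vulnerable handler gates only on mode and platform, the fixed handler runs the session check first, and a small audit function exercises every privileged route with an anonymous request. All names (Request, Server, validate_auth, the /session/ws route, the session cookie) are constructed stand-ins.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for a WebSocket upgrade request (constructed)."""
    path: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Server:
    """Deployment state the handlers consult (constructed)."""
    mode: str = "edit"          # "edit" exposes a terminal; "run" does not
    platform: str = "linux"
    valid_sessions: set = field(default_factory=set)


def validate_auth(req, server) -> bool:
    """Session check shared by the privileged routes (stand-in, not Marimo's)."""
    return req.cookies.get("session") in server.valid_sessions


def terminal_ws_vulnerable(req, server) -> str:
    """The gap described above: only mode and platform are checked,
    so any client that reaches the listening port is granted the PTY."""
    if server.mode != "edit" or server.platform == "windows":
        return "denied"
    return "granted"


def terminal_ws_fixed(req, server) -> str:
    """Same handler with the session gate ahead of the capability checks."""
    if not validate_auth(req, server):
        return "denied"
    if server.mode != "edit" or server.platform == "windows":
        return "denied"
    return "granted"


def session_ws(req, server) -> str:
    """Stand-in for the other privileged routes, which already validate."""
    return "granted" if validate_auth(req, server) else "denied"


def audit_unauthenticated_access(routes: dict, server) -> list:
    """Regression check: hit every privileged route with an anonymous
    request and return the paths that grant access (should be empty)."""
    anon = Request(path="")
    return sorted(p for p, h in routes.items() if h(anon, server) == "granted")


VULNERABLE_ROUTES = {"/terminal/ws": terminal_ws_vulnerable, "/session/ws": session_ws}
FIXED_ROUTES = {"/terminal/ws": terminal_ws_fixed, "/session/ws": session_ws}

if __name__ == "__main__":
    srv = Server(valid_sessions={"constructed-session-id"})
    print(audit_unauthenticated_access(VULNERABLE_ROUTES, srv))  # ['/terminal/ws']
    print(audit_unauthenticated_access(FIXED_ROUTES, srv))       # []
```

The audit function is the shape of check worth keeping in a test suite: it fails the moment any privileged route stops calling the shared session validation.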

NKAbuse and the NKN Blockchain

NKAbuse is a multi-platform Go-based malware family first documented by Kaspersky’s Global Emergency Response Team in late 2023 [7]. Its defining characteristic is its command-and-control architecture: rather than contacting a fixed attacker-controlled server, NKAbuse communicates over the NKN (New Kind of Network) protocol, a decentralized blockchain-based networking layer that routes data through a global mesh of incentivized relay nodes. Traditional domain-based and IP-based blocking is ineffective against NKAbuse’s C2 architecture: because the NKN protocol routes communications through relay nodes using permanent address identifiers rather than fixed IP addresses or domain names, there is no attacker-controlled server to blacklist [8].

The 2026 Marimo campaign introduced a new NKAbuse variant with expanded remote access trojan capabilities, including interactive shell command execution, credential extraction, and DNS-based data exfiltration. The variant also incorporates WebRTC, ICE, and STUN protocols for NAT traversal, enabling it to establish persistent C2 channels even from hosts behind corporate network address translation [2].


Security Analysis

Exploitation Timeline and Campaign Scale

The Sysdig Threat Research Team, which operates honeypot infrastructure designed to detect in-the-wild exploitation of newly disclosed vulnerabilities, recorded the first confirmed exploitation attempt against CVE-2026-39987 9 hours and 41 minutes after the April 8 disclosure [1]. Notably, this occurred despite the absence of any publicly released proof-of-concept exploit code, indicating that the threat actors involved developed weaponized tooling independently — a capability that substantially compresses the window between vulnerability disclosure and active exploitation.

Between April 11 and April 14, 2026, Sysdig recorded 662 distinct exploit events originating from 11 unique source IP addresses across 10 countries [1]. The campaign was not a single targeted intrusion; it exhibited the distributed, opportunistic characteristics of automated scanning combined with manual follow-on operations. In cases where initial exploitation succeeded, credential theft was completed in under three minutes, reflecting prepared post-exploitation tooling rather than improvised tradecraft [2].

The Hugging Face Delivery Chain

Once an attacker established a shell via the CVE-2026-39987 WebSocket vulnerability, the observed attack chain proceeded through a curl-based downloader that retrieved a shell script from a Hugging Face Space named “vsccode-modetx” — an apparent near-homoglyph of “vscode-modetx,” suggesting deliberate construction to evade casual inspection of process command lines or web proxy logs [2]. Hugging Face Spaces is a platform for hosting and sharing AI applications and model demonstrations; it is widely trusted by AI development teams and is typically not subject to the same scrutiny as general-purpose file hosting services in security tooling and allowlists.

The shell script dropper downloaded a binary named “kagent” — the same name as a widely used open-source Kubernetes AI agent framework — and executed it on the compromised host. This naming choice appears designed to exploit the ambient familiarity of legitimate AI tooling names in environments where Kubernetes AI agents are routinely deployed, reducing the likelihood that security operations personnel would flag the process as anomalous [2].

Forensic analysis of the kagent binary revealed it to be a stripped Go ELF binary packed with UPX, expanding from 4.3 megabytes on disk to 15.5 megabytes at runtime [3]. Static and dynamic analysis confirmed references to the NKN client protocol library, WebRTC and ICE/STUN network primitives for NAT traversal, proxy management modules, and structured remote command handling consistent with the NKAbuse malware family. Researchers classified this binary as a previously undocumented NKAbuse variant [3].

Post-Exploitation Behavior

Incident data collected across the April campaign documented four distinct post-exploitation behavior patterns. Credential harvesting was the most common initial follow-on, targeting environment variables, configuration files, and secrets management stores accessible from within the Marimo process context. Reverse shell establishment provided attackers with a persistent interactive channel independent of the original WebSocket session. DNS-based data exfiltration was observed in a subset of cases, suggesting attackers were operating in environments where direct egress to C2 infrastructure was filtered but DNS traffic was not [1]. Finally, in the cases involving NKAbuse deployment, lateral movement to adjacent PostgreSQL and Redis instances was conducted using credentials harvested from the Marimo environment [2].

The combination of these behaviors reflects a coherent post-exploitation sequence well-suited to AI development environments: the credential-rich context of notebook servers makes harvesting immediately productive, while persistence via NKAbuse and lateral movement to adjacent databases compounds the impact. The observed sequence — exploiting the notebook server, harvesting credentials from the data science context, pivoting to data stores, and establishing persistent C2 — follows a logical progression that maximizes value extraction from an environment with privileged access to AI assets.

Why Blockchain C2 Complicates Defense

Traditional endpoint detection and network security controls that rely on indicator-based blocking are substantially less effective against NKAbuse. According to NKN’s documentation, the protocol routes communications through a global mesh of relay nodes [8], none of which individually represents the attacker’s infrastructure. There is no command-and-control domain to revoke, no IP address to null-route, and no certificate to distrust. The network’s Proof of Relay consensus mechanism incentivizes nodes to maintain availability, creating architectural resilience against disruption.

Defenders therefore need to shift their detection posture from network-level blocking toward behavioral and host-based telemetry. A process with NKN client library dependencies, unexpected outbound UDP traffic patterns characteristic of WebRTC, or the specific file system artifacts associated with this campaign (described in the Recommendations section) are each more actionable than any network indicator of compromise.

The Broader Threat to AI Development Infrastructure

This incident is consistent with a pattern observable across AI development tooling: the security assumptions embedded in locally-oriented developer tools are frequently violated when those tools are deployed as shared services or exposed to broader network access in collaborative environments. Marimo’s built-in terminal was designed to improve the local development experience; it was not designed to be an authenticated, hardened service endpoint. When the deployment model changes — as it does in team environments, cloud development platforms, and CI/CD pipelines — the attack surface expands in ways that the original design did not anticipate.

The abuse of Hugging Face Spaces as a malware delivery platform introduces a further dimension: the same collaborative AI infrastructure that enables legitimate model sharing and application deployment can be co-opted to host and distribute attack tooling. Hugging Face’s own security policies prohibit malicious content, but the platform’s scale and the trust it receives from AI development teams mean that detection and takedown cannot be assumed to be instantaneous. Security controls that blindly trust Hugging Face domains, or that exempt AI platform traffic from web proxy inspection, are exposed.


Recommendations

Immediate Actions

Organizations should treat CVE-2026-39987 as a critical-priority patch given the confirmed active exploitation and the speed of the in-the-wild timeline. Upgrading Marimo to version 0.23.0 or later resolves the vulnerability by adding authentication validation to the /terminal/ws endpoint on par with other privileged WebSocket routes [5]. For deployments where immediate upgrade is operationally infeasible, the /terminal/ws path should be blocked at the network perimeter — via a reverse proxy access control list, API gateway policy, or host-based firewall rule — as an interim measure pending scheduled maintenance.

All Marimo instances that were publicly accessible prior to patching should be considered potentially compromised and subjected to forensic review. The following artifacts are specific indicators associated with the April 2026 NKAbuse campaign and should be hunted across affected systems: the directory ~/.kagent/, systemd user service files named kagent.service, and any running process named kagent [2]. The Hugging Face Space origin domain vsccode-modetx.hf.space should be blocked at the proxy or DNS layer; credentials stored in environment variables or configuration files accessible to the Marimo process should be rotated.
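A hunt script for the three host artifacts named above, added as an example rather than tooling from the cited reports. It assumes the standard per-user systemd unit directories and a Linux-style /proc; the fixture built in demo() is constructed.

```python
import tempfile
from pathlib import Path

# Artifact names are the ones listed above; the fixture below is constructed.
ARTIFACT_DIR = ".kagent"
SERVICE_FILE = "kagent.service"
PROCESS_NAME = "kagent"
# Standard per-user systemd unit directories.
USER_UNIT_DIRS = (".config/systemd/user", ".local/share/systemd/user")


def hunt_home(home: str) -> list:
    """Return (kind, path) findings for one home directory."""
    home_path = Path(home)
    findings = []
    if (home_path / ARTIFACT_DIR).is_dir():
        findings.append(("dir", str(home_path / ARTIFACT_DIR)))
    for unit_dir in USER_UNIT_DIRS:
        unit = home_path / unit_dir / SERVICE_FILE
        if unit.is_file():
            findings.append(("service", str(unit)))
    return findings


def hunt_processes(proc_root: str = "/proc") -> list:
    """Return ("pid", <pid>) for each process whose comm name is kagent.
    proc_root is a parameter so a copied or constructed /proc can be scanned."""
    findings = []
    root = Path(proc_root)
    if not root.is_dir():
        return findings
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
        except OSError:  # process exited or not readable
            continue
        if comm == PROCESS_NAME:
            findings.append(("pid", entry.name))
    return findings


def demo() -> list:
    """Constructed fixture with all three artifacts; returns the finding kinds."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home" / "analyst"
        (home / ARTIFACT_DIR).mkdir(parents=True)
        unit_dir = home / USER_UNIT_DIRS[0]
        unit_dir.mkdir(parents=True)
        (unit_dir / SERVICE_FILE).write_text("[Service]\n# constructed fixture\n")
        proc = Path(tmp) / "proc" / "4242"
        proc.mkdir(parents=True)
        (proc / "comm").write_text("kagent\n")
        findings = hunt_home(str(home)) + hunt_processes(str(Path(tmp) / "proc"))
        return sorted(kind for kind, _ in findings)
```

On a live host, run hunt_home() over every entry under /home plus root's home and hunt_processes() with the default /proc; on a mounted disk image, point both at the image's paths.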

Short-Term Mitigations

The placement of AI development tooling within the network architecture deserves review as a result of this incident. Marimo servers and analogous notebook platforms (JupyterHub, Streamlit, Gradio) should not be directly accessible from the public internet or from untrusted internal network segments without authentication enforced at the network boundary; relying solely on application-level controls is insufficient. Network segmentation that isolates AI development environments from production databases, secrets management systems, and cloud provider credential stores reduces the lateral movement potential of exploitation events in this class.

Where Marimo is deployed as a service for multiple users, authentication should be enforced through an identity-aware proxy that validates sessions before traffic reaches the application. This provides defense-in-depth against authentication bypass vulnerabilities at the application layer by adding an independent authentication checkpoint.

Detection engineering teams should develop host-based rules for NKAbuse behavioral indicators: unexpected UPX-packed Go binaries installed in user home directories, processes with command names matching legitimate AI tooling that were not installed through managed package channels, and outbound UDP flows consistent with NKN peer-to-peer relay or WebRTC ICE negotiation originating from notebook server hosts.
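An added example (not from the source) for the first host-based indicator above: a static triage pass that flags ELF files under a home directory as UPX-packed or Go-built from well-known marker strings. It assumes the UPX magic string and the Go runtime strings named in the comments; the sample files are constructed byte strings, not real binaries.

```python
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"          # magic string UPX writes into a packed file
# Strings present in a Go binary that is unpacked (or has been unpacked).
GO_MARKERS = (b"Go build ID:", b".gopclntab", b"runtime.main")


def classify(data: bytes) -> str:
    """Return 'not-elf', 'elf-upx', 'elf-go' or 'elf-other' for a file body."""
    if not data.startswith(ELF_MAGIC):
        return "not-elf"
    if UPX_MARKER in data:
        # Packing compresses the Go strings too, so stop here: the verdict is
        # "packed binary, unpack with upx -d and re-classify" either way.
        return "elf-upx"
    if any(marker in data for marker in GO_MARKERS):
        return "elf-go"
    return "elf-other"


def scan_home(home: str, max_size: int = 64 * 1024 * 1024) -> dict:
    """Map every ELF file under a home directory to its verdict, skipping
    symlinks, files above max_size and anything that cannot be read."""
    verdicts = {}
    for path in Path(home).rglob("*"):
        try:
            if path.is_symlink() or not path.is_file() or path.stat().st_size > max_size:
                continue
            with path.open("rb") as fh:
                body = fh.read(max_size)
        except OSError:
            continue
        verdict = classify(body)
        if verdict != "not-elf":
            verdicts[str(path.relative_to(home))] = verdict
    return verdicts


def demo() -> dict:
    """Constructed fixture: three files mimicking the indicators, no real binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".kagent").mkdir()
        (home / ".kagent" / "kagent").write_bytes(
            ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 64 + UPX_MARKER + b"\0" * 32)
        (home / "bin").mkdir()
        (home / "bin" / "tool").write_bytes(
            ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 64 + b".gopclntab\0Go build ID: \"x\"\0")
        (home / "notes.py").write_bytes(b"import marimo\n")
        return scan_home(str(home))
```

Treat 'elf-upx' hits in a home directory as triage candidates, not verdicts: cross-check the file against the package manager's inventory before escalating.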

Strategic Considerations

The AI development toolchain has become a meaningful attack surface — one that combines privileged access to sensitive data, trusted infrastructure for artifact distribution, and tools that have often received less security scrutiny than equivalent production systems. Organizations building formal AI security programs should extend their vulnerability management scope explicitly to include AI development platforms, ML framework dependencies, and the infrastructure used to host and share models and notebooks. Dependency scanning applied only to production application code will miss this class of exposure.

The use of Hugging Face and similar AI platform services as trusted delivery channels for malicious payloads warrants a specific review of web proxy and network security policy exceptions granted to AI platforms. These platforms should be subject to the same outbound traffic inspection and content validation as other third-party software distribution services. The trust extended to a platform’s brand should not translate directly into reduced security scrutiny of content delivered from that platform.


CSA Resource Alignment

This incident maps directly to several areas addressed by CSA’s AI security frameworks and guidance. The MAESTRO framework for agentic AI threat modeling identifies the AI development toolchain — including notebook environments, model registries, and artifact hosting platforms — as a critical attack surface requiring explicit threat modeling. The abuse of Marimo’s terminal endpoint to gain host access, followed by lateral movement to databases and the installation of a persistent agent, follows MAESTRO’s “compromised development environment leading to agent hijacking” threat path [9].

CSA’s AI Controls Matrix (AICM), which serves as a superset of the Cloud Controls Matrix encompassing AI-specific risk domains, provides relevant controls in the areas of AI infrastructure access management, supply chain integrity for AI artifacts, and monitoring of AI platform workloads. The control domains covering identity and access management for AI tools (requiring authentication at all administrative interfaces), artifact provenance verification (requiring that AI platform downloads be validated against trusted sources before execution), and anomaly detection for AI workload behavior are all directly applicable to the mitigations recommended in this note [10].

The CSA Agentic AI Red Teaming Guide provides methodologies for testing the authentication boundaries of notebook and agent platforms — an approach directly applicable to evaluating Marimo deployments and similar AI development services [11]. CSA’s Zero Trust guidance reinforces the structural recommendation here: the implicit trust extended to internal network traffic reaching AI development services should be replaced with explicit, per-request authentication validation independent of network location.

More broadly, this incident exemplifies the risk category that CSA’s AI Organizational Responsibilities publications identify as “shadow AI infrastructure” — AI tooling deployed outside formal security review processes, operated without the security controls applied to equivalent production systems, and exposed to broader access than the tool’s security model was designed to accommodate. Maturing AI security programs must extend their governance perimeter to encompass the full AI development lifecycle, not just deployed model endpoints [12].


References

[1] Sysdig Threat Research Team. “CVE-2026-39987 update: How attackers weaponized marimo to deploy a blockchain botnet via HuggingFace.” Sysdig, April 2026.

[2] BleepingComputer. “Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face.” BleepingComputer, April 2026.

[3] CyberSecurityNews. “Attackers Weaponize CVE-2026-39987 to Spread Blockchain-Based Backdoor Via Hugging Face.” CyberSecurityNews, April 2026.

[4] marimo. “marimo — a next-generation Python notebook.” marimo, 2026.

[5] NIST National Vulnerability Database. “CVE-2026-39987 Detail.” NVD, April 2026.

[6] Endor Labs. “Root in One Request: Marimo’s Critical Pre-Auth RCE (CVE-2026-39987).” Endor Labs, April 2026.

[7] Kaspersky Global Emergency Response Team. “Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol.” Securelist, December 2023.

[8] NKN Foundation. “Introduction to NKN.” NKN Docs, 2026.

[9] Cloud Security Alliance. “Agentic AI Threat Modeling Framework: MAESTRO.” CSA, February 2025.

[10] Cloud Security Alliance. “AI Controls Matrix.” CSA, 2025.

[11] Cloud Security Alliance. “Agentic AI Red Teaming Guide.” CSA, 2025.

[12] Cloud Security Alliance. “AI Organizational Responsibilities: AI Tools and Applications.” CSA, 2025.
