
Hackers exploit Marimo flaw to deploy NKAbuse malware hosted on Hugging Face

Hackers are exploiting a critical vulnerability in the Marimo Python notebook to deploy a variant of the NKAbuse malware that is hosted on Hugging Face Spaces.

Attacks exploiting the remote code execution vulnerability (CVE-2026-39987) began last week with data theft, less than 10 hours after the technical details were publicly disclosed, according to data from cloud security company Sysdig.

Sysdig researchers continued to monitor activity related to the security issue and identified additional attacks, including a campaign that began on April 12 and abuses Hugging Face Spaces, a platform for showcasing AI applications.

Hugging Face is an AI development and machine-learning platform that serves as a hub for AI assets such as models, datasets, code, and tools shared among the community.

Hugging Face Spaces allows users to deploy and share interactive web applications directly from a Git repository, typically for demos, tools, or experiments in AI.

In the attack observed by Sysdig, the attacker created a Space named vsccode-modetx (an intentional VS Code typosquat) that hosts a dropper script (install-linux.sh) and a malware binary named kagent, an attempt to imitate the official Kubernetes AI agent tool.

After exploiting the Marimo RCE, the threat actor ran a curl command to download the script from Hugging Face and execute it. Because Hugging Face Spaces is an official HTTPS endpoint with a clean reputation, the download is less likely to trigger alerts.

The dropper script downloads the kagent binary, installs it locally, and establishes persistence via systemd, cron, or a macOS LaunchAgent.

According to the researchers, the payload is a previously undocumented variant of the DDoS-focused NKAbuse malware. Kaspersky researchers reported this malware in late 2023 and highlighted its abuse of the novel NKN (New Kind of Network) decentralized peer-to-peer network technology for data exchange.

Sysdig says the new variant acts as a remote access trojan that can run shell commands on an infected system and send the output back to the operator.

“NKN Client Protocol references, WebRTC/ICE/STUN for NAT traversal, proxy management, and structured command management – consistent with the NKAbuse family originally written by Kaspersky in December 2023,” Sysdig said in a report.

Comparison table
Source: Sysdig

Sysdig also observed other notable attacks exploiting CVE-2026-39987, including a Germany-based operator that attempted 15 reverse shell techniques across multiple ports.

They then pivoted to lateral movement, extracting database information from environment variables and connecting to PostgreSQL, where they quickly enumerated schemas, tables, and configuration data.

Another actor from Hong Kong used stolen .env credentials to target a Redis server, systematically scanning all 16 databases and dumping stored data, including session tokens and application cache entries.

Redis
Source: Sysdig

The overall takeaway is that exploitation of CVE-2026-39987 in the wild has grown in both volume and variety of tactics, so users should upgrade to version 0.23.0 or later as soon as possible.

If upgrading is not possible, it is recommended to block external access to the ‘/terminal/ws’ endpoint using a firewall, or block it completely.
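One way to verify that the block on '/terminal/ws' is actually effective, as an added example that is not from Sysdig or the Marimo project: the Python code below audits reverse-proxy access logs for external requests to that endpoint. It assumes a proxy writing Combined Log Format sits in front of the notebook and that the listed ranges are the internal networks; the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

TERMINAL_WS_PATH = "/terminal/ws"  # endpoint named in the mitigation advice
# Assumption: these ranges count as "internal"; adjust to the deployment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Combined Log Format, as written by a reverse proxy in front of the notebook.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# 101 = WebSocket upgrade accepted, i.e. the endpoint was reachable.
VERDICTS = {101: "REACHED", 401: "blocked", 403: "blocked", 404: "blocked"}

def is_external(ip_text):
    """True unless the client address falls inside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparseable client field: treat as untrusted
    return not any(ip in net for net in INTERNAL_NETS)

def audit(lines):
    """Return (timestamp, ip, status, verdict) for external hits on the endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        # Compare the path only, so query strings and a trailing slash still match.
        path = urlsplit(m["target"]).path.rstrip("/")
        if path != TERMINAL_WS_PATH or not is_external(m["ip"]):
            continue
        status = int(m["status"])
        findings.append((m["ts"], m["ip"], status, VERDICTS.get(status, "review")))
    return findings

# Constructed sample lines (documentation-range IPs), not from Sysdig's report.
SAMPLE_LOG = [
    '10.0.4.17 - - [14/Apr/2026:09:12:01 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [14/Apr/2026:09:13:44 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets"',
    '198.51.100.9 - - [14/Apr/2026:09:15:02 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 403 153 "-" "curl/8.5.0"',
    '203.0.113.45 - - [14/Apr/2026:09:16:30 +0000] "GET /api/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Any "REACHED" finding means an external client completed the WebSocket upgrade, so the firewall or proxy rule is not covering that path.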
