CyberSecurityNews

Attackers Weaponize CVE-2026-39987 to Spread Blockchain-Based Backdoor Via Hugging Face


A critical vulnerability in the marimo Python notebook platform is now being actively used by attackers to deploy a blockchain-powered backdoor on developer systems.

The flaw, tracked as CVE-2026-39987, allows remote code execution without authentication, making it a dangerous entry point for threat actors leveraging it to install a new variant of the NKAbuse malware through a fake Hugging Face Space.

The advisory, identified as GHSA-2679-6mx9-h9xc, was published on GitHub on April 8, 2026. Within just 9 hours and 41 minutes, the first active exploitation was recorded.

From April 11 to April 14, 2026, attackers from 11 unique IP addresses across 10 countries launched 662 exploit events against exposed marimo instances.

What began as early scanning quickly escalated into a full-scale, multi-actor campaign targeting AI developer workstations.

Researchers at the Sysdig TRT identified and documented these attacks as they unfolded, noting four distinct post-exploitation patterns: credential harvesting, reverse shell attempts, DNS-based data exfiltration, and deployment of a previously undocumented NKAbuse variant.

The speed of weaponization confirmed that multiple threat actors were independently targeting the same vulnerability within days of its public disclosure.

The most alarming finding was the deployment of a Go-based backdoor named kagent through a typosquatted Hugging Face Space called vsccode-modetx, built to mimic a legitimate VS Code tool.

Using a simple curl command against a marimo endpoint, the attacker pulled and executed a shell dropper that downloaded the kagent binary to the victim system.

The Hugging Face domain carried zero malicious flags across 16 reputation sources at the time, allowing the payload to bypass standard security filters without raising any alarms.

The attack impact extended beyond a single compromised notebook. Attackers quickly pivoted from exploiting marimo to accessing connected PostgreSQL databases and Redis instances using credentials pulled from environment variables.

One operator extracted AWS access keys, database connection strings, and OpenAI API tokens, demonstrating that one exposed marimo instance could open a foothold into broader cloud infrastructure.

NKAbuse Variant and Persistence Tactics

The kagent binary is a stripped, UPX-packed Go ELF file that unpacks from 4.3 MB to 15.5 MB and communicates with a command-and-control server over the NKN blockchain network.

Because the NKN protocol uses decentralized relay nodes, there is no single IP address or domain to block, and C2 traffic blends with normal blockchain activity, making detection difficult with conventional tools.

The dropper script establishes persistence using three sequential methods: first creating a systemd user service at ~/.config/systemd/user/kagent.service, then adding a crontab @reboot entry, and finally installing a macOS LaunchAgent at ~/Library/LaunchAgents/com.kagent.plist.

All output is silently redirected to ~/.kagent/install.log, hiding activity from standard process monitoring. Defenders must check all three locations to fully remove the implant.

Compared to the original NKAbuse from December 2023, this 2026 variant targets AI developer tooling using a brand-new vulnerability, uses Hugging Face for delivery, and disguises the binary as a legitimate Kubernetes agent named kagent. The original, by contrast, exploited a six-year-old Apache Struts flaw against Linux desktops and IoT devices.

The Sysdig TRT shared the following steps for defenders:

  • Update marimo to version 0.23.0 or later immediately, as the vulnerability requires no authentication and is actively targeted.
  • Hunt for the ~/.kagent/ directory, the kagent.service systemd entry, and any running kagent process on systems that ran marimo.
  • Block vsccode-modetx.hf.space at the proxy or DNS level to stop the known payload delivery URL.
  • Rotate all credentials on exposed marimo instances, focusing on DATABASE_URL, AWS keys, and API tokens stored in environment variables.
  • Monitor network traffic for NKN blockchain relay patterns that indicate active C2 communication from an infected host.
  • Audit Hugging Face Spaces and AI/ML dependencies, and restrict access to verified publishers only.
  • Deploy runtime behavioral detection, as signature-based tools cannot catch zero-detection malware hosted on trusted platforms.
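The hunt step above, together with the three persistence locations described earlier, can be scripted as one check per home directory. The following is an added example, not code from Sysdig or the article; the function names, arguments and output format are assumptions, as is the premise that the @reboot crontab line contains the string kagent.

```shell
#!/bin/sh
# Added example: hunt one home directory for the kagent artifacts named in
# the article. Function names, arguments and output format are assumptions.

# usage: hunt_kagent HOME_DIR [CRONTAB_DUMP]
#   CRONTAB_DUMP: file holding that user's `crontab -l` output.
# Prints one "FOUND ..." line per artifact; returns 1 if anything was found.
hunt_kagent() {
    home=$1
    cron_dump=${2:-}
    hits=0

    # Paths from the article: working dir, install log, systemd user unit,
    # macOS LaunchAgent.
    for rel in \
        ".kagent" \
        ".kagent/install.log" \
        ".config/systemd/user/kagent.service" \
        "Library/LaunchAgents/com.kagent.plist"
    do
        if [ -e "$home/$rel" ] || [ -L "$home/$rel" ]; then
            echo "FOUND path $home/$rel"
            hits=$((hits + 1))
        fi
    done

    # Assumption: the @reboot crontab line references a path containing "kagent".
    if [ -n "$cron_dump" ] && [ -r "$cron_dump" ] &&
       grep -Eq '^[[:space:]]*@reboot[[:space:]].*kagent' "$cron_dump"; then
        echo "FOUND cron @reboot entry mentioning kagent ($cron_dump)"
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ]
}

# Live check for the current user: home directory, crontab, process table.
hunt_kagent_live() {
    dump=$(mktemp) || return 2
    crontab -l >"$dump" 2>/dev/null || true
    rc=0
    hunt_kagent "$HOME" "$dump" || rc=1
    rm -f "$dump"
    if pgrep -x kagent >/dev/null 2>&1; then
        echo "FOUND process kagent"
        rc=1
    fi
    return "$rc"
}
```

Source the file and call `hunt_kagent_live` as each account that ran marimo, or call `hunt_kagent` against a mounted home directory and a saved crontab dump when working from a disk image.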
