A critical vulnerability in the marimo Python notebook platform, CVE-2026-39987, is being actively exploited by attackers to deploy a novel blockchain-based backdoor. Researchers have observed a rapid escalation of attacks following the public disclosure of the flaw, transforming initial scans into a broad campaign targeting AI developer workstations. The vulnerability allows for remote code execution without authentication, providing a direct pathway for threat actors to introduce malware.
The exploitation campaign began within hours of the vulnerability’s advisory being published on GitHub on April 8, 2026. Between April 11 and April 14, threat actors originating from 11 countries launched hundreds of exploit attempts against exposed marimo instances. This swift weaponization, documented by Sysdig TRT researchers, indicates a coordinated effort by multiple malicious actors to leverage the newfound weakness for installing a previously undocumented variant of the NKAbuse malware. The attacks are notable for their sophisticated delivery mechanism, utilizing a compromised Hugging Face Space to distribute the malicious payload.
Sysdig TRT researchers identified four distinct post-exploitation activities observed in the attacks: credential harvesting, reverse shell attempts, DNS-based data exfiltration, and the deployment of the new NKAbuse variant. The speed at which these activities unfolded underscores the immediate danger posed by CVE-2026-39987, highlighting the attackers’ efficiency in capitalizing on newly discovered vulnerabilities.
The most concerning aspect of this attack chain is the distribution of a Go-based backdoor, dubbed “kagent,” through a cleverly disguised Hugging Face Space. The malicious space, named “vsccode-modetx” and designed to mimic a legitimate VS Code tool, was used to trick users into downloading the malware. By issuing a simple curl command to a marimo endpoint, attackers could execute a shell dropper that downloaded the kagent binary onto the victim’s system. Significantly, the Hugging Face domain displayed no malicious indicators across numerous reputation services at the time, allowing this payload to evade standard security defenses.
NKAbuse Variant Leverages Blockchain for Command and Control
The newly identified kagent backdoor is a Go-based executable that, after unpacking, communicates with its command-and-control (C2) server over the NKN blockchain network. This decentralized approach to C2 communication makes it difficult for conventional security tools to identify and isolate infected systems: there is no single IP address or domain to block, and the traffic is camouflaged within legitimate blockchain activity.
To ensure persistence, the dropper script employs a multi-stage approach. It first establishes a systemd user service, then creates an “@reboot” entry in the crontab, and finally installs a macOS LaunchAgent. All output from the kagent’s operations is silently redirected to a log file within the ~/.kagent/ directory, effectively hiding its presence from routine monitoring. To completely remove the implant, security personnel must identify and disable all three persistence mechanisms.
This 2026 variant of NKAbuse presents a significant evolution from its predecessor, which targeted older vulnerabilities in Apache Struts. The current campaign specifically targets AI developer tools, utilizes a zero-day marimo vulnerability, leverages a trusted platform like Hugging Face for distribution, and masquerades its payload as a Kubernetes agent. This strategic shift demonstrates the adaptability of threat actors to exploit emerging technologies and platforms.
The impact of a single compromised marimo instance can extend far beyond the notebook itself. Researchers noted attackers pivoting to access connected PostgreSQL databases and Redis instances by extracting credentials stored in environment variables. In one instance, attackers successfully exfiltrated AWS access keys, database connection strings, and OpenAI API tokens. This highlights the cascading risk, where a vulnerability in one tool can provide an entry point into an organization’s broader cloud infrastructure.
Sysdig TRT has provided the following recommendations for defenders to mitigate the risks associated with CVE-2026-39987 and the subsequent NKAbuse variant:
- Update marimo to version 0.23.0 or later immediately; the vulnerability is critical and actively exploited.
- Hunt for the ~/.kagent/ directory, the kagent.service systemd entry, and any running kagent processes on systems that ran marimo.
- Block the known payload delivery URL, vsccode-modetx.hf.space, at the proxy or DNS level to prevent further infections.
- Rotate all credentials on exposed marimo instances, with a focus on DATABASE_URL, AWS keys, and API tokens stored in environment variables.
- Monitor network traffic for patterns indicative of NKN blockchain relay communication from potentially infected hosts.
- Audit Hugging Face Spaces and AI/ML dependencies, and restrict access to verified publishers only, to improve supply chain security.
- Deploy runtime behavioral detection, as signature-based tools are unlikely to catch malware hosted on trusted platforms with zero-day exploits.
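The hunt for the three persistence mechanisms and the ~/.kagent/ directory can be scripted per user account. The following is an added example, not Sysdig's or marimo's tooling; the function name `hunt_kagent`, the per-user unit and LaunchAgent directories (standard OS locations), and matching on the string "kagent" are assumptions, since the article does not give the dropper's exact file names.

```shell
#!/usr/bin/env bash
# Added example: hunt one home directory for the kagent artifacts named above.
# ~/.config/systemd/user and ~/Library/LaunchAgents are the standard per-user
# locations, assumed here; the article does not give the dropper's exact paths.

KAGENT_HITS=0

hunt_kagent() {
    home=$1        # home directory to inspect
    cron_text=$2   # that user's `crontab -l` output (may be empty)
    KAGENT_HITS=0

    # 1. Directory the implant logs to.
    if [ -d "$home/.kagent" ]; then
        echo "FOUND directory: $home/.kagent"
        KAGENT_HITS=$((KAGENT_HITS + 1))
    fi

    # 2. systemd user service.
    unit="$home/.config/systemd/user/kagent.service"
    if [ -e "$unit" ]; then
        echo "FOUND systemd user unit: $unit"
        KAGENT_HITS=$((KAGENT_HITS + 1))
    fi

    # 3. @reboot crontab entries that mention kagent.
    if printf '%s\n' "$cron_text" | grep -E '^[[:space:]]*@reboot' | grep -q 'kagent'; then
        echo "FOUND @reboot crontab entry referencing kagent"
        KAGENT_HITS=$((KAGENT_HITS + 1))
    fi

    # 4. macOS LaunchAgent plists that reference kagent (plist name unknown).
    agents="$home/Library/LaunchAgents"
    if [ -d "$agents" ] && grep -rq 'kagent' "$agents" 2>/dev/null; then
        echo "FOUND LaunchAgent referencing kagent under $agents"
        KAGENT_HITS=$((KAGENT_HITS + 1))
    fi
    return 0
}

# Check the current user, then look for a live process.
hunt_kagent "${HOME:-.}" "$(crontab -l 2>/dev/null || true)"
if pgrep -x kagent >/dev/null 2>&1; then
    echo "FOUND running kagent process"
fi
echo "persistence artifacts found: $KAGENT_HITS"
```

Run it as each account that ran marimo; a non-zero count on any of the four checks means the other persistence locations for that account need inspecting as well before the host is considered clean.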
The rapid weaponization of CVE-2026-39987 and the novel use of blockchain technology for C2 communication underscore the evolving sophistication of cyber threats. The ongoing campaign targeting AI developers suggests further evolution in attack vectors targeting machine learning workflows and infrastructures. Organizations utilizing marimo and similar development environments should prioritize immediate patching and robust monitoring to safeguard their systems against such advanced persistent threats.

