Full Report
Hackers are exploiting a critical vulnerability in the Marimo reactive Python notebook to deploy a new variant of NKAbuse malware hosted on Hugging Face Spaces. [...]
Analysis Summary
# Vulnerability: Marimo Remote Code Execution exploited to deploy NKAbuse Malware
## CVE Details
- **CVE ID:** CVE-2026-39987
- **CVSS Score:** 9.8 (Critical) - *Based on pre-auth RCE characteristics*
- **CWE:** CWE-94 (Improper Control of Generation of Code - Code Injection) / CWE-77 (Command Injection)
## Affected Systems
- **Products:** Marimo reactive Python notebook
- **Versions:** All versions prior to 0.23.0
- **Configurations:** Systems where the Marimo notebook server is exposed to the internet or untrusted networks without sufficient authentication.
## Vulnerability Description
CVE-2026-39987 is a critical pre-authentication remote code execution (RCE) flaw residing in the `/terminal/ws` endpoint of the Marimo Python notebook. The vulnerability allows an unauthenticated attacker to send specially crafted requests to the WebSocket endpoint, leading to arbitrary command execution on the host system with the privileges of the Marimo process.
## Exploitation
- **Status:** Exploited in the wild. Multiple campaigns observed, including credential theft (PostgreSQL/Redis) and NKAbuse malware deployment.
- **Complexity:** Low
- **Attack Vector:** Network
- **PoC Availability:** Publicly disclosed; technical details available.
## Impact
- **Confidentiality:** High (Full access to environment variables, `.env` files, and databases like PostgreSQL/Redis).
- **Integrity:** High (Ability to modify system files and install persistent malware).
- **Availability:** High (Ability to crash the system or use resources for DDoS via NKAbuse botnet).
## Remediation
### Patches
- **Upgrade to Marimo version 0.23.0 or later** immediately to resolve the vulnerable WebSocket handling.
### Workarounds
- **Network Filtering:** Block external access to the `/terminal/ws` endpoint using a firewall or reverse proxy.
- **Access Control:** Do not expose Marimo instances to the public internet; use VPNs or SSH tunnels for remote access.
## Detection
### Indicators of Compromise
- **Malicious Domains/Paths:** `huggingface[.]co/spaces/vsccode-modetx` (Note: Typosquat of VS Code).
- **Filenames:** `install-linux.sh`, `kagent` (NKAbuse variant).
- **Network Activity:**
  - Outbound connections to Hugging Face Spaces via `curl`.
  - Peer-to-peer traffic associated with the NKN (New Kind of Network) protocol.
  - WebRTC/ICE/STUN traffic for NAT traversal.
- **Suspicious Commands:** Multiple reverse-shell attempts and rapid enumeration of PostgreSQL or Redis databases via environment variable extraction.
### Detection Methods and Tools
- **Endpoint Monitoring:** Monitor for unauthorized `systemd`, `cron`, or macOS `LaunchAgent` persistence entries.
- **Log Analysis:** Review Marimo server logs for unusual connections to the `/terminal/ws` endpoint from unexpected IP addresses.
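The log review described above, as an added example that is not part of the original report: it scans access-log lines for requests to `/terminal/ws` from addresses outside a trusted allowlist and counts them per source. The sample lines are constructed in a generic proxy/access-log shape; the real format depends on how Marimo or the reverse proxy in front of it is configured, so the regex is an assumption to adapt.

```python
import ipaddress
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample lines in a generic access-log shape (not real Marimo or proxy logs);
# the actual format depends on the server or reverse proxy sitting in front of Marimo.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2026:10:00:01 +0000] "GET /api/kernel/status HTTP/1.1" 200 312
10.0.0.5 - - [01/May/2026:10:00:05 +0000] "GET /terminal/ws HTTP/1.1" 101 0
203.0.113.42 - - [01/May/2026:10:02:17 +0000] "GET /terminal/ws HTTP/1.1" 101 0
203.0.113.42 - - [01/May/2026:10:02:18 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 101 0
198.51.100.9 - - [01/May/2026:10:03:00 +0000] "GET / HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


class Hit(NamedTuple):
    ip: str
    ts: str
    path: str
    status: int


def find_terminal_ws_hits(log_text, trusted_networks):
    """Return accesses to /terminal/ws from outside trusted_networks; HTTP 101
    (Switching Protocols) means the WebSocket upgrade actually succeeded."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the expected shape
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path.rstrip("/") != "/terminal/ws":
            continue
        src = ipaddress.ip_address(m.group("ip"))
        if any(src in net for net in trusted):
            continue
        hits.append(Hit(m.group("ip"), m.group("ts"), m.group("path"), int(m.group("status"))))
    return hits


def hits_per_source(hits):
    """Count hits per source IP so a burst from one address stands out."""
    return dict(Counter(h.ip for h in hits))
```

Run it against the sample with `["10.0.0.0/8"]` as the trusted list and only the two hits from `203.0.113.42` remain; a non-101 status for the same path is still reported, since a refused upgrade from an unknown address is worth a look too.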
## References
- **Vendor Advisory:** hxxps[:]//www[.]sysdig[.]com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface
- **Technical Report:** hxxps[:]//www[.]bleepingcomputer[.]com/news/security/hackers-exploit-marimo-flaw-to-deploy-nkabuse-malware-from-hugging-face/
- **Malware Analysis (NKAbuse):** hxxps[:]//www[.]bleepingcomputer[.]com/news/security/new-nkabuse-malware-abuses-nkn-blockchain-for-stealthy-comms/