CVE-2026-39987 update: How attackers weaponized marimo to deploy a blockchain botnet via HuggingFace
Three days after disclosure of a critical pre-authorization remote code execution vulnerability in the marimo Python notebook platform, multiple threat actors deployed malware hosted on HuggingFace Spaces. A previously undocumented NKAbuse variant was delivered through a typosquatted HuggingFace Space, utilizing NKN blockchain for command and control. Between April 11-14, 2026, eleven unique source IPs across ten countries generated 662 exploit events. Attack patterns included reverse shell campaigns, credential extraction targeting AWS keys and API tokens, DNS exfiltration, and lateral movement to PostgreSQL and Redis databases via leaked credentials. The malware binary was disguised as a legitimate Kubernetes tool named kagent and implemented persistence through systemd services, crontab entries, and macOS LaunchAgents. This operation demonstrates threat actors specifically targeting AI/ML infrastructure and leveraging trusted platforms for malware distribution.
AI Analysis
Technical Summary
Following disclosure of a critical remote code execution vulnerability in the marimo Python notebook platform, threat actors weaponized this flaw to deploy a blockchain-based botnet via typosquatted HuggingFace Spaces. The malware, an undocumented NKAbuse variant, leveraged the NKN blockchain for command and control. From April 11-14, 2026, eleven unique IPs across ten countries generated 662 exploit events involving reverse shell access, credential theft targeting AWS and API tokens, DNS exfiltration, and lateral movement to PostgreSQL and Redis databases using stolen credentials. The malware binary masqueraded as a legitimate Kubernetes tool called kagent and maintained persistence using systemd services, crontab entries, and macOS LaunchAgents. This operation highlights targeted attacks on AI/ML infrastructure and the use of trusted platforms for malware delivery.
Potential Impact
The vulnerability enabled remote code execution without prior authorization, allowing attackers to deploy malware that facilitated reverse shell access, credential theft (including sensitive AWS keys and API tokens), DNS data exfiltration, and lateral movement within victim networks to critical databases such as PostgreSQL and Redis. The malware's persistence mechanisms increase the difficulty of detection and removal. The abuse of trusted platforms like HuggingFace Spaces for malware hosting could undermine trust in AI/ML infrastructure ecosystems.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, organizations should monitor for typosquatted HuggingFace Spaces and suspicious activity related to marimo notebook deployments. Restricting execution privileges and monitoring for persistence mechanisms such as unauthorized systemd services, crontab entries, and LaunchAgents may help mitigate impact. Review and rotate exposed credentials, especially AWS keys and API tokens, if compromise is suspected.
Indicators of Compromise
- cve: CVE-2017-5638
- ip: 111.90.145.139
- ip: 160.30.128.96
- cve: CVE-2026-39987
- ip: 185.225.17.176
- ip: 38.147.173.172
- hash: 1d36de06a6240919189cb46e0bcccc3c
- hash: bdcb5867f73beae89c3fce46ad5185be
- hash: 049c35fa746a8b86c100bf6b348ef6163b215898
- hash: 9c363fbcc86662ce15cee15e5dd16b71b769ceb4
- hash: 25e4b2c4bb37f125b693a9c57b0e743eab2a3d98234f7519cd389e788252fd13
- hash: 27c62a041cc3c88df60dfceb50aa5f2217e1ac2ef9e796d7369e9e1be52ebb64
- hash: f2960805f89990cb28898e892bbdc5a2f86b6089c68f4ab7f2f5e456a8d0c21d
- ip: 120.227.46.184
- ip: 185.187.207.193
- ip: 45.147.97.11
- ip: 60.249.14.39
- ip: 92.208.115.60
- domain: bskke4.dnslog.cn
CVE-2026-39987 update: How attackers weaponized marimo to deploy a blockchain botnet via HuggingFace
Description
Three days after disclosure of a critical pre-authorization remote code execution vulnerability in the marimo Python notebook platform, multiple threat actors deployed malware hosted on HuggingFace Spaces. A previously undocumented NKAbuse variant was delivered through a typosquatted HuggingFace Space, utilizing NKN blockchain for command and control. Between April 11-14, 2026, eleven unique source IPs across ten countries generated 662 exploit events. Attack patterns included reverse shell campaigns, credential extraction targeting AWS keys and API tokens, DNS exfiltration, and lateral movement to PostgreSQL and Redis databases via leaked credentials. The malware binary was disguised as a legitimate Kubernetes tool named kagent and implemented persistence through systemd services, crontab entries, and macOS LaunchAgents. This operation demonstrates threat actors specifically targeting AI/ML infrastructure and leveraging trusted platforms for malware distribution.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Following disclosure of a critical remote code execution vulnerability in the marimo Python notebook platform, threat actors weaponized this flaw to deploy a blockchain-based botnet via typosquatted HuggingFace Spaces. The malware, an undocumented NKAbuse variant, leveraged the NKN blockchain for command and control. From April 11-14, 2026, eleven unique IPs across ten countries generated 662 exploit events involving reverse shell access, credential theft targeting AWS and API tokens, DNS exfiltration, and lateral movement to PostgreSQL and Redis databases using stolen credentials. The malware binary masqueraded as a legitimate Kubernetes tool called kagent and maintained persistence using systemd services, crontab entries, and macOS LaunchAgents. This operation highlights targeted attacks on AI/ML infrastructure and the use of trusted platforms for malware delivery.
Potential Impact
The vulnerability enabled remote code execution without prior authorization, allowing attackers to deploy malware that facilitated reverse shell access, credential theft (including sensitive AWS keys and API tokens), DNS data exfiltration, and lateral movement within victim networks to critical databases such as PostgreSQL and Redis. The malware's persistence mechanisms increase the difficulty of detection and removal. The abuse of trusted platforms like HuggingFace Spaces for malware hosting could undermine trust in AI/ML infrastructure ecosystems.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, organizations should monitor for typosquatted HuggingFace Spaces and suspicious activity related to marimo notebook deployments. Restricting execution privileges and monitoring for persistence mechanisms such as unauthorized systemd services, crontab entries, and LaunchAgents may help mitigate impact. Review and rotate exposed credentials, especially AWS keys and API tokens, if compromise is suspected.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface"]
- Adversary
- null
- Pulse Id
- 69e09f9d80e986921250a6f3
- Threat Score
- null
Indicators of Compromise
Cve
| Value | Description | Copy |
|---|---|---|
cveCVE-2017-5638 | — | |
cveCVE-2026-39987 | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip111.90.145.139 | — | |
ip160.30.128.96 | — | |
ip185.225.17.176 | — | |
ip38.147.173.172 | — | |
ip120.227.46.184 | — | |
ip185.187.207.193 | — | |
ip45.147.97.11 | — | |
ip60.249.14.39 | — | |
ip92.208.115.60 | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash1d36de06a6240919189cb46e0bcccc3c | — | |
hashbdcb5867f73beae89c3fce46ad5185be | — | |
hash049c35fa746a8b86c100bf6b348ef6163b215898 | — | |
hash9c363fbcc86662ce15cee15e5dd16b71b769ceb4 | — | |
hash25e4b2c4bb37f125b693a9c57b0e743eab2a3d98234f7519cd389e788252fd13 | — | |
hash27c62a041cc3c88df60dfceb50aa5f2217e1ac2ef9e796d7369e9e1be52ebb64 | — | |
hashf2960805f89990cb28898e892bbdc5a2f86b6089c68f4ab7f2f5e456a8d0c21d | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainbskke4.dnslog.cn | — |
Threat ID: 69e0be2682d89c981f771daa
Added to database: 4/16/2026, 10:47:02 AM
Last enriched: 5/16/2026, 8:52:05 AM
Last updated: 6/2/2026, 6:01:16 AM
Views: 450
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.