CVE-2026-39987 update: How attackers weaponized marimo to deploy a blockchain botnet via HuggingFace
A critical pre-authorization remote code execution vulnerability (CVE-2026-39987) in the marimo Python notebook platform was weaponized by multiple threat actors shortly after disclosure. Attackers deployed a previously undocumented NKAbuse malware variant via a typosquatted HuggingFace Space, leveraging the NKN blockchain for command and control. Between April 11-14, 2026, eleven unique IPs across ten countries generated 662 exploit events involving reverse shells, credential theft targeting AWS keys and API tokens, DNS exfiltration, and lateral movement to PostgreSQL and Redis databases. The malware masqueraded as a legitimate Kubernetes tool named kagent and established persistence through systemd services, crontab entries, and macOS LaunchAgents. This campaign highlights targeted attacks on AI/ML infrastructure using trusted platforms for malware distribution.
AI Analysis
Technical Summary
Following disclosure of CVE-2026-39987, a critical pre-auth remote code execution flaw in the marimo Python notebook platform, multiple threat actors exploited this vulnerability to deploy NKAbuse malware variants hosted on typosquatted HuggingFace Spaces. The malware used the NKN blockchain for command and control and executed a range of attack techniques including reverse shell access, credential harvesting of AWS keys and API tokens, DNS exfiltration, and lateral movement to PostgreSQL and Redis databases using leaked credentials. The malicious binary was disguised as a Kubernetes tool named kagent and implemented persistence mechanisms across Linux and macOS systems. This operation demonstrates adversaries targeting AI/ML environments and abusing trusted open platforms for malware delivery.
Potential Impact
Exploitation of CVE-2026-39987 enabled remote code execution without prior authorization, allowing attackers to deploy malware that facilitates reverse shell access, credential theft (including AWS keys and API tokens), data exfiltration via DNS, and lateral movement within networks to critical databases such as PostgreSQL and Redis. The malware's persistence mechanisms increase the difficulty of detection and removal. The use of trusted platforms like HuggingFace Spaces for malware hosting may increase the likelihood of successful infection. The campaign affected multiple countries and involved hundreds of exploit events, indicating a broad and active threat.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. In the meantime, organizations should monitor for indicators of compromise such as connections to known malicious IPs and domains, presence of suspicious binaries named kagent, and unusual persistence mechanisms like unauthorized systemd services, crontab entries, or macOS LaunchAgents. Restrict access to vulnerable marimo notebook instances and validate the authenticity of HuggingFace Spaces before use. Since no official patch information is provided, follow vendor advisories closely for updates.
Indicators of Compromise
- cve: CVE-2017-5638
- ip: 111.90.145.139
- ip: 160.30.128.96
- cve: CVE-2026-39987
- ip: 185.225.17.176
- ip: 38.147.173.172
- hash: 1d36de06a6240919189cb46e0bcccc3c
- hash: bdcb5867f73beae89c3fce46ad5185be
- hash: 049c35fa746a8b86c100bf6b348ef6163b215898
- hash: 9c363fbcc86662ce15cee15e5dd16b71b769ceb4
- hash: 25e4b2c4bb37f125b693a9c57b0e743eab2a3d98234f7519cd389e788252fd13
- hash: 27c62a041cc3c88df60dfceb50aa5f2217e1ac2ef9e796d7369e9e1be52ebb64
- hash: f2960805f89990cb28898e892bbdc5a2f86b6089c68f4ab7f2f5e456a8d0c21d
- ip: 120.227.46.184
- ip: 185.187.207.193
- ip: 45.147.97.11
- ip: 60.249.14.39
- ip: 92.208.115.60
- domain: bskke4.dnslog.cn
CVE-2026-39987 update: How attackers weaponized marimo to deploy a blockchain botnet via HuggingFace
Description
A critical pre-authorization remote code execution vulnerability (CVE-2026-39987) in the marimo Python notebook platform was weaponized by multiple threat actors shortly after disclosure. Attackers deployed a previously undocumented NKAbuse malware variant via a typosquatted HuggingFace Space, leveraging the NKN blockchain for command and control. Between April 11-14, 2026, eleven unique IPs across ten countries generated 662 exploit events involving reverse shells, credential theft targeting AWS keys and API tokens, DNS exfiltration, and lateral movement to PostgreSQL and Redis databases. The malware masqueraded as a legitimate Kubernetes tool named kagent and established persistence through systemd services, crontab entries, and macOS LaunchAgents. This campaign highlights targeted attacks on AI/ML infrastructure using trusted platforms for malware distribution.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Following disclosure of CVE-2026-39987, a critical pre-auth remote code execution flaw in the marimo Python notebook platform, multiple threat actors exploited this vulnerability to deploy NKAbuse malware variants hosted on typosquatted HuggingFace Spaces. The malware used the NKN blockchain for command and control and executed a range of attack techniques including reverse shell access, credential harvesting of AWS keys and API tokens, DNS exfiltration, and lateral movement to PostgreSQL and Redis databases using leaked credentials. The malicious binary was disguised as a Kubernetes tool named kagent and implemented persistence mechanisms across Linux and macOS systems. This operation demonstrates adversaries targeting AI/ML environments and abusing trusted open platforms for malware delivery.
Potential Impact
Exploitation of CVE-2026-39987 enabled remote code execution without prior authorization, allowing attackers to deploy malware that facilitates reverse shell access, credential theft (including AWS keys and API tokens), data exfiltration via DNS, and lateral movement within networks to critical databases such as PostgreSQL and Redis. The malware's persistence mechanisms increase the difficulty of detection and removal. The use of trusted platforms like HuggingFace Spaces for malware hosting may increase the likelihood of successful infection. The campaign affected multiple countries and involved hundreds of exploit events, indicating a broad and active threat.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. In the meantime, organizations should monitor for indicators of compromise such as connections to known malicious IPs and domains, presence of suspicious binaries named kagent, and unusual persistence mechanisms like unauthorized systemd services, crontab entries, or macOS LaunchAgents. Restrict access to vulnerable marimo notebook instances and validate the authenticity of HuggingFace Spaces before use. Since no official patch information is provided, follow vendor advisories closely for updates.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface"]
- Adversary
- null
- Pulse Id
- 69e09f9d80e986921250a6f3
- Threat Score
- null
Indicators of Compromise
Cve
| Value | Description | Copy |
|---|---|---|
cveCVE-2017-5638 | — | |
cveCVE-2026-39987 | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip111.90.145.139 | — | |
ip160.30.128.96 | — | |
ip185.225.17.176 | — | |
ip38.147.173.172 | — | |
ip120.227.46.184 | — | |
ip185.187.207.193 | — | |
ip45.147.97.11 | — | |
ip60.249.14.39 | — | |
ip92.208.115.60 | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash1d36de06a6240919189cb46e0bcccc3c | — | |
hashbdcb5867f73beae89c3fce46ad5185be | — | |
hash049c35fa746a8b86c100bf6b348ef6163b215898 | — | |
hash9c363fbcc86662ce15cee15e5dd16b71b769ceb4 | — | |
hash25e4b2c4bb37f125b693a9c57b0e743eab2a3d98234f7519cd389e788252fd13 | — | |
hash27c62a041cc3c88df60dfceb50aa5f2217e1ac2ef9e796d7369e9e1be52ebb64 | — | |
hashf2960805f89990cb28898e892bbdc5a2f86b6089c68f4ab7f2f5e456a8d0c21d | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainbskke4.dnslog.cn | — |
Threat ID: 69e0be2682d89c981f771daa
Added to database: 4/16/2026, 10:47:02 AM
Last enriched: 4/16/2026, 11:02:03 AM
Last updated: 4/16/2026, 8:22:27 PM
Views: 16
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.