A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, has been exploited within 10 hours of public disclosure, according to findings from Sysdig.
The vulnerability, identified as CVE-2026-39987 with a CVSS score of 9.3, is a pre-authenticated remote code execution flaw that affects all versions of Marimo up to and including 0.20.4. The issue was resolved in version 0.23.0.
The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification.
In other words, attackers can obtain a full interactive shell on any exposed Marimo instance through a single WebSocket connection without requiring any credentials.
Sysdig reported that the first exploitation attempt targeting this vulnerability was observed within 9 hours and 41 minutes of its public disclosure. A credential theft operation was executed in minutes, despite no proof-of-concept (PoC) code being available at the time.
The unknown threat actor connected to the /terminal/ws WebSocket endpoint on a honeypot system and initiated manual reconnaissance to explore the file system. Within minutes, they systematically attempted to harvest data from the .env file, search for SSH keys, and read various files.
The attacker returned to the honeypot an hour later to access the contents of the .env file and check if other threat actors were active during that time. No additional payloads, such as cryptocurrency miners or backdoors, were installed.
The attacker built a working exploit directly from the advisory description, connected to the unauthenticated terminal endpoint, and began manually exploring the compromised environment. The attacker connected four times over 90 minutes, with pauses between sessions. This is consistent with a human operator working through a list of targets, returning to confirm findings.
The speed at which newly disclosed flaws are being weaponized indicates that threat actors are closely monitoring vulnerability disclosures and quickly exploiting them during the window between disclosure and patch adoption. This has reduced the time defenders have to respond once a vulnerability is publicly announced.
The assumption that attackers only target widely deployed platforms is wrong. Any internet-facing application with a critical advisory is a target, regardless of its popularity.
Update: NKAbuse Exploitation and CISA KEV Addition
In a new report published on April 16, 2026, Sysdig stated that the critical Marimo flaw is being exploited to deploy a new variant of a multi-platform threat called NKAbuse, which abuses a decentralized, peer-to-peer network connectivity protocol known as NKN for command-and-control.
Sysdig recorded 662 exploit events targeting the vulnerability between April 11 and 14, 2026. The activity originated from 11 unique source IP addresses across 10 countries. Commonly observed post-exploitation actions included:
- Environment variable extraction
- Reverse shell, database enumeration, and lateral movement
- NKAbuse deployment via Hugging Face Spaces
The third operational pattern originated from the IP address 38.147.173[.]172. The attacker used a curl command to drop a shell script hosted on a Hugging Face space named "vsccode-modetx". The shell script dropper launched a binary known as "kagent", which mimics a legitimate Kubernetes AI agent framework of the same name. It also terminates existing "kagent" instances and establishes persistence on both Linux and macOS systems using a systemd user service, a crontab scheduled task, and macOS LaunchAgent. The "kagent" binary is a Go-based ELF binary and a previously undocumented variant of NKAbuse.
According to the Sysdig Threat Research Team, the updated version of the malware supports additional functionality beyond DDoS attacks, including mechanisms for remote command execution and access, as well as integration with decentralized peer-to-peer infrastructure via the NKN blockchain. The malware can also function as a sophisticated proxy, supporting protocols such as WebRTC and STUN.
Developer workstations running notebook platforms are high-value targets: cloud credentials, SSH keys, API tokens, and internal network access. An implant on a data scientist's workstation is more valuable than one on a general-purpose server.
On April 23, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-39987 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by May 7, 2026.
