Critical Hugging Face Vulnerability CVE-2026-39987 Lets Attackers Spread Backdoors
Key Takeaways A critical remote code execution (RCE) vulnerability, CVE-2026-39987, in the marimo framework has been actively exploited. Attackers are leveraging this flaw to deploy a new variant of...
Key Takeaways
- A critical remote code execution (RCE) vulnerability, CVE-2026-39987, in the marimo framework has been actively exploited.
- Attackers are leveraging this flaw to deploy a new variant of the NKAbuse malware, dubbed “kagent,” via a malicious Hugging Face Space.
- The vulnerability allows unauthenticated RCE and has a CVSS score of 9.8 (Critical), enabling attackers to compromise AI developer workstations and exfiltrate sensitive cloud credentials.
- The Sysdig TRT identified rapid weaponization and a multi-actor campaign targeting exposed marimo instances, with a patch available in marimo version 0.23.0.
Critical Hugging Face Vulnerability Poses Backdoor Threat to AI Workstations
A severe unauthenticated remote code execution (RCE) vulnerability, identified as CVE-2026-39987, impacting the marimo framework, is being actively exploited by threat actors to distribute a new variant of the NKAbuse malware. This critical flaw, with a CVSS score of 9.8, enables attackers to execute arbitrary code without authentication, making it a highly dangerous entry point for compromising AI developer environments.
Table Of Content
Rapid Exploitation and Multi-Actor Campaign
The vulnerability, detailed in GitHub advisory GHSA-2679-6mx9-h9xc, was publicly disclosed on April 8, 2026. Within a mere 9 hours and 41 minutes, evidence of active exploitation emerged. From April 11 to April 14, 2026, researchers observed a concentrated attack campaign, with threat actors originating from 11 distinct IP addresses across 10 countries initiating 662 exploit attempts against vulnerable marimo instances. This rapid escalation from initial scanning to a full-blown, multi-actor assault underscores the critical nature of the vulnerability and the swiftness with which adversaries weaponize newly disclosed flaws, particularly those targeting AI developer infrastructure.
Deployment of NKAbuse Variant via Hugging Face
Researchers at the Sysdig TRT meticulously tracked these attacks, documenting four primary post-exploitation tactics: credential harvesting, attempts to establish reverse shells, DNS-based data exfiltration, and the deployment of a previously unseen variant of the NKAbuse malware. The speed of these operations confirmed that multiple, independent threat actors were simultaneously targeting the vulnerability shortly after its public release.
A particularly alarming discovery was the use of a typosquatted Hugging Face Space, named “vsccode-modetx,” to deliver a new Go-based backdoor called “kagent.” This malicious Space was designed to impersonate a legitimate VS Code tool, exploiting the trust associated with the Hugging Face platform. Attackers executed a simple curl command against a vulnerable marimo endpoint, which then downloaded and executed a shell dropper. This dropper, in turn, retrieved the kagent binary onto the victim’s system. Critically, the Hugging Face domain hosting the malicious payload showed no adverse reputation across 16 different security sources at the time of the attack, allowing the malware to bypass conventional security defenses undetected.
Broader Impact and Persistence
The compromise extended beyond individual marimo notebooks. Attackers rapidly leveraged initial access to pivot to connected PostgreSQL databases and Redis instances, extracting sensitive credentials from environment variables. In one observed incident, an operator exfiltrated AWS access keys, database connection strings, and OpenAI API tokens, illustrating how a single exploited marimo instance could serve as a gateway to wider cloud infrastructure compromise.
NKAbuse Variant and Persistence Tactics
The “kagent” binary is a stripped, UP
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.