![\"Hackers](\"https:\/\/www.bleepstatic.com\/content\/hl-images\/2025\/09\/09\/hacker.jpg\")
<\/p>\n<\/p>\n
Hackers are exploiting a critical vulnerability in Marimo reactive Python notebook to deploy a new variant of NKAbuse malware hosted on Hugging Face Spaces.<\/p>\n
Attacks leveraging the remote code execution flaw (CVE-2026-39987) started last week<\/a> for credential theft, less than 10 hours after technical details were disclosed publicly, according to data from cloud-security company Sysdig.<\/p>\n Sysdig researchers continued to monitor activity related to the security issue identified additional attacks, including a campaign that started on April 12 that abuses the Hugging Face Spaces platform for showcasing AI applications.<\/p>\n Hugging Face serves as an AI development and machine learning-focused platform, acting as a hub for AI assets such as models, datasets, code, and tools, shared among the community.<\/p>\n Hugging Face Spaces lets users deploy and share interactive web apps directly from a Git repository, typically for demos, tools, or experiments around AI.<\/p>\n In the attacks that Sysdig observed, the attacker created a Space named vsccode-modetx<\/em> (an intentional typosquat for VS Code) that hosts a dropper script (install-linux.sh) and a malware binary with the name kagent<\/em>, also an attempt to mimic a legitimate Kubernetes AI agent tool.<\/p>\n After exploiting the Marimo RCE, the threat actor ran a curl command to download the script from Hugging Face and execute it. Because Hugging Face Spaces is a legitimate HTTPS endpoint with a clean reputation, it is less likely to trigger alerts.<\/p>\n The dropper script downloads the kagent binary, installs it locally, and sets up persistence via systemd, cron, or macOS LaunchAgent.<\/p>\n According to the researchers, the payload is a previously undocumented variant of the DDoS-focused malware NKAbuse. Kaspersky researchers reported the malware<\/a> in late 2023 and highlighted its novel abuse of the NKN (New Kind of Network) decentralized peer-to-peer network technology for data exchange.<\/p>\n Sysdig says that the new variant functions as a remote access trojan that can execute shell commands on the infected system and send the output back to the operator.<\/p>\n “The binary references NKN Client Protocol, WebRTC\/ICE\/STUN for NAT traversal, proxy management, and structured command handling – matching the NKAbuse family initially documented by Kaspersky in December 2023,” mentions Sysdig in the report<\/a>.<\/p>\n Sysdig also spotted other notable attacks exploiting CVE-2026-39987, including a Germany-based operator who attempted 15 reverse-shell techniques across multiple ports.<\/p>\n They then pivoted to lateral movement by extracting database credentials from environment variables and connecting to PostgreSQL, where they rapidly enumerated schemas, tables, and configuration data.<\/p>\n Another actor from Hong Kong used stolen .env credentials to target a Redis server, systematically scanning all 16 databases and dumping stored data, including session tokens and application cache entries.<\/p>\n The overall takeaway is that exploitation of CVE-2026-39987 in the wild has increased in volume and tactics, and it’s crucial that users upgrade to version 0.23.0 or later immediately.<\/p>\n If upgrading is not possible, it is recommended to block external access to the ‘\/terminal\/ws’ endpoint via a firewall, or block it entirely.<\/p>\n\n![\"Hackers](\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2026\/April\/comp.jpg\")
\n![\"Hackers](\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2026\/April\/redis.jpg\")