Attackers Exploit CVE-2026-39987 to Deploy NKAbuse Malware via Hugging Face

Severity: High (Score: 72.6)

Sources: www.sysdig.com, Gbhackers, Bleepingcomputer, Cybersecuritynews

Summary

A critical vulnerability in the marimo Python notebook platform, tracked as CVE-2026-39987, has been actively exploited to deploy a new variant of the NKAbuse malware. The flaw allows unauthenticated remote code execution, and attackers have paired it with Hugging Face Spaces as a hosting and distribution channel for the malware. Exploitation began shortly after the vulnerability was disclosed on April 9, 2026, with attacks reported as early as April 11. Sysdig's research identified 11 unique IP addresses from 10 countries conducting 662 exploit events, including credential theft and lateral movement to PostgreSQL and Redis databases. The malware, which uses the NKN blockchain for command and control, poses a significant threat to developer environments. Attackers have employed several techniques, including typosquatting legitimate applications and using dropper scripts to install the malware. The situation remains dynamic, with ongoing monitoring and evolving tactics observed among threat actors.

Key Points:

  • CVE-2026-39987 allows remote code execution in marimo without authentication.
  • Attackers are using Hugging Face Spaces to host and distribute NKAbuse malware.
  • Over 660 exploit events have been recorded across multiple countries since April 11.

Key Entities

  • DDoS (attack_type)
  • Malware (attack_type)
  • Australia (country)
  • Germany (country)
  • Malaysia (country)
  • CVE-2017-5638 (cve)
  • CVE-2026-39987 (cve)
  • CWE-287 - Improper Authentication (cwe)
  • CWE-94 - Code Injection (cwe)
  • bskke4.dnslog.cn (domain)
  • dnslog.cn (domain)
  • hf.space (domain)
  • 111.90.145.139 (ipv4)
  • 203.10.98.186 (ipv4)
  • 38.147.173.172 (ipv4)
  • 92.208.115.60 (ipv4)
  • NKAbuse (malware)
  • bdcb5867f73beae89c3fce46ad5185be (md5)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Hugging Face Spaces (platform)
  • Kubernetes (platform)
  • Linux (platform)
  • MacOS (platform)
  • 049c35fa746a8b86c100bf6b348ef6163b215898 (sha1)
  • 25e4b2c4bb37f125b693a9c57b0e743eab2a3d98234f7519cd389e788252fd13 (sha256)
  • Curl (tool)
  • Netcat (tool)
  • wget (tool)