Attackers Exploit CVE-2026-39987 to Deploy NKAbuse Malware via Hugging Face

Attackers Exploit CVE-2026-39987 to Deploy NKAbuse Malware via Hugging Face

First seen 16 Apr 2026, 17:31 UTC BleepingcomputerGbhackersCybersecuritynewsScworldwww.sysdig.com 79% similarity 72.6

Article Content

Browse articles
ThreatCluster

A critical vulnerability in the marimo Python notebook platform, tracked as CVE-2026-39987, has been actively exploited to deploy a new variant of NKAbuse malware. The flaw allows for remote code execution without authentication, enabling attackers to leverage Hugging Face Spaces for malware distribution. Exploitation began shortly after the vulnerability was disclosed on April 9, 2026, with attacks reported as early as April 11. Sysdig's research identified 11 unique IP addresses from 10 countries conducting 662 exploit events, including credential theft and lateral movement to PostgreSQL and Redis databases. The malware, which utilizes the NKN blockchain for command and control, poses a significant threat to developer environments. Attackers have employed various techniques, including typosquatting legitimate applications and using dropper scripts to install malware. The situation remains dynamic, with ongoing monitoring and evolving tactics observed among threat actors.

Key Points: • CVE-2026-39987 allows remote code execution in marimo without authentication. • Attackers are using Hugging Face Spaces to host and distribute NKAbuse malware. • Over 660 exploit events have been recorded across multiple countries since April 11.

ThreatCluster AI

Timeline

2026-04-09
CVE-2026-39987 published
2026-04-11
First exploitation of CVE-2026-39987 observed
2026-04-12
Attacks leveraging Hugging Face Spaces reported
2026-04-13
First public PoC released
2026-04-14
Ongoing exploitation activity recorded

Community

Browse all →