Marimo notebook RCE weaponized to drop NKAbuse RAT from Hugging Face Spaces
Original source: "Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face" (BleepingComputer)

A critical remote code execution flaw in the Marimo reactive Python notebook (CVE-2026-39987) is being exploited within hours of public disclosure, with Sysdig tracking credential theft campaigns and a fresh NKAbuse variant delivered through Hugging Face Spaces. Attackers stood up a typosquatted Space named vsccode-modetx hosting an install-linux.sh dropper and a kagent binary masquerading as a legitimate Kubernetes AI tool. Because Hugging Face is a trusted HTTPS endpoint, the curl-based staging blends into normal traffic and evades reputation-based detection.
The payload is a previously undocumented evolution of NKAbuse, the malware family Kaspersky first flagged in 2023 for using the decentralized NKN peer-to-peer network for command and control. This variant drops the DDoS focus and operates as a remote access trojan, executing shell commands and tunneling their output back through the NKN client protocol, with WebRTC, ICE, and STUN used for NAT traversal. Persistence is established via systemd, cron, or macOS LaunchAgents depending on the host.
Beyond the Hugging Face campaign, Sysdig observed a German operator attempting 15 reverse-shell variants before pivoting to PostgreSQL via stolen environment-variable credentials, and a Hong Kong actor looting Redis session tokens across all 16 databases. Users should upgrade Marimo to 0.23.0 or later; where that is blocked, the /terminal/ws endpoint must be firewalled or disabled entirely.
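The two mitigations above (upgrade to 0.23.0 or later, otherwise fence off /terminal/ws) are easy to turn into checks. The following is an added defensive example, not code from the BleepingComputer article, from Sysdig, or from the Marimo project: one function decides whether an installed Marimo version string is still below the fixed release, and one scans access-log lines from a reverse proxy in front of a Marimo server for remote hits on the terminal WebSocket endpoint. The combined-log line shape, the pre-release version suffixes handled, and the sample log lines are all constructed assumptions; adapt the regex to whatever your proxy actually writes.

```python
import re
from typing import Iterable, Iterator, NamedTuple, Tuple

# Added defensive example (not the article's or Marimo's own code).
# Assumption: the first fixed release is 0.23.0, as the summary states.
FIXED_VERSION: Tuple[int, int, int] = (0, 23, 0)

# Assumption: versions look like 0.22.5 or 0.23.0rc1 / 0.23.0.dev3.
# Anything with a pre-release tag is treated as older than the plain release.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc|\.dev)\d+)?$")


def needs_upgrade(version: str) -> bool:
    """True when the given Marimo version is older than the fixed 0.23.0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numeric = tuple(int(x) for x in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    # A 0.23.0 pre-release does not carry the fix; treat it as vulnerable.
    return numeric < FIXED_VERSION or (numeric == FIXED_VERSION and prerelease)


# Assumption: the proxy writes Apache/nginx "combined" log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


class Alert(NamedTuple):
    ip: str
    timestamp: str
    path: str
    reason: str


def scan_access_log(
    lines: Iterable[str],
    allowed_sources: frozenset = frozenset({"127.0.0.1", "::1"}),
) -> Iterator[Alert]:
    """Yield an Alert for every /terminal/ws request not from an allowed source.

    A correctly firewalled deployment should produce no alerts at all; any hit
    from outside the allow-list means the endpoint is still reachable.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        path = m["path"].split("?", 1)[0]  # drop any query string
        if path.startswith("/terminal/ws") and m["ip"] not in allowed_sources:
            yield Alert(m["ip"], m["ts"], path,
                        "remote access to Marimo terminal websocket")


# Constructed sample log lines (RFC 5737 documentation addresses, made-up times).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:09:12:01 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Go-http-client/1.1"
127.0.0.1 - - [10/Apr/2026:09:12:05 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Apr/2026:09:13:10 +0000] "GET /?file=notebook.py HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2026:09:14:44 +0000] "GET /terminal/ws?token=abc HTTP/1.1" 101 0 "-" "curl/8.5.0"
""".splitlines()


if __name__ == "__main__":
    for v in ("0.22.5", "0.23.0rc1", "0.23.0", "0.24.1"):
        print(f"marimo {v}: {'UPGRADE' if needs_upgrade(v) else 'ok'}")
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

Run against real logs, an empty result from `scan_access_log` is the evidence that the firewall rule or disabled endpoint is actually taking effect; the local-only allow-list is a starting point and should be tightened to whatever sources legitimately need the notebook's terminal.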
This is an AI-generated summary; read the original BleepingComputer article for the full story.