A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, has been exploited within 10 hours of public disclosure, according to findings from Sysdig.
The vulnerability in question is CVE-2026-39987 (CVSS score: 9.3), a pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including 0.20.4. The issue has been addressed in version 0.23.0.
"The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands," Marimo maintainers said in an advisory earlier this week.
"Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification."
In other words, attackers can obtain a full interactive shell on any exposed Marimo instance through a single WebSocket connection without requiring any credentials.
Sysdig said it observed the first exploitation attempt targeting the vulnerability within 9 hours and 41 minutes of it being publicly disclosed, with a credential theft operation executed in minutes, despite there being no proof-of-concept (PoC) code available at the time.
The unknown threat actor behind the activity is said to have connected to the /terminal/ws WebSocket endpoint on a honeypot system and initiated manual reconnaissance to explore the file system and, minutes later, systematically attempted to harvest data from the .env file, as well as search for SSH keys and read various files.
The attacker returned to the honeypot an hour later to access the contents of the .env file and check if other threat actors were active during the time window. No other payloads, like cryptocurrency miners or backdoors, were installed.
"The attacker built a working exploit directly from the advisory description, connected to the unauthenticated terminal endpoint, and began manually exploring the compromised environment," the cloud security company said. "The attacker connected four times over 90 minutes, with pauses between sessions. This is consistent with a human operator working through a list of targets, returning to confirm findings."
The speed at which newly disclosed flaws are being weaponized indicates that threat actors are closely keeping an eye on vulnerability disclosures and quickly exploiting them during the time between disclosure and patch adoption.This, in turn, has shrunk the time defenders must respond once a vulnerability is publicly announced.
"The assumption that attackers only target widely deployed platforms is wrong. Any internet-facing application with a critical advisory is a target, regardless of its popularity," Sysdig said.
Update
In a new report published on April 16, 2026, Sysdig said the critical Marimo flaw is being exploited to deploy a new variant of a multi-platform threat called NKAbuse that abuses a decentralized, peer-to-peer network connectivity protocol known as NKN for command-and-control.
The cloud security company said it recorded 662 exploit events targeting the vulnerability between April 11 and 14, 2026. The activity originated from 11 unique source IP addresses across 10 countries. Some of the commonly observed post-exploitation actions included -
- Environment variable extraction
- Reverse shell, database enumeration, and lateral movement
- NKAbuse deployment via Hugging Face Spaces
The third operational pattern originated from the IP address ("38.147.173[.]172"), with the attacker using a curl command to drop a shell script hosted on a Hugging Face space named "vsccode-modetx." The shell script dropper is used to launch a binary known as "kagent," an effort to mimic a legitimate Kubernetes artificial intelligence (AI) agent framework of the same name.
It also terminates existing "kagent" instances and establishes persistence on both Linux and macOS systems using a systemd user service, a crontab scheduled task, and macOS LaunchAgent. The "kagent" binary is a Go-based ELF binary and a previously undocumented variant of NKAbuse.
The Sysdig Threat Research Team told The Hacker News that the updated version of the malware supports additional functionality that goes beyond conducting DDoS attacks. This includes "mechanisms for remote command execution and access, as well as integration with decentralized peer-to-peer (P2P) infrastructure via the NKN blockchain. The malware can also function as a sophisticated proxy, supporting protocols such as WebRTC and STUN."
"Developer workstations running notebook platforms are high-value targets: cloud credentials, SSH keys, API tokens, and internal network access," Sysdig said. "An implant on a data scientist's workstation is more valuable than one on a general-purpose server."
CVE-2026-39987 Added to CISA KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on April 23, 2026, added CVE-2026-39987 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by May 7, 2026.
(The story was updated after publication on April 16, 2026, to include additional insights from Sysdig. It was updated again on April 23, 2026, to reflect CISA's addition of the flaw to the KEV catalog.)
