Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face

HACKERS EXPLOIT MARIMO FLAW TO DEPLOY NKABUSE MALWARE FROM HUGGING FACE

1. Overview

• A critical vulnerability in the Marimo reactive Python notebook is being exploited to deploy a new NKAbuse malware variant hosted on Hugging Face Spaces.
• The flaw, identified as CVE-2026-39987, enables pre-auth remote code execution and has seen active exploitation.
• Attackers leverage Hugging Face Spaces, a legitimate AI development platform, as a delivery vector to hide malware and avoid triggering typical security alerts.
• The dropper script and payload are hosted in a Space that imitates legitimate tooling, increasing the likelihood of successful execution.
• The end result is a remote access Trojan that can run shell commands on infected hosts and exfiltrate outputs back to operators.

1. Timeline and Context

• April 12, 2026: Initial campaigns begin to leverage the Marimo RCE flaw, with observed use of Hugging Face Spaces to host the dropper and a malware binary.
• April 16, 2026: Public disclosures of the vulnerability details coincide with a surge in exploitation activity across multiple actors.
• December 2023 and onward: Researchers previously documented the NKAbuse family, including its use of the New Kind of Network (NKN) for data exchange and stealthy communications.
• The observed activity includes a blend of pre-auth exploitation, persistence maneuvers, and data-like interactions aimed at masking malicious behavior within legitimate services.

1. Attack Surface and Vectors

• Marimo RCE vulnerability (CVE-2026-39987) serves as the initial foothold, allowing a threat actor to run arbitrary code on the affected system.
• Hugging Face Spaces provides an HTTPS endpoint with a credible reputation, reducing the likelihood that security controls flag the activity.
• A Space named in the activity, vsccode-modetx, uses a deliberate typosquat to evoke a familiar software tool while hosting malicious components.
• The delivery chain includes a dropper script (install-linux.sh) and a malware binary named kagent, designed to resemble legitimate components associated with container orchestration tooling.

1. The Dropper and Initial Payload

• After successful exploitation, the attacker runs a curl command to fetch the install-linux.sh dropper from the compromised Hugging Face Space and execute it.
• The dropper proceeds to download the kagent binary, install it locally, and establish persistence via common mechanisms such as systemd on Linux, cron jobs, or LaunchAgent on macOS.
• The approach relies on legitimate system features to maintain execution across reboots and user sessions, complicating detection.

1. The NKAbuse Variant and Capabilities

• The payload is a previously undocumented NKAbuse variant with ties to DDoS-focused families, expanding into a broader remote access role.
• Functional aspects include the ability to execute shell commands on the infected host and relay command outputs back to operators.
• The binary references several networking and traversal components, including the NKN Client Protocol, WebRTC/ICE/STUN for NAT traversal, and proxy management, aligning with the NKAbuse family’s characteristic communications model.

1. Notable Attacks and Actors

• Germany-based operator: Attempted around 15 reverse-shell techniques across multiple ports, followed by lateral movement to fetch credentials from environment variables and connect to PostgreSQL to enumerate schemas, tables, and configurations.
• Hong Kong-based actor: Used stolen environment credentials to target a Redis server, scanning all 16 databases and dumping stored data such as session tokens and application cache entries.
• These actions illustrate broader tactics beyond initial compromise, including credential access, database targeting, and data exfiltration.

1. Indicators of Compromise and Artifacts

• Dropper script: install-linux.sh downloaded from a Hugging Face Space, then executed to fetch the kagent binary.
• Malware binary: kagent, used as the primary payload and described as part of the NKAbuse family’s evolving variants.
• Persistence mechanisms: persistence established via system scheduling and agent-like processes (systemd, cron, LaunchAgent) to maintain control.
• Network behavior: references to NKN Client Protocol and WebRTC/ICE/STUN for NAT traversal, signaling a blend of traditional C2 channels with decentralized data exchange concepts.

1. Platform and Ecosystem Context

• Hugging Face Spaces: a platform for hosting interactive AI demos and apps, used here as a credible delivery channel for malicious content.
• Marimo: a reactive Python notebook environment that, when misconfigured or vulnerable, can be weaponized to run code remotely.
• NKAbuse lineage: a malware family with roots in DDoS-focused activity and evolving capabilities for remote command execution and stealthy communications through decentralized networks.

1. Related Observations and Broader Trends

• The exploitation of CVE-2026-39987 in real-world campaigns appears to be increasing, with attackers combining pre-auth RCE with legitimate cloud-hosted assets to reduce detection risk.
• Campaigns demonstrate a shift toward using trusted external platforms as initial footholds, then delivering modular payloads that emphasize persistence, command execution, and data exposure.
• Multiple actors leverage credential leakage and environment variables to move laterally or access databases, underscoring the value of protecting sensitive configuration data.

1. Closing Notes and Takeaways

• The Marimo flaw and its exploitation through Hugging Face Spaces represent a notable convergence of vulnerability chains, supply-chain-like delivery, and traditional post-exploitation techniques.
• The NKAbuse variant observed in this campaign reinforces the need to monitor for unusual combinations of dropper scripts, decoy spaces, and decentralized-network-like payloads.
• The ongoing activity across different geographic actors and targets highlights the evolving tactics used to conceal malware delivery and expand control over compromised systems.