CVE-2026-39987 in the marimo Platform Exploited to Install Blockchain Backdoor via Hugging Face

Attackers Exploit CVE-2026-39987 to Deploy Blockchain-Based Backdoor via Hugging Face

A critical vulnerability identified as CVE-2026-39987 has been discovered in the marimo Python notebook platform, enabling unauthenticated remote code execution. This flaw is actively exploited by attackers to install a blockchain-powered backdoor on developer systems.

The vulnerability was publicly disclosed on April 8, 2026, under advisory GHSA-2679-6mx9-h9xc. The first exploitation attempts were recorded less than ten hours later. Between April 11 and April 14, 2026, attackers from 11 unique IP addresses across 10 countries initiated 662 exploit events targeting exposed marimo instances. This rapid escalation indicates a coordinated effort by multiple threat actors to exploit the vulnerability shortly after its disclosure.

Researchers at the Sysdig Threat Research Team (TRT) observed four primary post-exploitation activities:

1. Credential Harvesting: Attackers extracted sensitive information such as AWS access keys, database connection strings, and OpenAI API tokens from environment variables.

2. Reverse Shell Deployment: Malicious actors established reverse shells to maintain persistent access to compromised systems.

3. DNS-Based Data Exfiltration: Data was exfiltrated using DNS queries, allowing attackers to bypass traditional security measures.

4. Deployment of NKAbuse Variant: A new variant of the NKAbuse malware was deployed, utilizing a blockchain-based command-and-control (C2) infrastructure.

A particularly concerning aspect of this campaign is the use of a typosquatted Hugging Face Space named vsccode-modetx, designed to mimic a legitimate Visual Studio Code tool. Attackers executed a simple curl command against a marimo endpoint to download and execute a shell dropper, which then retrieved the kagent binary from the fraudulent Hugging Face repository. At the time of the attack, the Hugging Face domain had no malicious flags across 16 reputation sources, allowing the payload to evade standard security filters.

The kagent binary is a stripped, UPX-packed Go ELF file that expands from 4.3 MB to 15.5 MB upon unpacking. It communicates with its C2 server over the NKN blockchain network, utilizing decentralized relay nodes. This method obfuscates the C2 traffic, blending it with normal blockchain activity and making detection challenging for conventional security tools.

To establish persistence, the dropper script employs three methods:

1. Systemd User Service: Creates a systemd user service at `~/.config/systemd/user/kagent.service`.

2. Crontab Entry: Adds an `@reboot` entry to the crontab.

3. macOS LaunchAgent: Installs a LaunchAgent at `~/Library/LaunchAgents/com.kagent.plist`.

All output is redirected to `~/.kagent/install.log`, concealing activity from standard process monitoring tools. Defenders must inspect all three persistence locations to fully remove the implant.

This 2026 variant of NKAbuse differs from its predecessor by targeting AI developer tools through a newly discovered vulnerability, utilizing Hugging Face for payload delivery, and disguising the binary as a legitimate Kubernetes agent named kagent. In contrast, the original NKAbuse exploited a six-year-old Apache Struts flaw against Linux desktops and IoT devices.

Recommendations for Defenders:

– Update marimo: Immediately upgrade to version 0.23.0 or later to mitigate the vulnerability, which requires no authentication to exploit and is actively exploited.

– Inspect for Indicators of Compromise (IoCs): Search for the `~/.kagent/` directory, the `kagent.service` systemd entry, and any running kagent processes on systems that have run marimo.

– Monitor Network Traffic: Be vigilant for unusual outbound connections, especially those associated with the NKN blockchain network, which may indicate C2 communication.

– Review Hugging Face Dependencies: Scrutinize any Hugging Face repositories or Spaces integrated into your development environment to ensure their legitimacy.

By implementing these measures, organizations can enhance their defenses against this sophisticated attack vector and protect their development environments from compromise.
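
The following POSIX shell sweep is an added example, not from the original article or from Sysdig. It covers the three persistence locations described above and the IoC check in the recommendations. The function names are illustrative, and because the article does not give the content of the crontab entry, every active `@reboot` line is listed for review.

```shell
#!/bin/sh
# Added example: sweep one account for the kagent artifacts named in the article.
# The paths come from the article; the function names are illustrative.

# Print one line per file-system artifact found under the given home directory.
scan_home() {
    home=$1
    for path in \
        "$home/.kagent" \
        "$home/.kagent/install.log" \
        "$home/.config/systemd/user/kagent.service" \
        "$home/Library/LaunchAgents/com.kagent.plist"
    do
        # -L also catches dangling symlinks left behind by a partial cleanup.
        if [ -e "$path" ] || [ -L "$path" ]; then
            echo "FOUND $path"
        fi
    done
}

# Read crontab text on stdin and print every active (uncommented) @reboot entry.
# Assumption: the entry's content is unknown, so all @reboot lines are listed.
scan_crontab() {
    grep -E '^[[:space:]]*@reboot[[:space:]]' | sed 's/^[[:space:]]*/CRON /'
}

# Print the PID of every running process whose name is exactly "kagent".
scan_processes() {
    pgrep -x kagent 2>/dev/null | sed 's/^/PID /'
}

# Full sweep of one account: returns 0 when clean, 1 when anything was reported.
sweep() {
    findings=$(
        scan_home "$1"
        crontab -l 2>/dev/null | scan_crontab
        scan_processes
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run as each user that has run marimo:  sh sweep.sh --run
if [ "${1:-}" = "--run" ]; then
    sweep "$HOME"
fi
```

A hit on any line means the other locations must still be checked and cleaned, since each persistence method can relaunch the binary independently.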