Hackers are actively exploiting CVE-2026-39987, a critical remote code execution vulnerability in the Marimo reactive Python notebook, to deploy a new variant of NKAbuse malware. Attackers created a typosquatted Hugging Face Space mimicking VS Code to host a dropper script and malicious binary named 'kagent'. The dropper establishes persistence via systemd, cron, or macOS LaunchAgent. The NKAbuse variant functions as a RAT using NKN decentralized P2P networking for stealthy command-and-control. Additional attacks include reverse-shell attempts, lateral movement via PostgreSQL credential theft, and Redis database enumeration. Users should upgrade Marimo to version 0.23.0 or later immediately, or block the '/terminal/ws' endpoint.
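A triage check for the two mitigations above, as an added example that is not from the article or the Marimo project: it compares a Marimo version against the fixed release 0.23.0 and flags requests to `/terminal/ws` in reverse-proxy access logs. The function names, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from importlib import metadata

FIXED = (0, 23, 0)          # first fixed release, per the article
ENDPOINT = "/terminal/ws"   # endpoint the article says to block

def parse_version(text):
    """Leading numeric components of a version, e.g. '0.22.1' -> (0, 22, 1).
    Pre-release suffixes are ignored (simplification for this example)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    parts += [0] * (3 - len(parts))
    return tuple(parts)

def is_patched(version_text):
    return parse_version(version_text) >= FIXED

def installed_marimo_version():
    """Version of marimo in the current environment, or None if absent."""
    try:
        return metadata.version("marimo")
    except metadata.PackageNotFoundError:
        return None

# Assumed format: combined access log written by a proxy in front of Marimo.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def terminal_ws_hits(lines):
    """Return (client, status, upgraded) for each request to the endpoint.
    Status 101 means the WebSocket upgrade succeeded, i.e. it was not blocked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        path = target.split("?", 1)[0].rstrip("/")
        if path.endswith(ENDPOINT):   # also matches a base-URL prefix
            hits.append((client, int(status), int(status) == 101))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "-"',
    '198.51.100.4 - - [01/Jan/2026:10:00:05 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 403 153 "-" "-"',
    '198.51.100.9 - - [01/Jan/2026:10:00:09 +0000] "GET /api/status HTTP/1.1" 200 512 "-" "-"',
]
```

A hit with `upgraded` set to true on a host where `is_patched` is false is the case to investigate first.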

3m read time. From bleepingcomputer.com