Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face

Attackers are actively exploiting CVE-2026-39987, a critical RCE vulnerability in Marimo Python notebooks, to deploy NKAbuse malware hosted on Hugging Face. The malware acts as a RAT with credential theft and lateral movement capabilities. Exploitation started within 10 hours of disclosure across multiple threat actors.

Severity: CRITICAL | Type: Advisory | Date: Apr 18, 2026

Action required
Immediately hunt for Marimo notebook execution in your environment, block known Hugging Face Space IOCs hosting NKAbuse, and scan for signs of credential theft and lateral movement on compromised systems.
Affected products / related entities
- Marimo
- Hugging Face Spaces
- NKAbuse
- Hugging Face
- Sysdig