Hackers Use Marimo Flaw to Deploy NKAbuse via Hugging Face
⚠️Researchers observed attackers exploiting a critical Marimo remote code execution flaw (CVE-2026-39987) to deploy a new NKAbuse variant hosted on Hugging Face Spaces. Attack activity began within hours of public disclosure, with a Space named "vsccode-modetx" serving a dropper script and a malicious binary labeled kagent. The dropper retrieves and runs the payload via curl, then installs persistence via systemd, cron, or macOS LaunchAgent, while Spaces' legitimate HTTPS hosting helps evade detection. Operators are urged to upgrade to version 0.23.0 or block the '/terminal/ws' endpoint if upgrades are not possible.
