Marimo AI Notebook RCE CVE-2026-39987 Exploited at Scale — 662 Events in Three Days, NKAbuse Malware Deployed

CVE-2026-39987, a pre-authentication remote code execution vulnerability in the Marimo Python notebook, has moved from initial exploitation to sustained mass attack. Sysdig’s Threat Research Team recorded 662 exploitation events between April 11 and 14, 2026 — within 72 hours of public disclosure — with attackers completing credential theft from compromised environments in under three minutes. The primary malware payload observed in exploitation campaigns is NKAbuse, a multi-platform threat that uses the decentralised NKN (New Kind of Network) peer-to-peer protocol for command and control, making traditional domain-based C2 blocking ineffective.

The Vulnerability

The /terminal/ws WebSocket endpoint in Marimo provides an interactive PTY shell to the process running the notebook server. Unlike every other protected endpoint in Marimo, this endpoint performs no authentication check before accepting the connection — it only validates the running mode and platform support. An unauthenticated attacker who can reach the server over the network issues a single HTTP upgrade to WebSocket and immediately receives root-equivalent interactive shell access.

The vulnerability affects all Marimo versions up to and including 0.20.4. Version 0.23.0 introduces authentication validation on the terminal endpoint. The severity (CVSS 9.3) reflects the no-credential, no-interaction network attack vector.

Exploitation at Scale

Sysdig’s production honeypots were first hit within 9 hours and 41 minutes of public disclosure — before any public proof-of-concept code had been released. Attackers were constructing working exploits directly from the advisory.

Over the three days following disclosure, Sysdig observed:

• 662 exploitation events targeting the endpoint across monitored environments
• Credential harvesting completed in under 3 minutes from the point of initial shell access — attackers moved immediately to extract environment variables, cloud credentials, SSH private keys, and configuration files
• Multiple distinct threat actor clusters identified by their post-exploitation tooling and behaviour, indicating the vulnerability attracted opportunistic attackers, not a single organised group

NKAbuse Payload

The most commonly observed malware deployment across Marimo exploitation sessions is NKAbuse, a Go-based multi-platform backdoor that uses the NKN decentralised P2P protocol for command and control. NKN is a legitimate blockchain-based network intended for distributed communications. NKAbuse abuses it to route C2 traffic without relying on attacker-controlled domains or IP addresses.

This C2 mechanism makes conventional blocking difficult: there is no domain to sinkhole, no fixed IP to block at the perimeter, and the traffic pattern resembles legitimate P2P applications. Detection requires behavioural signals — unexpected outbound NKN protocol connections from notebook servers, unusual processes spawned from Marimo’s working directory, and process trees that reveal shell activity following WebSocket connections.

NKAbuse establishes persistent access and can receive follow-on commands for further data exfiltration, lateral movement, or payload deployment.

Why AI/ML Infrastructure Is High-Value

Marimo is used across data science teams, AI/ML development pipelines, and research environments. These hosts often run with:

• Cloud credential access — notebook servers in cloud environments frequently have IAM role credentials mounted via instance metadata, granting cloud-wide access
• High-privilege service accounts — notebooks running automated ML pipelines may have broad internal API access
• Unrestricted outbound connectivity — data science infrastructure is commonly excluded from network segmentation applied to production systems, facilitating easy exfiltration
• Limited security monitoring — ML infrastructure is often a security monitoring blind spot, with EDR agents not deployed and SIEM coverage inconsistent

An attacker who exploits CVE-2026-39987 in a cloud-connected Marimo environment may pivot from the notebook server to the cloud control plane in minutes.

Recommended Actions

• Upgrade immediately: Install Marimo 0.23.0 or later. This is the only complete remediation; no workaround substitutes for patching the authentication gap.
• Network-restrict Marimo servers: If immediate upgrade is not possible, restrict access to the Marimo process port to localhost or a specific trusted internal IP range using a firewall rule or network policy.
• Hunt for NKAbuse indicators: Search for unexpected outbound connections to NKN infrastructure, unexpected Go binaries or processes in Marimo working directories, and WebSocket connections to /terminal/ws from non-authorised source IPs in web server logs.
• Audit cloud credential scope: Review what cloud credentials are accessible from hosts running Marimo. Scope IAM roles to the minimum required; rotate any credentials potentially exposed on compromised hosts.
• Review ML infrastructure security monitoring: Confirm that EDR agents are deployed on notebook servers and that their logs are ingested into your SIEM with appropriate alerting rules.

Broader Context

CVE-2026-39987 follows the pattern of CVE-2026-5752 (Cohere Terrarium) and the Google Antigravity vulnerabilities disclosed this week — AI development and execution tooling is consistently the target of high-severity attacks in 2026. The common thread is that tools built for developer productivity in trusted environments have weak security boundaries when exposed beyond their assumed trust context. Marimo notebook servers deployed on shared infrastructure or accessible beyond the developer’s local machine should be treated as network-exposed services requiring the same hardening as any other internet-accessible application.