CVE-2026-39987: Hackers Exploit Marimo AI Notebook to Deploy Blockchain Backdoor via Hugging Face

A CVSS 9.3 RCE flaw in the Marimo AI notebook tool was weaponized within 10 hours of disclosure, delivering NKAbuse — a Go-based backdoor using blockchain C2 — via a typosquatted Hugging Face Space. Saudi financial institutions adopting AI tooling must act now.

FyntraLink Team

On April 8, 2026, a critical unauthenticated remote code execution vulnerability in Marimo — a popular reactive Python notebook used by AI and data engineering teams — was publicly disclosed. Within ten hours, attackers were already exploiting it in the wild. The payload they delivered was not ordinary malware: it was NKAbuse, a Go-based backdoor that routes all its command-and-control traffic over the NKN blockchain, making detection and takedown considerably harder than with conventional C2 infrastructure.

What Is CVE-2026-39987 and Why Does It Score 9.3?

Marimo is an open-source reactive notebook for Python, increasingly adopted by AI/ML teams at banks, fintechs, and research units that want a more dynamic alternative to Jupyter. The vulnerability resides in Marimo's terminal WebSocket endpoint, which — in versions up to and including 0.20.4 — performs no authentication before granting a fully interactive shell to the connecting client. Any unauthenticated attacker who can reach a running Marimo instance on the network can immediately execute arbitrary system commands as the process owner. NIST assigned CVSS 9.3 (Critical), and the Sysdig Threat Research Team confirmed exploitation beginning less than ten hours after the advisory dropped. Between April 11 and April 14, Sysdig recorded 662 distinct exploit events originating from 11 unique source IP addresses spread across 10 countries — a clear indication of coordinated, automated scanning rather than opportunistic probing.

The NKAbuse Backdoor: Blockchain as Command-and-Control

The attack chain begins with a shell-script dropper served from a typosquatted Hugging Face Space named vsccode-modetx, designed to impersonate a legitimate VS Code tooling repository. Once executed, the dropper fetches a compiled Go binary named kagent — the NKAbuse implant. NKAbuse is not new malware, but this variant represents a significant evolution: its C2 channel runs exclusively over the NKN (New Kind of Network) decentralized peer-to-peer blockchain protocol, meaning there are no centralized C2 servers to sinkhole or block at the firewall. The implant establishes persistence silently through systemd user services or crontab entries on Linux and LaunchAgents on macOS endpoints, and begins beaconing to its blockchain-based overlay network immediately after installation. Once a foothold is established, attackers pivot rapidly: environment variables are harvested for AWS access keys, database connection strings (PostgreSQL, Redis), and OpenAI API tokens. Connected database instances have been observed being accessed within minutes of initial compromise.

Why This Matters for Saudi Financial Institutions

The Saudi financial sector is in an active phase of AI adoption. SAMA's Open Banking Framework and the broader Vision 2030 digitization agenda have accelerated deployment of AI/ML tooling inside banks, insurance companies, and payment processors — often in internal data science environments that sit adjacent to production systems and sensitive customer data. Marimo and similar notebooks are frequently run on developer workstations or internal servers with broad network reachability and privileged database credentials baked into environment variables. A successful exploit of CVE-2026-39987 in such an environment could expose customer PII (triggering PDPL notification obligations within 72 hours), internal financial records, and cloud infrastructure credentials. Under SAMA CSCC Domain 3 (Cybersecurity Operations), institutions are required to patch actively exploited vulnerabilities within defined SLAs — a timeline this attack vector almost certainly violates for organizations that have not yet audited AI tooling in their environments. NCA ECC controls 2-5-1 through 2-5-4 on vulnerability management similarly require timely remediation of disclosed flaws affecting systems that process or have access to sensitive data.

How Attackers Are Abusing Hugging Face as a Delivery Vehicle

The use of Hugging Face Spaces as malware hosting infrastructure deserves special attention. Hugging Face is a trusted, widely allowlisted platform in most corporate threat-intelligence and web-filtering configurations — meaning the dropper request often bypasses URL reputation controls that would flag a random domain. The typosquatted Space name (vsccode-modetx mimicking VS Code) is designed to pass casual visual inspection in proxy logs. This tactic is not unique to this campaign: threat actors have progressively shifted toward abusing legitimate, high-reputation developer platforms — GitHub, PyPI, npm, and now Hugging Face — for payload hosting precisely because institutional defenses are weakest against trusted sources. Security teams at Saudi financial institutions should treat all outbound connections to model-hosting and AI tooling platforms with the same scrutiny applied to generic file-hosting services.
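To make the proxy-layer point concrete, the following is an added example written for this article (not Fyntralink's or any vendor's detection content). It triages proxy log lines and flags two things: executable or shell-script downloads from the Hugging Face hosts named above, and Space slugs that sit one or two edits away from a known brand name without being equal to it, which is exactly how vsccode-modetx differs from vscode. The log line layout, the KNOWN_TOKENS allowlist and the sample log itself are constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Hosts the article names as the delivery channel.
HF_HOST = re.compile(r"(^|\.)(hf\.space|huggingface\.co)$")
# Responses that normal model/dataset traffic does not produce.
BINARY_TYPES = {"application/octet-stream", "application/x-executable",
                "application/x-sharedlib", "application/x-elf"}
SCRIPT_EXT = (".sh", ".bash", ".bin", ".elf")
# Brand names the organization expects in Space slugs (constructed allowlist,
# an assumption of this example). A slug token one or two edits away from one
# of these, without being equal to it, is a typosquat candidate.
KNOWN_TOKENS = {"vscode", "pytorch", "huggingface"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; catches 'vsccode' vs 'vscode' (distance 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_tokens(host: str) -> list:
    """Return 'token~known' pairs for slug tokens that nearly match a known name."""
    slug = host.split(".")[0]          # <slug>.hf.space, or 'huggingface' for the hub
    hits = []
    for tok in slug.split("-"):
        for known in sorted(KNOWN_TOKENS):
            if tok != known and levenshtein(tok, known) <= 2:
                hits.append(f"{tok}~{known}")
    return hits


def triage_line(line: str) -> list:
    """Reasons this line deserves an alert; [] when it is ordinary traffic.
    Assumed layout: <epoch> <client> <method> <url> <status> <bytes> <content-type>."""
    _ts, _client, _method, url, _status, _nbytes, ctype = line.split()[:7]
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not HF_HOST.search(host):
        return []                      # only Hugging Face traffic is in scope here
    reasons = []
    if ctype in BINARY_TYPES or parsed.path.lower().endswith(SCRIPT_EXT):
        reasons.append(f"executable/script download: {url}")
    for near in typosquat_tokens(host):
        reasons.append(f"typosquat candidate in Space name: {near}")
    return reasons


def triage(log: str) -> dict:
    """URL -> reasons, for every log line that triggers at least one reason."""
    alerts = {}
    for line in log.splitlines():
        if line.strip():
            reasons = triage_line(line)
            if reasons:
                alerts[line.split()[3]] = reasons
    return alerts


# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = """\
1775600000 10.20.1.15 GET https://huggingface.co/example-org/example-model/resolve/main/config.json 200 570 application/json
1775600012 10.20.1.15 GET https://vsccode-modetx.hf.space/install.sh 200 1340 text/x-sh
1775600013 10.20.1.15 GET https://vsccode-modetx.hf.space/kagent 200 8421376 application/octet-stream
1775600020 10.20.1.22 GET https://demo-space.hf.space/ 200 9120 text/html
"""

if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_LOG).items():
        print(url)
        for r in reasons:
            print("  -", r)
```

The model download on the first line and the plain HTML Space on the last line produce no alert; the two requests to the typosquatted Space are each flagged twice, once for the download type and once for the near-match slug. In production the allowlist would be the Spaces and organizations the data science teams actually use, and the edit-distance check is cheap enough to run on every proxy line.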

Recommended Actions for Security Teams

  1. Inventory AI/ML tooling immediately. Identify every instance of Marimo, Jupyter, or similar notebooks running inside your environment. Treat any instance reachable from a network segment broader than the individual developer's machine as a critical exposure.
  2. Upgrade Marimo to version 0.23.0 or later. This is the fixed release that closes the unauthenticated WebSocket terminal endpoint. If upgrading is not immediately possible, isolate Marimo instances behind authenticated reverse proxies or restrict access via host-based firewall rules.
  3. Audit environment variables in AI/ML containers and VMs. Remove production credentials from any environment running notebooks. Use secret management solutions (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) and rotate any credentials that may have been present on exposed instances.
  4. Block or inspect traffic to Hugging Face Spaces at the proxy layer. Apply TLS inspection to outbound connections to *.hf.space and huggingface.co and alert on unexpected downloads of binary executables.
  5. Hunt for NKAbuse indicators on endpoints. Check for binaries named kagent, systemd user service files created after April 8, 2026, and NKN peer-to-peer traffic (UDP/TCP port 30001 and related ranges). YARA rules and Sysdig's published IOCs are publicly available.
  6. Review SAMA CSCC patch SLA compliance. CVE-2026-39987 is CVSS 9.3 with confirmed active exploitation. Under most institutions' vulnerability management policies, this qualifies as a P1 requiring remediation or compensating controls within 24–72 hours of disclosure.
  7. Report potential compromises under PDPL Article 25. If investigation reveals that personal or financial data may have been exfiltrated, the 72-hour notification window to SDAIA begins at the point of discovery, not at the point of initial exploitation.
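The inventory, credential-audit and endpoint-hunt steps above (steps 1, 3 and 5), together with the persistence and credential-harvesting behaviour described in the NKAbuse section, can be checked with a short script. The following is an added example written for this article, not Sysdig's, Marimo's or Fyntralink's tooling. It runs offline on constructed samples; the input layouts it accepts (pip freeze output, an environment mapping, (path, mtime) records, ss -tunp-style socket lines) are assumptions of the example, and the credential regexes are ordinary public key formats rather than campaign IOCs. Only the 0.23.0 fixed release, the kagent binary name, the April 8, 2026 disclosure date and port 30001 come from the article.

```python
import re
from datetime import datetime, timezone

# Values taken from the article; everything else below is constructed.
FIXED_VERSION = (0, 23, 0)                          # first fixed Marimo release
DISCLOSURE = datetime(2026, 4, 8, tzinfo=timezone.utc)
NKN_PORT = 30001


# --- Step 1: inventory. Flag Marimo installs below the fixed release ------
def parse_version(text: str) -> tuple:
    """'0.20.4' -> (0, 20, 4); tolerates suffixes such as '0.20.4rc1'."""
    nums = [int(x) for x in re.findall(r"\d+", text)[:3]]
    nums += [0] * (3 - len(nums))
    return nums[0], nums[1], nums[2]


def unpatched_marimo(pip_freeze: str) -> list:
    """Return 'marimo==x.y.z' lines from `pip freeze` output that are below 0.23.0."""
    hits = []
    for line in pip_freeze.splitlines():
        m = re.match(r"^\s*marimo==(\S+)", line, re.IGNORECASE)
        if m and parse_version(m.group(1)) < FIXED_VERSION:
            hits.append(line.strip())
    return hits


# --- Step 3: audit the notebook process environment for credentials -------
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "postgres_url": re.compile(r"\bpostgres(?:ql)?://\S+"),
    "redis_url": re.compile(r"\bredis://\S+"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
}


def audit_env(env: dict) -> dict:
    """Variable name -> credential type. Values are never returned, so the report leaks nothing."""
    findings = {}
    for name, value in env.items():
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(value):
                findings[name] = kind
                break
    return findings


# --- Step 5: hunt for NKAbuse artefacts ------------------------------------
USER_UNIT = re.compile(r"/\.config/systemd/user/[^/]+\.service$")


def hunt_files(records: list) -> list:
    """records are (path, mtime) pairs; flags kagent binaries and user units written since disclosure."""
    hits = []
    for path, mtime in records:
        if path.rsplit("/", 1)[-1] == "kagent":
            hits.append(f"binary: {path}")
        elif USER_UNIT.search(path) and mtime >= DISCLOSURE:
            hits.append(f"recent user unit: {path}")
    return hits


def hunt_sockets(ss_output: str) -> list:
    """Flag `ss -tunp`-style lines (Netid State Recv-Q Send-Q Local Peer ...) whose peer port is NKN's."""
    hits = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[5].rsplit(":", 1)[-1] == str(NKN_PORT):
            hits.append(line.strip())
    return hits


# --- Constructed sample inputs (not real data) ----------------------------
SAMPLE_FREEZE = "numpy==2.2.0\nmarimo==0.20.4\npandas==2.2.3\n"
SAMPLE_ENV = {
    "HOME": "/home/ds",
    "AWS_ACCESS_KEY_ID": "AKIAEXAMPLEEXAMPLE01",          # constructed, not a real key
    "DATABASE_URL": "postgresql://app:pw@db.internal:5432/ledger",
    "OPENAI_API_KEY": "sk-constructedexamplekey0123456789",
}
SAMPLE_FILES = [
    ("/usr/bin/python3", datetime(2025, 12, 1, tzinfo=timezone.utc)),
    ("/home/ds/.local/bin/kagent", datetime(2026, 4, 9, tzinfo=timezone.utc)),
    ("/home/ds/.config/systemd/user/update.service", datetime(2026, 4, 9, 3, tzinfo=timezone.utc)),
    ("/home/ds/.config/systemd/user/pulse.service", datetime(2025, 6, 1, tzinfo=timezone.utc)),
]
SAMPLE_SS = """\
Netid State Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
tcp   ESTAB 0      0      10.20.1.15:51234   203.0.113.44:30001 users:(("kagent",pid=4242,fd=7))
tcp   ESTAB 0      0      10.20.1.15:51300   10.20.0.9:5432     users:(("python3",pid=3101,fd=12))
"""


def run_hunt() -> dict:
    """Run every check over the samples; swap in live data for real use."""
    return {
        "unpatched": unpatched_marimo(SAMPLE_FREEZE),
        "credentials_in_env": audit_env(SAMPLE_ENV),
        "file_iocs": hunt_files(SAMPLE_FILES),
        "nkn_sockets": hunt_sockets(SAMPLE_SS),
    }


if __name__ == "__main__":
    for section, result in run_hunt().items():
        print(f"{section}: {result}")
```

On a real host the four functions would be fed from `pip freeze`, the notebook process's environment (`/proc/<pid>/environ` on Linux), a walk of the filesystem with `os.stat` mtimes, and `ss -tunp` output. The version check deliberately treats anything below 0.23.0 as unpatched, matching step 2 above rather than the narrower "0.20.4 and earlier" affected range, since the goal is to confirm the fixed release is present. The credential audit reports variable names only, so its output can be attached to a ticket without copying the secret it found.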

Conclusion

CVE-2026-39987 is a textbook example of how the explosion of AI developer tooling has created a new and largely unaudited attack surface inside financial institutions. The speed of exploitation — under ten hours from disclosure to active weaponization — leaves almost no margin for slow patch cycles. The use of a blockchain-based C2 channel compounds the challenge: traditional network-based indicators are insufficient for detection, and takedown of attacker infrastructure is practically impossible. Saudi banks and financial institutions must extend their vulnerability management programs and threat-hunting capabilities to cover AI/ML toolchains with the same rigor applied to production systems.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment, including an AI/ML toolchain security review aligned with SAMA CSCC and NCA ECC requirements.