Multiple attacks weaponizing critical Marimo RCE identified

Numerous threat actors have launched intrusions abusing the critical remote code execution flaw in the open-source Python notebook Marimo, tracked as CVE-2026-39987, to deploy illicit payloads and compromise data. Exploitation was first observed within hours of the vulnerability's disclosure last week, BleepingComputer reports.

Threat actors behind one of the campaigns leveraged CVE-2026-39987 to distribute a novel iteration of the NKAbuse malware hosted on Hugging Face Spaces, findings from Sysdig revealed. Initial exploitation of the flaw was followed by the execution of a curl command that downloaded and executed a dropper script from Hugging Face, eventually delivering the updated NKAbuse payload, which features both remote access trojan and distributed denial-of-service capabilities.

Another attack, by a Germany-based actor, used the Marimo RCE to attempt 15 reverse-shell techniques, obtain database credentials, and establish a connection with PostgreSQL for data enumeration. Separately, a Hong Kong-based attacker leveraged the bug to pilfer .env credentials for a subsequent Redis server compromise.
