Find notable cyber news and cases, enriched with sources, timelines, and signals.
Campaign

Marimo exploitation delivered through a typosquatted Hugging Face Space

Updated 16.04.2026 19:58
Case score 58
Case score 58 Members 1 Latest activity 16.04.2026 19:58
Members 1 First seen 16.04.2026 19:58 Last seen 16.04.2026 19:58 Updated 16.04.2026 19:58

Overview

Attackers used **Hugging Face Spaces** as delivery infrastructure after exploiting **CVE-2026-39987** in **Marimo**, placing a typosquatted Space named **vsccode-modetx** online with **install-linux.sh** and a **kagent** binary. The payload chain fetched the script with curl, installed a previously undocumented **NKAbuse** variant, and set up persistence with **systemd**, **cron**, or **macOS LaunchAgent**. Available evidence points to active exploitation and malware delivery, but not to the operator's identity or the full reach of the activity.

Signals

3 derived
Impact signals
CVEs/products
CVE
Status
Campaign status Active
Threat context
Malware

Malware context

1 families

Member happenings

1 related
Campaign Hugging Face Spaces vsccode-modetx dropper campaign
Updated 16.04.2026 19:58 Lead Contribution 58
Campaign Active

The **April 12, 2026** campaign abusing **Hugging Face Spaces** broadened malicious delivery against AI platform users and increased the risk of stealthy payload execution. An attacker used a typosquatted Space, **vsccode-modetx**, to host **install-linux.sh** and a malware binary named **kagent**. The chain used **curl** to fetch the script, install the payload, and set persistence through **systemd**, **cron**, or **LaunchAgent**. The operation matters because it leverages a legitimate-looking HTTPS service to reduce detection while delivering post-exploitation tooling.