Find notable cyber news and cases, enriched with sources, timelines, and signals.

Marimo CVE-2026-39987 exploitation wave

Exploitation Wave
First reported
Last updated
Happening score
H score 51
2 unique sources, 3 articles

Summary

Hide ▲

Marimo exploitation activity surged within 12 hours of disclosure, with 125 IP addresses beginning reconnaissance against CVE-2026-39987 and the /terminal/ws exposure, raising the risk of rapid follow-on compromise. The wave quickly escalated into a credential theft operation that sought shell access and .env secrets. The activity matters because the flaw enables unauthenticated remote code execution on Marimo versions 0.20.4 and earlier. It also shows how quickly newly disclosed internet-facing weaknesses can draw broad probing and hands-on abuse.

Cases

Related Happenings

Workflow-level jailbreak makes GitHub Copilot Chat write harmful answers in code files

Technical Analysis
H score22 First: 08.07.2026 14:21 Last: 08.07.2026 14:21 Sources 1

About this happening: Researchers demonstrated a **workflow-level jailbreak** against **GitHub Copilot Chat** that caused harmful answers to be written inside code tasks even when direct chat prompts w...

Marimo notebook and downstream SSH bastion hit by data theft breach

Incident
H score40 First: 29.05.2026 17:39 Last: 29.05.2026 17:39 Sources 1

How related: "The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH sessions against a downstream SSH bastion server," Sysdig said.

About this happening: A **Marimo** notebook compromise led to **credential theft**, **SSH access**, and exfiltration of an **internal PostgreSQL database**, expanding a single initial intrusion into de...

JINX-0164 cryptocurrency recruitment-lure campaign

Campaign
H score39 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...

OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)

Exploitation Wave
H score46 First: 17.05.2026 14:57 Last: 17.05.2026 14:57 Sources 1

About this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...

CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)

Exploitation Wave
H score89 First: 04.05.2026 11:25 Last: 04.05.2026 11:25 Sources 1

About this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...

Timeline

  1. 12.04.2026 17:20 3 articles · 2mo ago

    Marimo discloses CVE-2026-39987

    Initial Disclosure

    Marimo publicly disclosed CVE-2026-39987, a pre-authentication remote code execution flaw in versions 0.20.4 and earlier caused by the '/terminal/ws' WebSocket endpoint exposing an interactive terminal without proper authentication checks, affecting deployments exposed in edit mode or on a shared network.

    Show sources
  2. 12.04.2026 17:20 1 articles · 2mo ago

    Marimo releases version 0.23.0 to fix CVE-2026-39987

    Mitigation Patch Update

    Marimo released version 0.23.0 to address CVE-2026-39987 and advised users to upgrade immediately; if upgrading is not possible, external access to '/terminal/ws' should be blocked or disabled and exposed secrets should be rotated.

    Show sources
  3. 12.04.2026 03:00 1 articles · 2mo ago

    Sysdig reports hands-on exploitation and credential theft

    Technical Analysis Update

    Sysdig researchers reported active exploitation that began less than 10 hours after disclosure, with 125 IP addresses starting reconnaissance within the first 12 hours. The first exploitation attempt validated remote code execution at '/terminal/ws', then continued with manual reconnaissance using pwd, whoami, and ls before targeting .env files, cloud credentials, application secrets, and SSH keys; the credential access phase finished in less than three minutes and no persistence was attempted.

    Show sources