Hugging Face Spaces vsccode-modetx dropper campaign
Campaign
Summary
The April 12, 2026 campaign abusing Hugging Face Spaces broadened malicious delivery against AI platform users and increased the risk of stealthy payload execution. An attacker used a typosquatted Space, vsccode-modetx, to host install-linux.sh and a malware binary named kagent. The chain used curl to fetch the script, install the payload, and set persistence through systemd, cron, or LaunchAgent. The operation matters because it leverages a legitimate-looking HTTPS service to reduce detection while delivering post-exploitation tooling.
Related Happenings
Daemon Tools Lite trojanized installer campaign
Campaign
First: 07.05.2026 12:30
Last: 07.05.2026 12:30
Sources 1
About this happening:
A **trojanized Daemon Tools Lite installer campaign** is driving **several thousand infection attempts** across **more than 100 countries**, turning a trusted download into a malw...
DAEMON Tools Lite trojanized installer wave
Exploitation Wave
First: 06.05.2026 19:43
Last: 06.05.2026 19:43
Sources 1
About this happening:
Trojanized **DAEMON Tools Lite** installers backdoored **thousands of systems** in **more than 100 countries**, turning a trusted download path into a broad infection wave. The co...
QUIC RAT delivered through compromised DAEMON Tools installers
Malware Activity
First: 05.05.2026 19:07
Last: 05.05.2026 19:07
Sources 1
About this happening:
A follow-on **QUIC RAT** payload was delivered through compromised **DAEMON Tools installers**, extending the supply-chain intrusion into **remote access** on a small subset of in...
Latest development: 07.05.2026 12:30
Disc Soft released malware-free Daemon Tools Lite Version 12.6 on May 5 after being notified of the supply chain attack on its build environment, and the affected 12.5.1 build was removed from distribution so users could move to the cleaned release.
ClickFix DNS-based nslookup staging campaign
Campaign
First: 15.02.2026 16:10
Last: 15.02.2026 16:10
Sources 1
About this happening:
The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...
LummaStealer infection surge via CastleLoader
Malware Activity
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
Timeline
- 16.04.2026 19:58 · 2 articles · 1mo ago
April 12 Hugging Face Space vsccode-modetx hosts NKAbuse dropper
Campaign Scope Update: An attacker created a Hugging Face Space named vsccode-modetx, a typosquat for VS Code, and used it to host install-linux.sh and a malware binary named kagent; after exploitation of Marimo, the payload was fetched with curl and installed with persistence through systemd, cron, or macOS LaunchAgent.
Sources:
- Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face — www.bleepingcomputer.com — 16.04.2026 19:58
- Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face — www.bleepingcomputer.com — 16.04.2026 19:58
- 16.04.2026 19:58 · 1 article · 1mo ago
Sysdig discloses Marimo CVE-2026-39987 exploitation and NKAbuse delivery
Initial Disclosure: Sysdig reports active exploitation of CVE-2026-39987 in the Marimo reactive Python notebook, with attackers using Hugging Face Spaces to deliver a new NKAbuse variant that can execute shell commands and return output to the operator; the report recommends upgrading to version 0.23.0 or later or blocking external access to /terminal/ws.
Sources:
- Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face — www.bleepingcomputer.com — 16.04.2026 19:58