← CIO Briefings · Critical Impact ACTION REQUIRED

AI Development Infrastructure Under Active Attack — Marimo RCE Exploited at Scale Across Data Science Environments

A critical pre-authentication RCE vulnerability in the Marimo Python notebook (CVE-2026-39987, CVSS 9.3) has been weaponised at mass scale, with 662 exploitation events recorded in three days, credential theft completing within minutes of compromise, and NKAbuse malware being deployed for persistent access. Organisations running Marimo in data science, AI/ML, or research environments must patch immediately and hunt for indicators of prior compromise.

3 min read

What Happened

A critical unauthenticated remote code execution vulnerability in Marimo — an open-source Python notebook widely used in data science, machine learning, and AI development workflows — has been under mass exploitation since April 11, 2026. Sysdig’s security research team recorded 662 exploitation events in the 72 hours following public vulnerability disclosure, with attackers completing credential theft from compromised systems in under three minutes.

The flaw (CVE-2026-39987, CVSS 9.3) requires no credentials and no user interaction. An attacker who can reach the Marimo server over a network issues a single request and receives full interactive shell access at the privilege level of the server process. Organisations using Marimo in cloud environments — where notebook servers often run with cloud IAM credentials attached — face the additional risk of the attack pivoting from the notebook server to cloud infrastructure.

The primary malware payload observed in exploitation sessions is NKAbuse, a persistent backdoor that uses the decentralised NKN peer-to-peer network for command and control. Because NKAbuse routes traffic through a blockchain-based P2P network rather than attacker-controlled domains, conventional domain-blocking measures do not prevent its C2 communications.

Business Impact

Organisations running Marimo in data science or AI development teams face several categories of immediate risk:

  • Cloud credential exposure: Notebook servers in AWS, Azure, and GCP environments frequently have IAM role credentials accessible via instance metadata. An attacker who gains shell access can extract and exfiltrate cloud credentials within minutes, enabling access to storage, databases, and cloud infrastructure beyond the compromised host.
  • Intellectual property and model theft: Data science environments contain proprietary models, training data, and research outputs. The three-minute credential theft window documented by Sysdig indicates attackers are operating efficiently to maximise value extraction before detection.
  • Persistent access via NKAbuse: Compromised hosts with NKAbuse installed retain backdoor access even after patching the Marimo vulnerability. Patch deployment alone does not remediate a compromise that has already occurred.
  • Lateral movement risk: Data science infrastructure is commonly connected to internal data lakes, feature stores, and production model serving infrastructure. A compromised notebook server provides a foothold for wider network access.

Board-Ready Summary

A critical vulnerability in a Python development tool widely used by data science and AI teams is being exploited by attackers at scale. An attacker who can reach one of these servers — even over an internal network — gets full control of the server and everything it can access, including cloud credentials and internal data systems.

If your organisation uses this tool, your security team must apply an emergency patch today and investigate whether any servers were compromised before the patch was applied.

Immediate — within 24 hours:

  1. Identify all Marimo deployments in your environment: development servers, shared data science platforms, cloud notebook instances, and CI/CD pipeline components
  2. Upgrade all Marimo installations to version 0.23.0 or later immediately
  3. If immediate upgrade is not possible, block external and internal network access to Marimo server ports (default: 2718) for all hosts not requiring it, at the network or host firewall level

Within 48 hours: 4. Hunt for NKAbuse indicators on hosts running Marimo: unexpected outbound connections using NKN protocol, unfamiliar processes in Marimo working directories, and WebSocket connections to /terminal/ws from unauthorised sources in web access logs 5. Rotate cloud credentials accessible from any Marimo-hosting environment — treat all such credentials as potentially compromised until confirmed clean

Ongoing: 6. Review security monitoring coverage for AI/ML infrastructure: confirm EDR agents are deployed and logging is ingested into your SIEM for data science servers, which are commonly excluded from standard endpoint security programmes