A critical pre-authentication remote code execution flaw in the Marimo open-source Python notebook platform was exploited in the wild less than 10 hours after disclosure, giving attackers an unauthenticated path to a full PTY shell through the /terminal/ws WebSocket endpoint. The vulnerability, tracked as GHSA-2679-6mx9-h9xc and later assigned CVE-2026-39987, affects Marimo versions 0.20.4 and earlier and carries a CVSS 9.3 severity rating. Marimo addressed the issue in version 0.23.0.
Sysdig said it observed the first exploitation attempt against a honeypot 9 hours and 41 minutes after the advisory was published, despite the absence of a public proof-of-concept at the time. The attacker reportedly validated the flaw, obtained interactive shell access, searched the filesystem for .env files and SSH keys, and accessed fake AWS credentials planted on the system; Sysdig also recorded 125 additional unique IP addresses conducting reconnaissance in the first 12 hours. Researchers said the activity appeared to involve a human operator and warned defenders to patch immediately, restrict exposure to /terminal/ws, rotate potentially exposed secrets, and monitor for suspicious WebSocket connections.
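As an added example (not from Sysdig's write-up or the Marimo project), the following Python triages constructed reverse-proxy access log lines for the monitoring step above: an external client whose WebSocket upgrade to /terminal/ws succeeded (HTTP 101) is counted as an established shell session, and any other external hit on the endpoint as a probe. The nginx combined log format, the addresses, and the trusted-range prefixes are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in nginx "combined" format; addresses and
# timestamps are made up for this example and do not come from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Apr/2026:19:12:03 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets/12.0"
198.51.100.22 - - [08/Apr/2026:19:15:44 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [08/Apr/2026:19:15:45 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "curl/8.5.0"
192.0.2.9 - - [08/Apr/2026:19:20:10 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Go-http-client/1.1"
10.0.0.5 - - [08/Apr/2026:19:21:00 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

TERMINAL_PATH = "/terminal/ws"
# Assumption: these prefixes are the operator's trusted internal ranges.
INTERNAL_PREFIXES = ("10.", "192.168.", "127.")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """'session' = successful WebSocket upgrade (101) to /terminal/ws from an
    external source; 'probe' = any other external hit on the endpoint;
    None = not relevant (other path, or internal source)."""
    if entry["path"].split("?")[0] != TERMINAL_PATH:
        return None
    if entry["ip"].startswith(INTERNAL_PREFIXES):
        return None
    return "session" if entry["status"] == "101" else "probe"


def triage(log_text):
    """Return {ip: {'session': n, 'probe': n}} for external /terminal/ws traffic."""
    findings = defaultdict(lambda: {"session": 0, "probe": 0})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings[entry["ip"]][label] += 1
    return dict(findings)
```

Any IP with a non-zero session count had an interactive terminal reachable without authentication on an unpatched instance, so it belongs at the top of the secret-rotation list.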

Timeline: 6 events, from the most recent confirmed update back to the earliest known activity.
Between 2026-04-11 and 2026-04-14, Sysdig documented 662 exploit events in which attackers used CVE-2026-39987 to harvest credentials, attempt reverse shells, and move laterally into PostgreSQL and Redis. The most significant activity involved deployment of a previously undocumented NKAbuse malware variant hosted on a typosquatted HuggingFace Space and disguised as a Kubernetes tool named kagent.
During the first 12 hours after disclosure, Sysdig recorded one source IP performing actual exploitation and 125 additional unique IPs conducting reconnaissance. The activity showed rapid attacker interest in internet-facing Marimo instances immediately after the advisory became public.
After exploiting the flaw, the threat actor obtained an interactive shell, explored the filesystem, read a .env file containing fake AWS credentials and secrets, and searched for SSH keys. Sysdig described the activity as methodical and partly manual, with the operator returning later to recheck the target.
Sysdig observed the first exploitation attempt against a honeypot Marimo instance 9 hours and 41 minutes after disclosure on 2026-04-08. The attacker used advisory details to build an exploit despite there being no public proof-of-concept at the time.
Marimo addressed the vulnerability by releasing version 0.23.0. The update fixed the authentication bypass in the /terminal/ws endpoint that allowed attackers to obtain a shell and execute arbitrary commands.
On 2026-04-08, a critical remote code execution flaw affecting Marimo versions 0.20.4 and earlier was publicly disclosed. The issue involved the unauthenticated /terminal/ws WebSocket endpoint and was later tracked as GHSA-2679-6mx9-h9xc and CVE-2026-39987.