Code Security April 21, 2026 · 4 min read · By Forum Desk

A Python Notebook RCE Was Weaponized in Under Ten Hours — What the Marimo Flaw Tells Us About Dev-Tool Exposure

Attackers exploited a pre-auth RCE in the Marimo notebook platform nine hours and forty-one minutes after disclosure, harvesting credentials and deploying malware routed through Hugging Face. The speed collapses the patch window for developer tooling that security teams rarely inventory.


Open-source developer tooling keeps moving deeper into the crosshairs, and the gap between disclosure and weaponization is now measured in hours rather than weeks. On April 10, The Hacker News reported that a pre-authentication remote code execution flaw in Marimo, a Python notebook platform popular with data-science and machine-learning teams, was exploited nine hours and forty-one minutes after its public advisory shipped.

The flaw, in one line

CVE-2026-39987 carries a CVSS score of 9.3 and affects every Marimo release prior to 0.23.0. The failure is narrow but severe. The terminal WebSocket endpoint at /terminal/ws performs no authentication check, so any attacker who can reach the Marimo server can open a full PTY shell as the user running the notebook — no credentials, no token, no session. On a laptop, a shared dev VM, or any internal service that inadvertently binds to a reachable interface, that is unauthenticated code execution on whatever account the process runs as.

Marimo shipped a fix in 0.23.0, but the exploit window closed faster than most patch cycles can move. Sysdig researchers documented 662 exploit events between April 11 and April 14, originating from eleven unique IP addresses across ten countries — meaning multiple operator groups were running the exploit inside a day of the advisory.

What the early campaigns are doing

Per Sysdig’s telemetry, the initial wave focused on credentials. Attackers pulled environment variables out of .env files and scraped SSH keys within minutes of landing a shell — the standard pre-loot pattern, not ransomware. A second campaign then deployed the NKAbuse malware family, notable for routing its distribution through Hugging Face Spaces. That detail deserves attention on its own: adversaries are increasingly using legitimate AI and ML platforms as payload infrastructure, and most outbound-traffic monitoring does not yet flag Hugging Face or other model-hosting domains as suspect.

The target profile reinforces the point. Marimo is not an enterprise crown-jewel system; it is a Jupyter-style tool that developers and data scientists run on their own machines. Attackers do not care about the tier. An unauthenticated RCE against a tool running on thousands of engineering laptops is worth weaponizing regardless of where it sits in the criticality hierarchy.

What this means

For practitioners, the Marimo incident sharpens three postures.

First, developer-tooling inventory is a security problem. If the security team cannot enumerate the IDE servers, notebook daemons, language servers, and agent processes running inside the environment, the attack surface is invisible by definition. A flaw in any of them lands on gear nobody owned until it went loud.

Second, any internal-facing endpoint must assume network exposure. A WebSocket bound to localhost is one misconfigured reverse proxy, split-tunnel VPN, or Tailscale share away from the internet — and Marimo is a textbook example of “we assumed this would never be reachable.” Authenticating internal-only endpoints is no longer optional.

Third, ten hours is the new benchmark. Patch cadences measured in weeks — common for dev tooling because it is not classified as production — are out of sync with how fast threat actors now operationalize a CVE. Detection engineers tracking egress to Hugging Face, GitHub Codespaces, Replit, and similar hosted-ML destinations should treat that traffic as part of the modern malware-distribution pipeline, not safe-listed developer activity.
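
The first two postures (inventory and assumed exposure) can be turned into a host check. The following is an added example, not code from the article, Sysdig, or Marimo: it flags Marimo versions prior to 0.23.0 and listeners bound to anything other than loopback. The `ss -ltnp` sample lines, ports, PIDs, and the `marimo` process name are constructed assumptions.

```python
import ipaddress
import re

FIXED = (0, 23, 0)  # first fixed release named in the article

# Constructed sample of `ss -ltnp` output; ports, PIDs and names are made up.
SAMPLE_LISTENERS = """\
LISTEN 0 128 127.0.0.1:8001 0.0.0.0:* users:(("marimo",pid=4121,fd=7))
LISTEN 0 128 0.0.0.0:8001 0.0.0.0:* users:(("marimo",pid=9310,fd=7))
LISTEN 0 128 [::]:8080 [::]:* users:(("marimo",pid=702,fd=9))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=611,fd=3))
"""

def parse_version(text):
    """'0.9.30' -> (0, 9, 30). Compared as integers, not strings."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_vulnerable(version):
    """True for any release prior to 0.23.0 (suffixes like 'rc1' are ignored)."""
    return parse_version(version) < FIXED

def reachable(bind):
    """True unless the listener is bound to a loopback address."""
    host = bind.rsplit(":", 1)[0].strip("[]")
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # '*' or an unparsable address: assume exposed

def exposed_listeners(ss_text, names=("marimo",)):
    """Return (process, pid, bind) for watched tools listening off loopback."""
    hits = []
    for line in ss_text.splitlines():
        fields = line.split()
        proc = re.search(r'\(\("([^"]+)",pid=(\d+)', line)
        if len(fields) < 5 or fields[0] != "LISTEN" or not proc:
            continue
        if proc.group(1) in names and reachable(fields[3]):
            hits.append((proc.group(1), int(proc.group(2)), fields[3]))
    return hits

if __name__ == "__main__":
    for name, pid, bind in exposed_listeners(SAMPLE_LISTENERS):
        print(f"{name} pid={pid} listening on {bind}: not loopback-only")
    for v in ("0.9.30", "0.22.4", "0.23.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

A notebook started as `python -m marimo` would show up under the interpreter's name, so extend `names` (or match on the command line) to fit how the tool is launched in your environment.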