
Marimo OSS Python Notebook RCE: From Disclosure to Exploitation in Under 10 Hours

ID: 5d9b2e17-eec2-5a51-b422-8781d4623bc4

STIX ID: report--5d9b2e17-eec2-5a51-b422-8781d4623bc4

Feed Name: Sysdig Blog

Threat Score: 80/100

Date Published: 2026-04-09

Date Updated: 2026-05-01


**Executive summary:** A critical pre-auth RCE in marimo's /terminal/ws WebSocket endpoint (GHSA-2679-6mx9-h9xc, CVSS 9.3) was disclosed and weaponized within 9 hours 41 minutes. Sysdig TRT honeypots recorded an attacker (49.207.56.74) obtaining an interactive shell and exfiltrating .env credentials in under three minutes, demonstrating how quickly advisories for niche projects are exploited and the high risk of cloud credential compromise. Recommended actions: patch to marimo 0.23.0, restrict or disable the terminal endpoint, rotate exposed secrets, and monitor WebSocket traffic.
