CVE-2026-39987 update: How attackers weaponized marimo to deploy a blockchain botnet via HuggingFace
ID: f97ad140-decc-59f1-966d-cad129af7ad1
STIX ID: report--f97ad140-decc-59f1-966d-cad129af7ad1
Feed Name: Sysdig Blog
Sysdig Threat Research observed active exploitation of marimo CVE-2026-39987 within days of disclosure, with multiple operators performing credential harvesting, reverse shells, DNS-based OOB confirmation, and lateral movement to PostgreSQL and Redis; one operator deployed a UPX-packed NKAbuse Go backdoor (kagent) hosted on a typosquatted HuggingFace Space, and the report provides malware hashes, IOCs, detection rules, and remediation recommendations.
