Active Threat, Practitioner Action Required
If you run Marimo notebooks or pull artifacts from Hugging Face Spaces in enterprise environments, check your allowlist configuration now. The indicator of compromise is a Hugging Face Space named “vsccode-modetx”, a typosquat of “vscode-modext.” Block or audit this space immediately.
CVE-2026-39987 is a remote code execution vulnerability in the Marimo Python notebook platform. The flaw is being actively exploited. According to Sysdig threat intelligence, more than 660 exploit events were recorded across 10 countries within 72 hours of initial detection on April 17. The campaign is ongoing through the current reporting period.
The attack chain has three stages. First, the attacker delivers the payload through a typosquatted Hugging Face Space, “vsccode-modetx”, which mimics a legitimate developer tool closely enough to pass surface-level inspection. Second, the RCE vulnerability in Marimo executes the payload without requiring user interaction beyond opening an affected notebook. Third, the deployed malware, identified as “kagent”, impersonates legitimate Kubernetes AI agent processes, masking its presence in container environments by mimicking traffic and process signatures that enterprise security tools are configured to trust.
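The allowlist check called for at the top of this brief, applied to the first stage of the chain just described, as an added example (not code from the brief, Marimo, Sysdig or Hugging Face): it pulls Hugging Face Space references out of notebook or configuration text, blocks the exact known-bad name from the brief, and flags any other name within a small edit distance of an allowlisted Space as a probable typosquat. The known-bad and legitimate names come from the brief; the owner names, the sample notebook text, and the edit-distance threshold are constructed assumptions.

```python
"""Audit text for Hugging Face Space references and classify each one.

Added example, not the brief's or any project's own code.  Known-bad and
legitimate Space names come from the brief; everything else is constructed.
"""
import re

KNOWN_BAD_SPACES = {"vsccode-modetx"}    # IoC named in the brief
ALLOWLISTED_SPACES = {"vscode-modext"}   # legitimate name the typosquat mimics (from the brief)

# huggingface.co/spaces/<owner>/<name> URLs
_URL_RE = re.compile(r"huggingface\.co/spaces/([\w.-]+)/([\w.-]+)")
# huggingface_hub calls of the form repo_id="owner/name", ..., repo_type="space"
_REPO_RE = re.compile(
    r"""repo_id\s*=\s*["']([\w.-]+)/([\w.-]+)["'][^)\n]*repo_type\s*=\s*["']space["']"""
)


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1 (so "tx" vs "xt" counts once)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def extract_space_refs(text: str) -> list:
    """Return sorted (owner, space_name) pairs referenced in the text."""
    refs = set()
    for pattern in (_URL_RE, _REPO_RE):
        for m in pattern.finditer(text):
            refs.add((m.group(1), m.group(2)))
    return sorted(refs)


def classify_space(name: str, max_distance: int = 2) -> str:
    """block: exact known-bad; allow: exact allowlisted; suspect: close to an
    allowlisted name (likely typosquat); unknown: needs manual review."""
    if name in KNOWN_BAD_SPACES:
        return "block"
    if name in ALLOWLISTED_SPACES:
        return "allow"
    if any(damerau_levenshtein(name, good) <= max_distance for good in ALLOWLISTED_SPACES):
        return "suspect"
    return "unknown"


def audit(text: str) -> list:
    """Classify every Space reference found in the text."""
    return [(owner, name, classify_space(name)) for owner, name in extract_space_refs(text)]


# Constructed sample notebook cells; owner names are placeholders, not real accounts.
SAMPLE_NOTEBOOK = """
from huggingface_hub import snapshot_download
snapshot_download(repo_id="example-org/vscode-modext", repo_type="space")
snapshot_download(repo_id="someone/vsccode-modetx", repo_type="space")
# docs: https://huggingface.co/spaces/example-org/vscode-modetx
"""

if __name__ == "__main__":
    for owner, name, verdict in audit(SAMPLE_NOTEBOOK):
        print(f"{verdict:8} {owner}/{name}")
```

Run it over exported notebook sources, requirements or CI configuration before allowing a pull from the Hub; anything classified `block` or `suspect` should be removed from the allowlist until a human has confirmed the Space. The threshold of 2 catches the brief's IoC (one extra letter plus one transposition) while leaving genuinely different names as `unknown` rather than silently passing them.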
Why Hugging Face Is the Attack Surface That Matters Here
The technical vulnerability is in Marimo. The strategic choice is Hugging Face. Attackers are exploiting the trusted reputation that Hugging Face’s model and artifact repository has built with enterprise AI development teams. Most security stack configurations treat Hugging Face Hub as a trusted source, because, broadly, it is. That trust is the attack vector. By registering a typosquatted Space with a name designed to pass casual inspection, attackers get their payload into environments that have already decided Hugging Face is safe.
This is not the first supply chain attack pattern to exploit a trusted developer platform’s reputation. It’s a well-established approach in software supply chain attacks. What’s new is the target ecosystem: AI development toolchains (notebook platforms, model repositories, agent frameworks) have accrued enterprise trust rapidly, in many cases faster than security teams have had time to build coverage for them. The result is exactly the gap this campaign exploits.
Connection to Known Exploited Vulnerabilities
Verify whether CVE-2026-39987 appears in NIST’s Known Exploited Vulnerabilities catalog. If added to KEV, federal agencies face BOD 22-01 remediation deadlines, and the hub’s NIST NVD/KEV scope shift brief covers how that prioritization framework applies in practice. The policy context matters: the CVE designation means this vulnerability has a formal tracking record, and KEV status escalates remediation priority across both federal and regulated private sector environments.
What to Watch
Watch for Hugging Face’s official security advisory response: whether it removes or flags the typosquatted Space, updates trust verification, or publishes mitigation guidance. Watch Marimo’s patch release timeline. And watch whether the campaign expands beyond the initial 10 countries or adds secondary payloads beyond kagent. The connection between AI development toolchain vulnerabilities and the agentic security architecture debate is direct: teams deploying Mythos-class or other advanced agentic systems on AI infrastructure that lacks supply chain security coverage face compounding risk.
See the Mythos dual-use brief for the parallel story: AI systems as both attacker tools and attack targets is not a hypothetical threat model anymore.