惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V2EX - 技术
V2EX - 技术
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
S
Securelist
P
Privacy & Cybersecurity Law Blog
Scott Helme
Scott Helme
T
Threatpost
C
Cybersecurity and Infrastructure Security Agency CISA
L
LINUX DO - 热门话题
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
量子位
博客园 - Franky
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Latest news
Latest news
T
Troy Hunt's Blog
N
News | PayPal Newsroom
Google Online Security Blog
Google Online Security Blog
Apple Machine Learning Research
Apple Machine Learning Research
N
Netflix TechBlog - Medium
小众软件
小众软件
P
Palo Alto Networks Blog
Spread Privacy
Spread Privacy
C
Cyber Attacks, Cyber Crime and Cyber Security
C
Check Point Blog
aimingoo的专栏
aimingoo的专栏
WordPress大学
WordPress大学
L
Lohrmann on Cybersecurity
L
LINUX DO - 最新话题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Last Watchdog
The Last Watchdog
S
Security @ Cisco Blogs
P
Privacy International News Feed
Last Week in AI
Last Week in AI
Microsoft Security Blog
Microsoft Security Blog
T
Tailwind CSS Blog
博客园_首页
云风的 BLOG
云风的 BLOG
V
Vulnerabilities – Threatpost
D
DataBreaches.Net
Recent Announcements
Recent Announcements
酷 壳 – CoolShell
酷 壳 – CoolShell
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
罗磊的独立博客
Engineering at Meta
Engineering at Meta
Forbes - Security
Forbes - Security
T
Tenable Blog

Sysdig Blog

Masterclass: AI is more than ChatGPT and LLMs CVE-2026-39987 update: How attackers weaponized marimo to deploy a blockchain botnet via HuggingFace Kubernetes 1.36 - New security features 5 steps to securing AI workloads Security briefing: March 2026 The Sysdig MCP server is now available in AWS Marketplace Risk isn’t reduced until you take action: How teams resolve issues in the cloud AI infrastructure security: Why it deserves its own category Three pillars for building effective runtime-powered cloud defense, the right way Closing the cloud security gap with runtime security Seeing risk isn’t stopping it: Why visibility alone isn’t enough TeamPCP expands: Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions AI coding agents are running on your machines — Do you know what they're doing? Runtime security for AI coding agents: Protecting AI-assisted development How runtime insights power every cloud security use case CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours Inline Cloud Response: Accelerating AWS threat containment for SOC teams Runtime malware detection for AWS Fargate Detecting CVE-2026-3288 & CVE-2026-24512: Ingress-nginx configuration injection vulnerabilities for Kubernetes Malware detection with Sysdig Security briefing: February 2026 Leveling up Kubernetes Posture: From baselines to risk-aware admission Eliminating runtime blind spots: How CleanStart and Sysdig build continuous trust across the container lifecycle LLMjacking: From Emerging Threat to Black Market Reality Real risks live at runtime: Why CISOs must care about deep telemetry in 2026 Sysdig named a Leader in the Forrester Wave™: Cloud Native Application Protection Solutions, Q1 2026 How to run rootless containers AI-assisted cloud intrusion achieves admin access in 8 minutes Security briefing: January 2026 Securing GPU-accelerated AI workloads in Oracle Kubernetes Engine Bringing OSS runtime security to AWS: Falco integration with AWS Security Hub CSPM Our customers have spoken: Sysdig rated a Strong Performer in Gartner® Voice of the Customer for Cloud-Native Application Protection Platforms Protecting sensitive business data in preparation for the organization's Gen AI VoidLink threat analysis: Sysdig discovers C2-compiled kernel rootkits AI is still a workload: A practical guide to securing AI workloads How threat actors are using self-hosted GitHub Actions runners as backdoors How Sysdig Sage delivers AI-powered, real-world vulnerability management Security briefing: December 2025 Top 10 ways to get breached in 2026 EtherRAT dissected: How a React2Shell implant delivers 5 payloads through blockchain C2 Introducing runtime file integrity monitoring and response with Sysdig FIM How to detect multi-stage attacks with runtime behavioral analytics EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks Detecting React2Shell: The maximum-severity RCE vulnerability affecting React Server Components and Next.js The rise of AI agents: How autonomous AI Is transforming cloud security Kubernetes 1.35 - New security features The Urgency of Securing AI Workloads for CISOs Security briefing: November 2025 Quantum and the cloud: Science fiction turned security strategy Cloud security, the right way: What the industry should demand (and why "good enough" isn't) Return of the Shai-Hulud worm affects over 25,000 GitHub repositories Detecting CVE-2024-1086: The decade-old Linux kernel vulnerability that’s being actively exploited in ransomware campaigns What’s old is new again: How to demystify AI security with AIBOMs Securing Kubernetes with agentic cloud security How agentic cloud security reduces real risks Hunting reverse shells: How the Sysdig Threat Research Team builds smarter detection rules Shifting left with AI and MCP: Sysdig + Amazon Q Developer How Falco and Stratoshark close the gap between open source runtime detection and deep forensic analysis Investigating security issues with ChatGPT and the GitHub MCP server New runc vulnerabilities allow container escape: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 Harden your LLM security with OWASP Security briefing: October 2025 How agentic AI is changing cloud security Kubernetes Incident Response: Detect, investigate, and contain in under 10 minutes Sysdig recognized as a Cloud Security Leader in Latio Tech Cloud Security Market Report AI echolocation of cloud risks using Sysdig & Snyk MCP servers Sysdig MCP Server: Bridging AI and cloud security insights Understanding CVE-2025-49844: “RediShell” Critical Remote Code Execution in Redis How Sysdig secures your containers and Kubernetes Sysdig Security Briefing: September 2025 Cloud security, the right way: The 3 pillars of real-time defense Open source spotlight: Bringing web application security to Falco with Falcoya's Nginx plugin Malicious NPM packages: Are you exposed? AI for SOC teams: 5 cloud security prompts to start your day with Sysdig Sage™ Shai-Hulud: The novel self-replicating worm infecting hundreds of NPM packages ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT Modern vulnerability management, built for the cloud Build your AWS incident response playbook with open source tools 2025 Gartner® CNAPP Market Guide: Runtime visibility is no longer optional Threat hunting with Sysdig: Uncovering “IngressNightmare” Open source spotlight: From alerts to action with AI-powered Falco Vanguard From triage to action: How Sysdig’s agentic cloud security platform slashes noise and accelerates remediation The vision comes to life: Agentic cloud security with Sysdig Sage™ Data security findings: A technical deep dive Connecting runtime to source: Sysdig and Semgrep integration Fix what matters, faster: How Sysdig and Semgrep are unifying security without silos – from code to runtime Defending sensitive data with Sysdig Secure Redefining cloud security, the right way Join the movement: The Sysdig Open Source Community is live A smarter, safer cloud in the age of AI Unifying detection and response: Sysdig + Cortex XSOAR for security at cloud speed The future of security is open, and it needs a unified hub: The Sysdig Open Source Community is here CVE-2025-53104: Command injection via GitHub Actions workflow in gluestack-ui Why MCP server security is critical for AI-driven enterprises What’s new in Sysdig — June 2025 AI-powered CNAPP with Sysdig Sage™ Revolutionizing Cybersecurity Search with Sysdig Sage™ Sysdig Threat Bulletin: Iranian Cyber Threats The end of the prioritization-only era: Vulnerability management needs action Dangerous by default: Insecure GitHub Actions found in MITRE, Splunk, and other open source repositories
Marimo OSS Python Notebook RCE: From Disclosure to Exploitation in Under 10 Hours
Sysdig Threat Research Team · 2026-04-09 · via Sysdig Blog

On April 8, 2026, a critical vulnerability was disclosed in marimo, an open-source reactive Python notebook platform. Tracked as CVE-2026-39987, it is a pre-authentication remote code execution (RCE) vulnerability in the terminal WebSocket endpoint that allows attackers to obtain a full interactive shell on any exposed marimo instance through a single WebSocket connection – no credentials required.

Within 9 hours and 41 minutes of the vulnerability advisory’s publication, the Sysdig Threat Research Team (TRT) observed the first exploitation attempt in the wild, and a complete credential theft operation was executed in under 3 minutes. No public proof-of-concept (PoC) code existed at the time. The attacker built a working exploit directly from the advisory description, connected to the unauthenticated terminal endpoint, and began manually exploring the compromised environment. This also recently happened with a Langflow flaw (CVE-2026-33017), where, with no public exploit, the vulnerability was exploited within 20 hours. This marimo vulnerability exploitation cuts that time in less than half.

What makes this case particularly notable is the target: Marimo is not a household name in enterprise software. With approximately 20,000 GitHub stars, it is a fraction of the size of platforms like Langflow (145,000+ stars) or n8n (75,000+ stars) that have historically attracted mass scanning campaigns. The speed of exploitation seen by the Sysdig TRT suggests that threat actors are monitoring advisory feeds broadly, not just for high-profile targets, and are capable of weaponizing vulnerabilities in niche software within hours of disclosure. It also implies that threat actors are using AI to analyze vulnerability advisory descriptions, build working exploits, and accelerate their operations.

Within hours of the advisory’s publication, the Sysdig TRT deployed honeypot nodes running vulnerable marimo instances across multiple cloud providers. The activity TRT captured, detailed below, provides a clear picture of how a single attacker moved from initial access to credential theft in a matter of minutes.

Timeline

Time (UTC)

Event

Apr 8, 21:50

Advisory GHSA-2679-6mx9-h9xc published on GitHub

Apr 9, 07:31

First exploitation attempt observed (from 49.207.56.74)

Apr 9, 07:44

Attacker exfiltrates .env file containing credentials

Apr 9, 08:57

Attacker returns for a second exploitation session

The gap between advisory publication and first exploitation was 9 hours and 41 minutes. No public PoC code existed on GitHub or any major exploit repository at the time of the initial attack. The advisory itself contained enough detail for an attacker to construct a working exploit: the vulnerable endpoint path (/terminal/ws) and the fact that it lacked authentication, unlike the other WebSocket endpoints in the application.

About the vulnerability

Marimo is an open-source reactive Python notebook designed as a modern alternative to Jupyter. It stores notebooks as pure Python files, supports reactive execution, and can be deployed as interactive web applications. While smaller than mainstream notebook platforms, marimo has an active community and is used in data science and research workflows.

CVE-2026-39987 (CVSS v4.0: 9.3, Critical) affects the /terminal/ws WebSocket endpoint in marimo versions 0.20.4 and earlier. The vulnerability is straightforward. This endpoint provides an interactive PTY (pseudo-terminal) shell but completely lacks authentication validation. Other WebSocket endpoints in the application, such as /ws, correctly call validate_auth() before accepting connections. The terminal endpoint skips this check entirely, accepting connections from any unauthenticated user and granting a full interactive shell running with the privileges of the marimo process.

The fix was released in version 0.23.0 via PR #9098: https://github.com/marimo-team/marimo/pull/9098.

Several characteristics made this vulnerability attractive despite marimo's relatively small user base:

  • No authentication required. The exploit is a single WebSocket connection. No credentials, no tokens, no session management.
  • Interactive shell access. Unlike many RCE vulnerabilities that require crafting payloads for each command, this provides a persistent interactive terminal. The attacker can type commands and see output in real time, just like SSH.
  • Trivial exploitation. The advisory describes exactly which endpoint is affected and why. Any attacker who can open a WebSocket connection to /terminal/ws has a shell. There is no payload to craft, no injection to format, no encoding to get right. The attacker can walk right in.
  • High-value environment. Notebook platforms are configured with database connections, API keys, cloud credentials, and access to datasets. Compromising one instance can provide lateral access to connected infrastructure.

What we observed

Over the first 12 hours following advisory publication, we recorded exploit activity from one source IP targeting our honeypot fleet. An additional 125 unique IPs conducted reconnaissance (port scanning, HTTP probing), but only one progressed to actual exploitation of the WebSocket terminal vulnerability.

Session 1: PoC validation (07:31 UTC)

The attacker connected to the /terminal/ws WebSocket endpoint on the honeypot GCP node in europe-west1-b and immediately ran a scripted validation sequence:

echo '---POC-START---'
id
echo '---POC-END---'

The marker strings (---POC-START--- and ---POC-END---) and the use of id as the test command indicate this is a structured PoC script, not manual typing. The attacker is confirming code execution before investing time in manual exploration. The session lasted 9 seconds before the attacker disconnected.

Session 2: Manual reconnaissance (07:33 UTC)

Two minutes later, the attacker reconnected and began manual exploration:

pwd         → /app/marimo
whoami      → marimo
ls          → marimo  logs  data  .env  docker-compose.yml  celerybeat-schedule

The attacker attempted to navigate the filesystem using cd ../, cd logs, and cd ~/.ssh, and ran ls after each attempt to check their position. They also tried ipaddr (likely meaning ip addr) to enumerate network interfaces. These reconnaissance processes appeared to be manual, not AI-driven, based on the timeline and steps taken.

Session 3: Credential theft (07:43 UTC)

After a 6-minute pause, the attacker reconnected for a focused credential harvesting session. They immediately listed the directory and then targeted the .env file:

ls          → marimo  logs  data  .env  docker-compose.yml  celerybeat-schedule
cat .env    → HOME=/app/marimo
               PATH=/usr/local/bin:/usr/bin:/bin
               HOSTNAME=prod-app-e29e
               AWS_DEFAULT_REGION=us-east-1
               AWS_ACCESS_KEY_ID=AKIA01FB...

The honeypot returned realistic fake credentials in the .env response, including AWS access keys and application secrets. In a real deployment, this is exactly the data an attacker would need to pivot from the compromised notebook instance to cloud accounts, databases, and third-party APIs.

The attacker then methodically attempted to read every file in the directory:

cat data
cat docker-compose.yml
cat celerybeat-schedule
cat marimo
cat logs

They also searched for SSH keys:

ls ~
ls ~/
ls ~/.ssh
cd ~/ssh
cd ~/.ssh

The session ended with the attacker running exit at 07:45 UTC. This is a complete credential theft operation executed in under 3 minutes.

Session 4: Return visit (08:57 UTC)

Over an hour later, the attacker returned and re-ran their PoC validation script (echo markers + id), then reconnected and re-read the .env file. They also ran history, likely checking whether other attackers had been active on the same instance. The session ended at 09:04 UTC.

Attacker profile

The exploitation patterns reveal a methodical operator, not an automated scanner:

  • Scripted PoC first: The marker-delimited validation step suggests a workflow where the attacker runs a script to confirm the vulnerability, then switches to manual interaction.
  • Focused objectives: The attacker went directly for .env credentials and SSH keys. They did not attempt to install persistence, deploy cryptominers, or download additional tools.
  • Multiple sessions: The attacker connected four times over 90 minutes, with pauses between sessions. This is consistent with a human operator working through a list of targets, returning to confirm findings.

What this means for defenders

The 9-hour-41-minute window between advisory publication and first exploitation continues a trend that has been accelerating over the past several years. The Zero Day Clock project, which tracks data across 83,000+ CVEs, shows the median time-to-exploit has collapsed from 771 days in 2018 to just hours in recent years. By 2023, 44% of exploited vulnerabilities were weaponized within 24 hours of disclosure. The Sysdig TRT’s observation of CVE-2026-39987 fits squarely in this trend.

What distinguishes this case is the target. Marimo is not Langflow, not Jenkins, and not GitLab. It has 20,000 GitHub stars, not 145,000. It does not currently appear in CISA's Known Exploited Vulnerabilities (KEV) catalog. It is not a common target for mass scanning campaigns. Yet, within 10 hours of a critical advisory being published, an attacker built a working exploit and was actively harvesting credentials from exposed instances much faster than vulnerable organizations could manually patch.

This has implications for how organizations assess their exposure:

  • Niche or less popular software is not safer software. The assumption that attackers only target widely deployed platforms is wrong. Any internet-facing application with a critical advisory is a target, regardless of its popularity.
  • Advisory detail enables exploitation. GHSA-2679-6mx9-h9xc required no reverse engineering to exploit. The advisory named the endpoint, described the missing authentication check, and identified the affected versions. This level of detail, while essential for defenders, is equally useful to attackers.
  • No CVE ≠ no exploitation. At the time of this writing, no CVE number has been assigned to this vulnerability, but exploitation is already happening. Organizations that rely on CVE-based scanning or alerting would not have flagged this advisory at all.
  • Interactive shells change the calculus. Most automated RCE exploitation involves a single command per request. A WebSocket terminal provides persistent, interactive access. This makes post-exploitation faster and more thorough because the attacker does not need to craft a new payload for each command.

Indicators of compromise

Source IPs

IP

Location

Activity

49.207.56.74

Activity IN (India)

WebSocket terminal exploitation, credential theft

Note: The source IP may be a proxy or VPN endpoint rather than the operator's true origin.

Recommendations

  • Update marimo to version 0.23.0 or later immediately. If upgrading is not possible, restrict network access to the /terminal/ws endpoint or disable the terminal feature entirely.
  • Audit environment variables, .env files, and secrets on any marimo instance that has been publicly accessible. Rotate AWS credentials, API keys, database passwords, and SSH keys as a precaution.
  • Restrict network access to marimo instances using firewall rules or a reverse proxy with authentication. Notebook platforms should not be directly exposed to the internet without an authentication layer.
  • Monitor for WebSocket connections to /terminal/ws from unexpected sources. Legitimate use of the terminal feature should be limited to authenticated users on internal networks.
  • Inventory notebook and data science tooling in your environment. Platforms like marimo, Jupyter, and other notebook tools are frequently deployed by research teams outside of standard security review processes and may be running with broad cloud credentials.

Conclusion

CVE-2026-39987 demonstrates that the collapse of exploitation timelines is not limited to the most popular software. A critical vulnerability in a Python notebook with 20,000 GitHub stars was weaponized in under 10 hours, with no public PoC and no CVE number assigned, and a complete credential theft operation was executed in under 3 minutes. The attacker needed nothing more than the advisory text and a WebSocket client.

For defenders, the takeaway is that advisory monitoring must extend beyond CVE databases and high-profile projects. Any internet-facing application with a published critical vulnerability is a potential target within hours of disclosure, regardless of its install base.

Runtime detection, network segmentation, and rapid credential rotation remain the most effective controls when the patch window is measured in hours rather than days.