- A critical security vulnerability (CVE-2026-39987) in the open-source Python notebook Marimo was exploited within 9 hours and 41 minutes of public disclosure.
- The flaw allowed unauthenticated attackers to obtain a full system shell and execute arbitrary commands on any exposed instance, bypassing authentication.
- The first observed attack involved manual reconnaissance to harvest credentials from the .env file and search for SSH keys, but no additional malware was deployed.
- Attackers built a working exploit directly from the advisory description, demonstrating the shrinking window for defenders to apply critical patches.
In a stark demonstration of modern cyber threat velocity, a critical flaw in the Marimo data science notebook was weaponized by attackers less than 10 hours after its public disclosure on April 10, 2026, according to findings from Sysdig. The vulnerability, a pre-authenticated remote code execution bug tracked as CVE-2026-39987 with a CVSS score of 9.3, impacted all versions up to and including 0.20.4.
Maintainers stated in an advisory that the terminal WebSocket endpoint completely skipped authentication verification. Consequently, an unauthenticated attacker could connect and obtain a full interactive PTY shell to execute arbitrary system commands.
Sysdig’s honeypot recorded the first exploitation attempt just 9 hours and 41 minutes post-disclosure, even without public proof-of-concept code. The unknown threat actor manually explored the file system and systematically attempted to harvest data, notably targeting the .env file and SSH keys.
The attacker returned to the compromised system an hour later to access stolen data and check for other malicious activity. Meanwhile, no other payloads like cryptocurrency miners or backdoors were installed during these sessions.
This rapid exploitation highlights how threat actors closely monitor vulnerability disclosures. The incident proves that any internet-facing application with a critical advisory is a target, regardless of its popularity.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
