A critical remote code execution vulnerability in Marimo, a popular Python notebook tool, was exploited in the wild just 10 hours after public disclosure on April 8, 2026. Sysdig Threat Research Team detected active exploitation 9 hours and 41 minutes after CVE-2026-39987 was published, with attackers stealing credentials from .env files, SSH keys, and database passwords in under 3 minutes. CISA added the flaw to its Known Exploited Vulnerabilities catalog and mandated federal agencies patch by April 11. The 10-hour timeline isn’t just remarkable—it signals the death of traditional security response windows.
They Knew Exactly What to Steal
The attackers weren’t running automated scripts. Sysdig observed four distinct WebSocket connections with manual operator behavior, each surgical in its approach. They targeted .env files containing database credentials, API keys for OpenAI and Anthropic, AWS access tokens, and Stripe secrets. Secondary targets included SSH private keys and configuration files. The entire credential theft operation completed in under 3 minutes once inside.
This precision matters. These weren’t opportunistic attacks—they were calculated strikes on high-value AI development infrastructure. Marimo users are data scientists and AI engineers working with expensive API keys and proprietary datasets. The attackers knew what they were looking for and where to find it.
One Missing Function Call, Full System Compromise
CVE-2026-39987 scored 9.3 on the CVSS scale, and the root cause was embarrassingly simple. Marimo’s /terminal/ws WebSocket endpoint skipped authentication validation that every other WebSocket route correctly enforced. The endpoint checked for edit mode and PTY support but never called WebSocketConnectionValidator.validate_auth(). An attacker could connect, receive a full pseudo-terminal shell, and execute arbitrary commands—no credentials required.
The fix in version 0.23.0 was straightforward: add the missing auth check. But by then, approximately 16% of internet-exposed Marimo instances were vulnerable, according to independent reconnaissance that sampled 186 reachable deployments. That’s 30 systems waiting to hand over root access to anyone who asked politely.
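One way to catch this class of bug before release is a check that every WebSocket handler calls validate_auth(). This is an added example, not Marimo's code: the handler names, the `@router.websocket` decorator shape and the sample source are constructed assumptions based on the description above.

```python
import ast

# Constructed sample modelled on the description above. Handler names, the
# decorator shape and helper calls are assumptions, not Marimo's source.
SAMPLE = '''
@router.websocket("/ws")
async def session_ws(websocket):
    validator = WebSocketConnectionValidator(websocket, app_state)
    if not await validator.validate_auth():
        return
    await run_session(websocket)

@router.websocket("/terminal/ws")
async def terminal_ws(websocket):
    if app_state.mode != SessionMode.EDIT or not supports_terminal():
        return
    await spawn_pty(websocket)
'''


def websocket_route(func):
    """Return the path if func is decorated with <obj>.websocket("<path>")."""
    for dec in func.decorator_list:
        if (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                and dec.func.attr == "websocket" and dec.args
                and isinstance(dec.args[0], ast.Constant)):
            return dec.args[0].value
    return None


def calls_auth(func):
    """True if the handler contains a call to a method named validate_auth."""
    return any(isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
               and n.func.attr == "validate_auth" for n in ast.walk(func))


def unauthenticated_ws_routes(source):
    """List (path, handler) for WebSocket handlers lacking a validate_auth call."""
    found = []
    for fn in ast.walk(ast.parse(source)):
        if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            path = websocket_route(fn)
            if path is not None and not calls_auth(fn):
                found.append((path, fn.name))
    return found

if __name__ == "__main__":
    for path, name in unauthenticated_ws_routes(SAMPLE):
        print(f"missing auth check: {path} ({name})")
```

The check is name-based: it flags a handler that never calls validate_auth(), but it does not prove the result of the call is acted on, so it complements code review rather than replacing it.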
AI Development Tools: The New Supply Chain Target
Marimo isn’t an isolated incident. In March 2026, attackers compromised LiteLLM, a Python package with 97 million monthly downloads, by first hacking a security scanner in its build process. The poisoned package stole SSH keys, cloud credentials, and every API key it could find. IBM’s X-Force Threat Index reports a nearly 4X increase in supply chain compromises since 2020, driven heavily by attacks on AI development toolchains.
Why AI tools? High-value targets. Developers working with AI handle expensive API keys, proprietary training data, and cloud infrastructure credentials worth thousands or millions. These tools launch rapidly to meet AI boom demand, with security often secondary to shipping features. The result: a widening attack surface that threat actors are exploiting with increasing sophistication.
What Developers Should Do Now
If you’re running Marimo, patch immediately:
pip install --upgrade "marimo>=0.23.0"
If your instance was exposed to the internet between April 8 and when you patched, assume compromise. Rotate every credential in your .env files, regenerate API keys, change database passwords, and generate new SSH keys. Review access logs for suspicious activity.
Broader lesson: stop treating .env files as secure storage. Never commit them to Git, don’t expose development tools to the public internet, and use actual secrets managers (AWS Secrets Manager, HashiCorp Vault) in production. The .env file is a convenience during local development, not a security boundary.
The Responsible Disclosure Model Is Breaking
Google Project Zero’s 90-day disclosure standard was designed for a different era. When the window between disclosure and exploitation collapses to 10 hours, that timeline becomes meaningless. Attackers don’t wait for coordinated disclosure schedules; they develop exploits independently and strike immediately.
This doesn’t mean abandoning disclosure. It means recognizing that critical RCE vulnerabilities with internet exposure require fundamentally different timelines. Defenders have almost no time to patch before attacks begin. Vendors need emergency patch processes, users need auto-update mechanisms, and the security community needs to rethink what “responsible” means when exploits appear faster than most organizations can deploy fixes.
The 10-hour Marimo exploit isn’t an outlier. It’s the new normal.

