
A critical flaw in Python tool Marimo was exploited within 10 hours of disclosure, researchers report, highlighting how quickly attackers are now turning vulnerability advisories into real-world attacks.
Marimo is an open-source Python notebook environment used by developers and data scientists for interactive coding, data analysis, and experiments.
The notebook lets users run code in cells and instantly see results, without outputs updating automatically. Because it can connect to datasets, APIs, and cloud services, it can be vulnerable if exposed.
Marimo was found to expose a WebSocket endpoint that provides an interactive terminal but runs without proper authentication, allowing anyone to open a hidden connection to the system and get a live command line without logging in.
The Sysdig Threat Research Team found that the time from the initial announcement of the flaw to its exploitation was 9 hours 41 minutes.
The threat researchers claim the attacker developed their exploit code solely from an advisory description, connected to the unauthenticated terminal endpoint, and began manually exploring the compromised environment.
As the researchers point out, this also happened with another similar open-source tool, Langflow, where, with no public exploit, the vulnerability CVE-2026-33017 was exploited within 20 hours.
“This Marimo vulnerability exploitation cuts that time in less than half.”
The weaponization of niche software
With 20,000 GitHub stars, Marimo is not a household name but appears to be gaining popularity against rival tools such as Jupyter.
Sysdig’s threat research team suggests that hackers are monitoring advisory feeds broadly, not just for high-profile targets.
They are also capable of weaponizing niche software within hours of disclosure.
Sysdig added that attackers may also be using AI to analyze vulnerability advisories, build working exploits, and accelerate their operations.
In its research, Sysdig used ‘honeypot’ systems to monitor real-world exploitation and observe how quickly threat actors moved from initial access to probing and data theft.
In one observed case, the attacker first verified access with simple commands before manually exploring the environment and reading .env files to extract credentials.
The activity was not automated, suggesting a hands-on attacker with a clear understanding of developer environments where sensitive data is stored.
At the time of writing, no CVE number has been assigned to this flaw.
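For defenders, the exposure described above (a terminal WebSocket reachable without login) can be looked for in reverse-proxy access logs. The sketch below is an added example, not code from Sysdig or Marimo; it assumes a proxy that writes combined-format logs and records the authenticated user, and the route name and trusted network ranges are placeholders to replace with your own.

```python
import ipaddress
import re

# Assumption: placeholder route, not taken from the article or from Marimo.
TERMINAL_PATH = "/PLACEHOLDER/terminal-ws"
# Assumption: networks that are allowed to reach the notebook host.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]
# Combined-log prefix: client, ident, user, [time], "request", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in TRUSTED_NETS)

def find_exposed_terminal_sessions(lines, terminal_path=TERMINAL_PATH):
    """Return (timestamp, client_ip, reason) for each suspicious terminal upgrade."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]
        # 101 Switching Protocols means the WebSocket handshake succeeded.
        if path != terminal_path or m["status"] != "101":
            continue
        reasons = []
        if m["user"] == "-":
            reasons.append("no authenticated user")
        if not is_trusted(m["ip"]):
            reasons.append("source outside trusted networks")
        if reasons:
            findings.append((m["ts"], m["ip"], ", ".join(reasons)))
    return findings

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.1.2.3 - alice [01/Jan/2026:09:00:01 +0000] "GET /PLACEHOLDER/terminal-ws HTTP/1.1" 101 0',
    '203.0.113.7 - - [01/Jan/2026:18:41:12 +0000] "GET /PLACEHOLDER/terminal-ws HTTP/1.1" 101 0',
    '198.51.100.9 - - [01/Jan/2026:19:02:44 +0000] "GET /PLACEHOLDER/terminal-ws HTTP/1.1" 401 0',
    '10.9.9.9 - - [01/Jan/2026:20:15:00 +0000] "GET /PLACEHOLDER/terminal-ws?x=1 HTTP/1.1" 101 0',
]

for finding in find_exposed_terminal_sessions(SAMPLE_LOG):
    print(*finding, sep="  ")
```

A hit with both reasons is the case the article describes: an internet source completing the terminal handshake with no login. A hit from a trusted address with no user still shows the endpoint is not enforcing authentication.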
Glasswing: AI accelerates research, but also exploits
A key takeaway from Sysdig was that niche or less popular software is not safer than larger enterprise tools and that the patch window is rapidly disappearing.
Internet-facing dev tools, especially those holding credentials or sensitive data, can be targeted within hours of a vulnerability becoming public.
The incident echoes the debate around Glasswing, Anthropic’s new security initiative, which is built around the idea that AI can dramatically accelerate vulnerability research.
Marimo shows how that acceleration cuts both ways, with AI able to shrink the gap between advisory and attack.
Glasswing is built around Anthropic’s latest AI model, Claude Mythos, which is being limited to 12 big tech companies, including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks.