Cyber Threat Brief — April 11 2026
1. Marimo Python Notebook Pre-Auth RCE — CVE-2026-39987
TL;DR: CVE-2026-39987 (CVSS 9.3) gives unauthenticated attackers a full PTY shell on any Marimo instance via the /terminal/ws WebSocket endpoint — no token, no interaction. Sysdig confirmed ITW exploitation within 10 hours of disclosure on April 10.
What’s New:
- Vulnerable endpoint: `ws://<host>:<port>/terminal/ws` — skips `validate_auth()` entirely, only checks running mode and platform
- Attacker completes a standard WebSocket handshake and receives an interactive shell as the Marimo process user
- Sysdig honeypots observed credential-harvesting payloads within 9h41m of advisory publication — no public PoC existed at that time
- Affects all Marimo versions ≤0.20.4; patched in 0.23.0
- Data-science notebooks often run as root or with broad cloud IAM — lateral movement risk is high
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Inbound WebSocket upgrade to /terminal/ws from untrusted source | URI | T1190 | Reverse-proxy access logs, Zeek http.log, WAF | Alert — this path should never receive external traffic |
| WebSocket connection to Marimo without access_token parameter | Auth bypass | T1190 | Application logs, reverse-proxy headers | Alert — legitimate sessions carry a token |
| Shell commands (e.g., cat /etc/shadow, curl, wget) over WebSocket PTY | Payload | T1059.004 | Marimo process stdout/stderr, Sysmon for Linux EID 1, auditd execve | Alert — notebook backend spawning interactive shell commands |
| Marimo process (python -m marimo) spawning sh, bash, curl, wget, nc | Process | T1059.004 | EDR, Sysmon for Linux, auditd | Alert — data-notebook process should not fork shells to external input |
| Outbound connections from Marimo host to non-allowlisted IPs after WebSocket session | Network | T1041 | Zeek conn.log, NetFlow, cloud VPC flow logs | Hunt — correlate with WebSocket accept timestamps |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Linux Proxy Socks Curl (adjacent, post-exploit curl) | Need: WebSocket upgrade to /terminal/ws without auth token; python parent spawning interactive shell |
| Elastic | Web Application Suspicious Activity, Linux Suspicious Child Process From Web Server (adjacent) | Need: Marimo-specific URI and WebSocket upgrade detection |
| Sigma | proc_creation_lnx_susp_child_process_from_web_server.yml (adjacent) | Need: WebSocket /terminal/ws path in proxy rule; Marimo process-tree rule |
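The first two detection gaps above (a WebSocket upgrade to /terminal/ws without an access_token, and one arriving from outside the trusted networks) can be closed at the reverse proxy. The following is an added example, not code from the brief or from the Marimo project; it assumes a combined-format access log and uses constructed sample lines, flagging every /terminal/ws request that lacks the token or comes from an untrusted source:

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access log (nginx/Apache default). The format and the sample
# lines below are assumptions constructed for this example.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
TERMINAL_PATH = "/terminal/ws"

SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:14:02:11 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Python/3.12 websockets/12.0"
10.0.4.21 - - [10/Apr/2026:14:03:40 +0000] "GET /terminal/ws?access_token=REDACTED HTTP/1.1" 101 0 "-" "Mozilla/5.0"
10.0.4.21 - - [10/Apr/2026:14:03:41 +0000] "GET /api/kernel/run HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def is_trusted(client, trusted_nets):
    """True when the client IP falls inside one of the allowlisted networks."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)

def scan_log(text, trusted_cidrs):
    """Return one alert per /terminal/ws request that is missing the access_token
    parameter or comes from outside the trusted networks. 'upgraded' records
    whether the proxy answered 101, i.e. the WebSocket handshake completed."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != TERMINAL_PATH:
            continue
        reasons = []
        if "access_token" not in parse_qs(url.query):
            reasons.append("no access_token parameter")
        if not is_trusted(m["client"], nets):
            reasons.append("untrusted source")
        if reasons:
            alerts.append({"client": m["client"], "ts": m["ts"],
                           "upgraded": m["status"] == "101", "reasons": reasons})
    return alerts
```

Feed it your proxy's log tail and the CIDRs that legitimately reach the notebook; a 101 with no token from outside those ranges is the pattern Sysdig's honeypots saw.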
Sources: The Hacker News · Endor Labs · Vulert · LufSec
2. Smart Slider 3 Pro Supply-Chain Backdoor
TL;DR: Attackers compromised Nextend’s update infrastructure and shipped a weaponized Smart Slider 3 Pro v3.5.1.35 update for ~6 hours (April 7-8). The backdoor creates hidden admin accounts, drops persistent webshells, and exfiltrates full site credentials to wpjs1[.]com.
What’s New:
- Malicious version 3.5.1.35 distributed via legitimate Nextend update channel; auto-updating sites received it silently
- Multi-stage persistence: hidden WP admin (`wpsvc_a3f1`), webshell via `cf_check.php`, RCE via HTTP headers `X-Cache-Status`/`X-Cache-Key` → `shell_exec()`
- Hidden user invisible to admin UI via hooked `pre_user_query` and `views_users` filters
- Three WP options store backdoor state: `_wpc_ak` (auth key), `_wpc_uid` (hidden user ID), `_wpc_uinfo` (base64 credentials)
- C2 registration: `POST https://wpjs1[.]com/api/v3/register-agent` with JSON payload containing site URL, WP admin creds in plaintext, DB name, PHP version, persistence method list
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| wpjs1[.]com (C2 domain) | Domain | T1071.001 | DNS logs, proxy logs, Zeek dns.log | Block and hunt — any resolution is confirmed compromise |
| POST /api/v3/register-agent to wpjs1[.]com | HTTP | T1041 | Web proxy, WAF egress logs | Alert — credential exfiltration beacon |
| Files named cf_check.php in /cache/ or /media/ directories | File | T1505.003 | FIM, EDR file-create events, find sweeps | Alert — webshell indicator |
| WP users matching wpsvc_* pattern | Account | T1136.001 | WP audit logs (wp_users table), wp-cli user list | Hunt and remove — hidden admin account |
| WP options _wpc_ak, _wpc_uid, _wpc_uinfo | Persistence | T1547 | WP database queries, wp_options table audit | Hunt and remove — backdoor state storage |
| HTTP requests with X-Cache-Key header containing PHP code / base64 | Payload | T1059.001 | WAF, reverse-proxy logs, ModSecurity | Alert — header-based RCE trigger |
| eval(base64_decode( in PHP files under plugin directories | Code | T1027 | FIM, YARA scans, grep -r | Alert — obfuscated webshell pattern |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Shell Detect (generic webshell), Detect New Web Application Accounts (adjacent) | Need: WordPress-specific hidden admin detection via pre_user_query hook; X-Cache-Key header payload inspection |
| Elastic | Webshell Detection: Script Process Child of Common Web Processes | Need: PHP shell_exec triggered via HTTP header; cf_check.php file-create rule |
| Sigma | webshell_detection_generic.yml, web_php_shell_exec.yml (adjacent) | Need: wpjs1[.]com domain IOC; _wpc_* option-name pattern in DB audit |
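The hunt rows above (wpsvc_* users, _wpc_* options, cf_check.php, eval(base64_decode() can be run as one triage pass over a site. This is an added example, not Patchstack's or Nextend's code; it assumes wp_options/wp_users rows exported as JSON (e.g. from wp-cli) and a filesystem path to the webroot, and it builds a constructed sample tree so it runs offline:

```python
import os
import re
import tempfile

# Indicators named in the brief; the sample data below is constructed and stands
# in for a real wp_options/wp_users export and a real webroot.
BACKDOOR_OPTIONS = {"_wpc_ak", "_wpc_uid", "_wpc_uinfo"}
HIDDEN_USER_RE = re.compile(r"^wpsvc_[0-9a-f]+$")
WEBSHELL_NAME = "cf_check.php"
OBFUSCATED_RE = re.compile(rb"eval\s*\(\s*base64_decode\s*\(")

def hunt_options(option_rows):
    """option_rows: dicts with option_name (e.g. `wp option list --format=json`)."""
    return sorted(r["option_name"] for r in option_rows if r["option_name"] in BACKDOOR_OPTIONS)

def hunt_users(user_rows):
    """user_rows: dicts with user_login (e.g. `wp user list --format=json`);
    the DB export sidesteps the hooked pre_user_query filter that hides the account."""
    return sorted(r["user_login"] for r in user_rows if HIDDEN_USER_RE.match(r["user_login"]))

def scan_php_tree(root):
    """Walk a webroot: flag the webshell filename and eval(base64_decode( in any .php file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == WEBSHELL_NAME:
                findings.append(("webshell-name", rel))
            if name.endswith(".php"):
                with open(path, "rb") as fh:
                    if OBFUSCATED_RE.search(fh.read()):
                        findings.append(("obfuscated-eval", rel))
    return sorted(findings)

def build_sample_tree():
    """Constructed webroot: one flagged file (payload decodes to 'echo 1;') and one clean plugin file."""
    root = tempfile.mkdtemp()
    samples = {
        "cache/cf_check.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); // constructed sample",
        "wp-content/plugins/smart-slider-3/slider.php": b"<?php echo 'clean';",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root

SAMPLE_OPTIONS = [{"option_name": "siteurl"}, {"option_name": "_wpc_ak"}, {"option_name": "_wpc_uinfo"}]
SAMPLE_USERS = [{"user_login": "admin"}, {"user_login": "wpsvc_a3f1"}]
```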
Sources: Patchstack Analysis · BleepingComputer · The Hacker News · mySites.guru
3. UNC6783 (Mr. Raccoon) — BPO-to-Enterprise Extortion Campaign
TL;DR: Google TIG disclosed UNC6783, a financially motivated group that breaches enterprises by social-engineering BPO helpdesk staff via live chat, stealing data, and extorting payment. Several dozen orgs hit; Adobe breach attributed to same persona.
What’s New:
- Initial access via live-chat social engineering (not email phishing) — attacker directs helpdesk agents to spoofed Okta pages
- Phishing domain pattern: `<org>[.]zendesk-support<##>[.]com` — spoofed Okta credential harvester with clipboard-stealing MFA bypass
- Post-MFA bypass: attacker enrolls their own device for persistent access to victim Okta tenant
- Secondary vector: fake security software downloads delivering remote access malware
- Extortion via ProtonMail; Adobe breach attributed to Mr. Raccoon persona — claimed 13M support tickets, 15K employee records, HackerOne submissions
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Domains matching *zendesk-support*[.]com pattern | Domain | T1566.003 | DNS logs, proxy logs, email gateway | Block wildcard and hunt — all are phishing infra |
| New MFA device enrollment from unexpected geo/IP after helpdesk interaction | Auth event | T1556.006 | Okta system logs (device.enrollment), Azure AD sign-in logs | Alert — correlate with helpdesk ticket timestamps |
| Live-chat sessions directing agents to external URLs | Social engineering | T1534 | Zendesk/helpdesk audit logs, chat transcripts | Hunt — flag URLs in chat pointing outside org domains |
| ProtonMail-sourced extortion emails referencing stolen data | Email | T1657 | Email gateway, mail flow logs | Alert — extortion indicator |
| Remote access tool installation following helpdesk-sourced link | Execution | T1219 | EDR, Sysmon EID 1, application install logs | Alert — correlate with helpdesk interaction timeline |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Okta New Device Enrolled on Account, Okta MFA Exhaustion Hunt (adjacent) | Need: MFA enrollment correlated with helpdesk ticket creation window; zendesk-support domain pattern in proxy |
| Elastic | Potential Credential Access via Okta, First Occurrence of User Agent | Need: BPO-origin session correlation; chat-to-phish pivot detection |
| Sigma | okta_new_device_enrollment.yml (if exists) | Need: Helpdesk-chat URL extraction rule; spoofed Okta domain pattern match |
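Two of the gaps above, the spoofed-Okta domain pattern and MFA enrollment correlated with a helpdesk interaction window, are small enough to prototype before a vendor rule exists. This is an added example, not Google TIG's or Okta's code; the record fields (ticket, user, time, country) are a constructed schema you would map onto your helpdesk audit log and Okta System Log exports, and treating <##> as any run of digits is an assumption:

```python
import re
from datetime import datetime, timedelta

# Spoofed-Okta domain shape from the brief: <org>[.]zendesk-support<##>[.]com.
# Treating <##> as any digit run is an assumption; legitimate Zendesk tenants
# live under zendesk.com, which this pattern does not match.
PHISH_DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+zendesk-support\d*\.com$", re.I)

def is_phish_domain(domain):
    """Accepts defanged ([.]) or plain domains."""
    return bool(PHISH_DOMAIN_RE.match(domain.replace("[.]", ".").strip().rstrip(".")))

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def correlate_enrollments(chats, enrollments, baseline, window_hours=24):
    """Flag MFA device enrollments that follow a helpdesk chat for the same user within
    the window, or originate from a country absent from that user's sign-in baseline.
    Record fields are a constructed schema, not Okta's or Zendesk's native field names."""
    alerts = []
    for e in enrollments:
        t_enroll, reasons = _ts(e["time"]), []
        for c in chats:
            if c["user"] != e["user"]:
                continue
            delta = t_enroll - _ts(c["time"])
            if timedelta(0) <= delta <= timedelta(hours=window_hours):
                reasons.append(f"enrolled {delta} after helpdesk chat {c['ticket']}")
        if e["country"] not in baseline.get(e["user"], set()):
            reasons.append(f"enrollment from unusual country {e['country']}")
        if reasons:
            alerts.append({"user": e["user"], "time": e["time"], "reasons": reasons})
    return alerts

# Constructed sample records: one enrollment 36 minutes after a chat, from a new country.
HELPDESK_CHATS = [{"ticket": "HD-4471", "user": "j.doe@example.com", "time": "2026-04-09T13:05:00Z"}]
ENROLLMENTS = [
    {"user": "j.doe@example.com", "time": "2026-04-09T13:41:00Z", "country": "NL"},
    {"user": "a.smith@example.com", "time": "2026-04-09T09:00:00Z", "country": "US"},
]
BASELINE = {"j.doe@example.com": {"US"}, "a.smith@example.com": {"US"}}
```

The window default of 24 hours is a starting point; tighten it once you see how long your helpdesk-to-enrollment lag normally is.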
Sources: Google TIG via The Register · BleepingComputer · SecurityWeek · Field Effect · Austin Larsen
Status Updates
- CVE-2026-1340 (Ivanti EPMM): Added to CISA KEV on April 8; patch immediately if not already applied. Original brief: April 5.
- CVE-2026-35616 (FortiClient EMS): Added to CISA KEV on April 9; federal agencies required to patch by deadline. Original brief: April 3.
- CyberAv3ngers PLC Campaign (AA26-097A): Joint CISA advisory released April 10 with updated Rockwell Automation/Allen-Bradley targeting details and Dropbear SSH IOCs. Original brief: April 8.