Programmer’s Digest #180

04/08/2026-04/15/2026 Marimo RCE Flaw, 0-Day Vulnerability Actively Exploited, New FortiClient EMS Flaw and More.

1. Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure

A critical vulnerability in Marimo, an open-source Python notebook for data science, was exploited within 10 hours of disclosure, according to Sysdig. The flaw, CVE-2026-39987 (CVSS 9.3), is a pre-authentication remote code execution bug affecting versions up to 0.20.4 and fixed in 0.23.0.

The issue stems from the /terminal/ws WebSocket endpoint lacking authentication checks. Unlike other endpoints, it skips validation entirely, allowing attackers to gain a full interactive shell without credentials and execute arbitrary commands.

Sysdig observed exploitation just under 10 hours after disclosure, even without public proof-of-concept code. An attacker accessed a honeypot system, explored files, and attempted to extract sensitive data such as .env contents and SSH keys. The intruder returned multiple times, suggesting manual activity.

The incident highlights how quickly attackers weaponize new vulnerabilities, shrinking response time. It also shows that any internet-exposed system—not just popular platforms—can become an immediate target.

2. CISA Warns of Chrome 0-Day Vulnerability Actively Exploited in Attacks

A critical zero-day vulnerability in Google Chrome is being actively exploited, prompting urgent warnings for users worldwide. Tracked as CVE-2026-5281, the flaw was added to CISA’s Known Exploited Vulnerabilities catalog on April 1, 2026.

The bug is a Use-After-Free issue in Google Dawn, enabling attackers to execute code after tricking users into visiting a malicious webpage. Successful exploitation can lead to system compromise, data theft, or malware installation. Because the issue affects the Chromium engine, other browsers like Microsoft Edge, Opera, Vivaldi, and Brave are also impacted.

Security agencies urge immediate updates once patches are available. CISA requires federal agencies to mitigate the flaw by April 15, highlighting the urgency of patching or discontinuing vulnerable systems.

3. Exposed ComfyUI Servers Hijacked For Cryptomining and Proxy Botnet Operations

Hackers are hijacking exposed ComfyUI servers, turning them into cryptomining systems and proxy botnet nodes. Over 1,000 internet-accessible instances—often running on GPU-rich cloud platforms—present a valuable target due to weak or absent authentication.

According to Censys ARC, attackers scan for vulnerable servers and exploit ComfyUI’s custom node feature, which can execute arbitrary Python code. By submitting malicious workflows, they achieve remote code execution without needing a traditional vulnerability.

Compromised systems run XMRig and lolMiner to mine Monero and Conflux, while also joining a Hysteria-based proxy botnet. A Flask-based control panel manages infected machines.

The malware uses stealth techniques like fileless execution and rootkits to persist. Experts warn administrators to secure ComfyUI deployments, restrict risky nodes, and monitor for unusual activity to prevent compromise.

4. New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy

Cybersecurity researchers report a new variant of Chaos malware targeting misconfigured cloud environments, expanding beyond routers and edge devices. The malware now actively exploits weak cloud setups such as exposed Hadoop instances.

Chaos is a cross-platform threat affecting Windows and Linux. It can execute remote commands, deploy payloads, mine cryptocurrency, and launch DDoS attacks. The latest version drops older propagation methods and introduces a SOCKS proxy feature, allowing infected systems to relay malicious traffic and hide attacker activity.

Researchers observed the malware being deployed via malicious shell commands that download and execute a binary, then erase traces. Infrastructure linked to the campaign overlaps with past activity from Silver Fox. This evolution shows attackers are diversifying botnets for profit, combining cryptomining, DDoS, and proxy services.

5. New FortiClient EMS Flaw Exploited in Attacks, Emergency Patch Released

Fortinet has issued an emergency update for a critical vulnerability in FortiClient Enterprise Management Server that is actively exploited. Tracked as CVE-2026-35616, the flaw is an improper access control issue allowing unauthenticated attackers to execute code via crafted requests. The bug affects versions 7.4.5 and 7.4.6 and was patched over the weekend. Fortinet confirmed in-the-wild exploitation and urged users to install hotfixes immediately. The issue will also be resolved in version 7.4.7, while version 7.2 is not impacted.

The flaw enables attackers to bypass authentication entirely. Researchers observed it being used as a zero-day before disclosure. Meanwhile, Shadowserver Foundation reported over 2,000 exposed EMS instances online.

This follows another actively exploited flaw, CVE-2026-21643, highlighting the urgency for organizations to patch systems or upgrade promptly.

6. CVE-2026-39363: Arbitrary File Read via WebSocket Authorization Bypass in Vite

CVE-2026-39363 is a high-severity vulnerability in the Vite development server that allows attackers to read arbitrary files from the host system. The flaw lies in a WebSocket-based RPC channel used for features like Hot Module Replacement. Unlike Vite’s HTTP middleware, this channel fails to enforce filesystem access restrictions.

An unauthenticated attacker with network access can send crafted WebSocket messages to invoke internal functions like fetchModule, forcing the server to read sensitive files (e.g., /etc/passwd or .env). The server then returns the file contents, exposing source code, credentials, and system data. The issue stems from missing authorization checks in the WebSocket layer, which bypasses security controls defined in server.fs.allow.

Patches fix this by enforcing validation within core logic and disabling vulnerable features by default. Users should upgrade to secure Vite versions immediately, restrict server access to localhost, and avoid exposing development servers to public networks to reduce risk.

7. New macOS Stealer Campaign Uses Script Editor in ClickFix Attack

A new campaign is spreading Atomic Stealer (AMOS) malware to macOS users by abusing Script Editor in a variant of the ClickFix attack. Instead of tricking users into running Terminal commands, attackers use fake Apple-themed websites offering “disk cleanup” guides. These pages include instructions that trigger Script Editor via a special link, automatically loading malicious AppleScript. The script executes an obfuscated command that downloads and runs malware directly in memory. It installs a hidden binary, bypasses security checks, and launches AMOS.

Atomic Stealer can extract sensitive data such as Keychain information, browser passwords, cookies, crypto wallets, and credit card details. It may also install a backdoor for persistent access. Although newer macOS versions warn against similar Terminal attacks, this method avoids those protections. Users are advised to treat unexpected Script Editor prompts as high-risk and only follow trusted, official Apple documentation when troubleshooting.
