2 Sources
[1]
Critical SimpleHelp flaw exploited to deploy new stealer malware
Hackers are exploiting a recently disclosed critical vulnerability (CVE-2026-48558) in SimpleHelp to deploy Djinn Stealer, a previously undocumented cross-platform information stealer targeting Windows, macOS, and Linux. The SimpleHelp platform is primarily used by managed service providers (MSPs), IT departments, helpdesks, and system administrators for remote monitoring and management (RMM). Earlier this month, offensive security company Horizon3.ai published details about CVE-2026-48558, saying that the flaw could be leveraged to create highly privileged technician accounts without authentication. Exploiting the vulnerability is possible on servers using the OpenID Connect (OIDC) authentication protocol. According to the researchers, around 1,000 SimpleHelp servers exposed online were running a vulnerable configuration at the time of the disclosure. In an incident investigated by managed detection and response (MDR) provider Blackpoint, a threat actor exploited the critical authentication bypass vulnerability to establish an authenticated technician session on an internet-facing SimpleHelp server before deploying the TaskWeaver malware loader and the Djinn Stealer. Based on the findings from the Adversary Pursuit Group (APG), the company's threat intelligence and research team, both pieces of malware are new and have not been documented before. "The compromised RMM platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server," Blackpoint says. The investigation revealed that TaskWeaver was downloaded in the form of an obfuscated JavaScript file named 'jquery.js' from a temporary Cloudflare domain. TaskWeaver is a generic malware loader that fingerprints the compromised device and communicates with the command-and-control (C2) infrastructure to receive new JavaScript modules for execution. The loader then installs Djinn Stealer to collect in a single pass all the sensitive data it can find on a developer's machine, be it Windows, macOS, or Linux. Blackpoint mentions that Djinn Stealer has a particular focus on AI development tools, but targets a broad collection of developer and infrastructure credentials: * Cloud provider credentials, identity services, deployment platforms, and cloud management tools. * Git configuration, GitHub CLI, SSH keys, Docker credentials, Helm, infrastructure-as-code tools (Terraform, Pulumi), secrets management solutions (HashiCorp Vault), and package manager credentials. * Authentication data for package registries and build tools (npm, Yarn, pnpm, Cargo, Maven, Gradle, pip, NuGet), potentially enabling access to private packages or malicious package publication. * Local configuration files, authentication tokens, session data, and Model Context Protocol (MCP) configuration for AI coding assistants (Claude, Gemini, Codex, Cline, OpenCode, and Kilo). * Cryptocurrency wallets and keystores associated with multiple desktop cryptocurrency clients (Bitcoin, Litecoin, Dogecoin, Dash, Ethereum, Monero, Zcash, Exodus, Atomic Wallet, and * Electrum). * Browser data, shell history, SSH configuration, PGP keys, database client configuration, operating system information, and other user files. On Linux, the malware also attempts to read the /proc/<pid>/cmdline and /proc/<pid>/environ virtual files that contain information about a running process, including secrets (e.g., API keys, credentials, session tokens, file paths, URLs). Blackpoint researchers warn that stealing credentials for AI development tooling, which is widely used for coding and software development, could allow attackers to inherit the AI assistant's authorized access to repositories, cloud resources, databases, and APIs. "Many of these tools rely on the Model Context Protocol (MCP) to connect an AI assistant to external tools and data on the developer's behalf, including source repositories, databases, cloud accounts, and internal APIs," explain the researchers. "The settings and tokens for those connections are stored locally in files such as ~/.claude/mcp.json. Stealing them can grant an attacker the same downstream access the developer extended to their AI agent, reaching well beyond the AI service itself." Before exfiltrating the sensitive data to the C2 server, Djinn Stealer packs it into a TAR archive, then compresses it with GZIP, and encrypts it with an AES-256-GCM key protected by an RSA-2048 public key embedded in TaskWeaver. Active exploitation of CVE-2026-48558 should serve as an urgent call for system administrators to prioritize updating SimpleHelp instances to the latest versions. It is also recommended to invalidate technician sessions that they don't recognize. If breached, rotate all credentials and API keys. Blackpoint's report provides indicators of compromise (IoCs) observed in the investigated intrusion, which include hashes for the TaskWeaver loader and Djinn Stealer, network infrastructure, host and behavioral indicators.
[2]
Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer
An unknown threat actor has been observed exploiting a recently disclosed maximum-severity security flaw in SimpleHelp to deliver two previously unreported malware families, TaskWeaver and Djinn Stealer. The intrusion involves the exploitation of CVE-2026-48558 (CVSS score: 10.0), a critical authentication bypass vulnerability impacting the OpenID Connect (OIDC) flow that an unauthenticated attacker could exploit to obtain a fully authenticated "Technician session by submitting a forged token containing arbitrary identity claims. "TaskWeaver is a heavily obfuscated Node.js loader, delivered as jquery.js and executed through node.exe, that implements an encrypted, reusable payload delivery channel rather than a fixed set of post exploitation commands," Blackpoint Cyber said in an analysis. "The observed second stage payload, Djinn Stealer, targets Windows, macOS, and Linux systems." Djinn Stealer is designed to harvest credentials associated with cloud platforms, source control, package registries, infrastructure tooling, AI development assistants, browsers, SSH, and cryptocurrency wallets. Details of CVE-2026-48558 emerged earlier this month when Horizon3.ai, which discovered the flaw, said it affects servers configured to use either generic OIDC or Azure AD OIDC and that it stems from the manner in which SimpleHelp validates the IdP assertions. "In many SimpleHelp deployments that have OIDC-type authentication enabled, an unauthenticated attacker can create and authenticate as a new 'Technician' user," Horizon3.ai security researcher Zach Hanley said. "This Technician, by default, can perform privileged management activities such as remoting into managed endpoints, executing scripts, and more." "Even when the SimpleHelp server is configured to enforce MFA for technicians, this issue allows the attacker to bypass this mechanism because on first login, technicians can self-register their own MFA method." In the attack chain documented by Blackpoint Cyber, successful exploitation of the flaw in the Remote Monitoring and Management (RMM) software is said to have enabled the threat actor to obtain an authenticated "Technician" session on a publicly-accessible server, which was then abused to deploy TaskWeaver and Djinn Stealer. "The compromised RMM platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server," researchers Nevan Beal and Sam Decker said. TaskWeaver is a modular Node.js loader capable of fingerprinting the system, establishing encrypted communications with a remote server ("a.dev-tunnels[.]com"), and retrieving and executing additional JavaScript payloads with elevated access to the Node.js runtime. The final stage is an information stealer engineered to siphon valuable data from compromised Windows, macOS, or Linux hosts. The breadth of the information targeted by the stealer is as follows - * Credentials, history, and bookmarks stored in web browsers * Configuration and authentication data associated with AWS, Azure, Google Cloud, Oracle Cloud Infrastructure, Okta, Cloudflare, DigitalOcean, Linode, Heroku, Vercel, Railway, Supabase, Pulumi, Terraform, HashiCorp Vault, and Consul * GitHub CLI data * Git configuration * SSH keys * Docker authentication * Helm registry information * S3 and MinIO client configurations * Subversion credentials * Credentials for npm, pnpm, Yarn, NuGet, Cargo, Composer, Maven, Gradle, pip, PyPI, Conda, Bun, Ivy, and Scala Build Tool * Configuration, authentication, session, and project data associated with Anthropic Claude, Google Gemini, OpenAI Codex, Cline, OpenCode, and Kilo * Cryptocurrency wallets and keystores associated with Bitcoin, Litecoin, Dogecoin, Dash, Ethereum, Monero, Zcash, Exodus, Atomic Wallet, and Electrum On Linux systems, the malware also attempts to read the "/proc/<pid>/cmdline" and "/proc/<pid>/environ" virtual files that may contain information about a running process, such as passwords, API keys, access tokens, database connection strings, and other sensitive values passed through command line arguments or environment variables. Once the information is collected, it's packed into a TAR archive, compressed with GZIP, encrypted using an AES-256-GCM key protected by an RSA-2048 public key embedded in TaskWeaver, and exfiltrated to attacker-controlled infrastructure ("96.126.130[.]126:58942"). The campaign illustrates how threat actors are increasingly going after artificial intelligence (AI)-powered platforms as the technology gets embedded across enterprise workflows, enabling them to abuse the AI assistants' privileges to access sensitive data. "A single authentication bypass became a pathway into everything the managed systems could reach, from cloud platforms and code repositories to AI tools, cryptocurrency wallets, and customer infrastructure," the researchers said. "Credentials accessible from a developer or administrator workstation may provide entry into production infrastructure, build pipelines, source code repositories, deployment platforms, cloud tenants, and customer environments long after the original endpoint has been contained." The active exploitation of CVE-2026-48558 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 2, 2026.
Share
Copy Link
Threat actors are exploiting CVE-2026-48558, a critical authentication bypass flaw in SimpleHelp, to deploy TaskWeaver malware and Djinn Stealer. The cross-platform information stealer targets developer credentials, cloud infrastructure, and AI coding assistants like Claude, Gemini, and Codex across Windows, macOS, and Linux systems.
Threat actors are actively exploiting CVE-2026-48558, a maximum-severity authentication bypass flaw in SimpleHelp, to deploy two previously undocumented malware families targeting developers and IT infrastructure. The SimpleHelp vulnerability affects servers configured with OpenID Connect (OIDC) authentication protocol, allowing unauthenticated attackers to create highly privileged Technician sessions without credentials
1
2
. SimpleHelp, an RMM platform primarily used by managed service providers, IT departments, and system administrators, had approximately 1,000 vulnerable servers exposed online at the time of disclosure, according to offensive security company Horizon3.ai1
.
Source: BleepingComputer
The exploitation of a critical vulnerability begins with attackers establishing an authenticated Technician session on internet-facing SimpleHelp servers. Managed detection and response provider Blackpoint investigated an incident where the compromised RMM platform provided attackers with a trusted administrative channel capable of transferring files and executing commands on managed systems
1
. TaskWeaver malware, downloaded as an obfuscated JavaScript file named 'jquery.js' from a temporary Cloudflare domain, functions as a heavily obfuscated Node.js loader that fingerprints compromised devices and communicates with command-and-control infrastructure at a.dev-tunnels[.]com2
. The loader implements an encrypted, reusable payload delivery channel rather than fixed post-exploitation commands, allowing attackers to retrieve and execute additional JavaScript modules with elevated runtime access2
.
Source: Hacker News
Djinn Stealer represents a sophisticated cross-platform information stealer designed to collect sensitive data from Windows, macOS, and Linux systems in a single pass. The malware demonstrates particular focus on AI development tools, targeting configuration files, authentication tokens, session data, and Model Context Protocol (MCP) configurations for AI coding assistants including Claude, Gemini, Codex, Cline, OpenCode, and Kilo
1
. Blackpoint researchers warn that credential theft from these AI-powered platforms could allow attackers to inherit the AI assistant's authorized access to repositories, cloud resources, databases, and APIs1
. The stealer also harvests credentials from cloud providers including AWS, Azure, Google Cloud, Oracle Cloud Infrastructure, Okta, Cloudflare, DigitalOcean, Linode, Heroku, Vercel, Railway, and Supabase2
.The malware targets an extensive collection of developer and infrastructure credentials beyond AI coding assistants. Djinn Stealer harvests Git configuration, GitHub CLI data, SSH keys, Docker credentials, Helm registry information, and infrastructure-as-code tools including Terraform and Pulumi
1
. Authentication data for package registries and build tools such as npm, Yarn, pnpm, Cargo, Maven, Gradle, pip, and NuGet are also collected, potentially enabling access to private packages or malicious package publication1
. Cryptocurrency wallets associated with Bitcoin, Litecoin, Dogecoin, Dash, Ethereum, Monero, Zcash, Exodus, Atomic Wallet, and Electrum are targeted alongside browser data, shell history, PGP keys, and database client configurations2
.On Linux systems, Djinn Stealer attempts to read /proc/ 2 1 2
Related Stories
The campaign illustrates how threat actors are increasingly targeting AI-powered platforms as the technology becomes embedded across enterprise workflows. Many AI development tools rely on the Model Context Protocol (MCP) to connect AI assistants to external tools and data on developers' behalf, including source repositories, databases, cloud accounts, and internal APIs
1
. Settings and tokens for these connections are stored locally in files such as ~/.claude/mcp.json, and stealing them can grant attackers the same downstream access developers extended to their AI agents1
. Blackpoint researchers noted that "a single authentication bypass became a pathway into everything the managed systems could reach, from cloud platforms and code repositories to AI tools, cryptocurrency wallets, and customer infrastructure"2
.Active exploitation of CVE-2026-48558 demands immediate attention from system administrators managing SimpleHelp instances. Organizations should prioritize updating to the latest versions and invalidate any unrecognized Technician sessions
1
. If breached, rotating all credentials and API keys is essential. The vulnerability affects servers using either generic OIDC or Azure AD OIDC, and even when SimpleHelp servers are configured to enforce multi-factor authentication for technicians, attackers can bypass this mechanism because on first login, technicians can self-register their own MFA method2
. Blackpoint's report provides indicators of compromise including hashes for TaskWeaver loader and Djinn Stealer, along with network indicators for cybersecurity teams to monitor1
.Summarized by
Navi
[1]
31 Mar 2026•Technology

27 May 2026•Technology

16 Feb 2026•Technology

1
Technology

2
Policy and Regulation

3
Technology
