Hackers exploit critical SimpleHelp vulnerability to deploy Djinn Stealer targeting AI tools

2 Sources

Share

Threat actors are exploiting CVE-2026-48558, a critical authentication bypass flaw in SimpleHelp, to deploy TaskWeaver malware and Djinn Stealer. The cross-platform information stealer targets developer credentials, cloud infrastructure, and AI coding assistants like Claude, Gemini, and Codex across Windows, macOS, and Linux systems.

Critical SimpleHelp Vulnerability Enables Widespread Attack

Threat actors are actively exploiting CVE-2026-48558, a maximum-severity authentication bypass flaw in SimpleHelp, to deploy two previously undocumented malware families targeting developers and IT infrastructure. The SimpleHelp vulnerability affects servers configured with OpenID Connect (OIDC) authentication protocol, allowing unauthenticated attackers to create highly privileged Technician sessions without credentials

1

2

. SimpleHelp, an RMM platform primarily used by managed service providers, IT departments, and system administrators, had approximately 1,000 vulnerable servers exposed online at the time of disclosure, according to offensive security company Horizon3.ai

1

.

Source: BleepingComputer

Source: BleepingComputer

TaskWeaver Malware Delivers Sophisticated Payload

The exploitation of a critical vulnerability begins with attackers establishing an authenticated Technician session on internet-facing SimpleHelp servers. Managed detection and response provider Blackpoint investigated an incident where the compromised RMM platform provided attackers with a trusted administrative channel capable of transferring files and executing commands on managed systems

1

. TaskWeaver malware, downloaded as an obfuscated JavaScript file named 'jquery.js' from a temporary Cloudflare domain, functions as a heavily obfuscated Node.js loader that fingerprints compromised devices and communicates with command-and-control infrastructure at a.dev-tunnels[.]com

2

. The loader implements an encrypted, reusable payload delivery channel rather than fixed post-exploitation commands, allowing attackers to retrieve and execute additional JavaScript modules with elevated runtime access

2

.

Source: Hacker News

Source: Hacker News

Djinn Stealer Targets Developer Credentials and AI Development Tools

Djinn Stealer represents a sophisticated cross-platform information stealer designed to collect sensitive data from Windows, macOS, and Linux systems in a single pass. The malware demonstrates particular focus on AI development tools, targeting configuration files, authentication tokens, session data, and Model Context Protocol (MCP) configurations for AI coding assistants including Claude, Gemini, Codex, Cline, OpenCode, and Kilo

1

. Blackpoint researchers warn that credential theft from these AI-powered platforms could allow attackers to inherit the AI assistant's authorized access to repositories, cloud resources, databases, and APIs

1

. The stealer also harvests credentials from cloud providers including AWS, Azure, Google Cloud, Oracle Cloud Infrastructure, Okta, Cloudflare, DigitalOcean, Linode, Heroku, Vercel, Railway, and Supabase

2

.

Broad Scope of Targeted Infrastructure and Credentials

The malware targets an extensive collection of developer and infrastructure credentials beyond AI coding assistants. Djinn Stealer harvests Git configuration, GitHub CLI data, SSH keys, Docker credentials, Helm registry information, and infrastructure-as-code tools including Terraform and Pulumi

1

. Authentication data for package registries and build tools such as npm, Yarn, pnpm, Cargo, Maven, Gradle, pip, and NuGet are also collected, potentially enabling access to private packages or malicious package publication

1

. Cryptocurrency wallets associated with Bitcoin, Litecoin, Dogecoin, Dash, Ethereum, Monero, Zcash, Exodus, Atomic Wallet, and Electrum are targeted alongside browser data, shell history, PGP keys, and database client configurations

2

.

Advanced Exfiltration and Encryption Techniques

On Linux systems, Djinn Stealer attempts to read /proc//cmdline and /proc//environ virtual files containing information about running processes, including passwords, API keys, access tokens, and database connection strings passed through command line arguments or environment variables

2

. Before exfiltration, the malware packs collected data into a TAR archive, compresses it with GZIP, and encrypts it using an AES-256-GCM key protected by an RSA-2048 public key embedded in TaskWeaver

1

. The encrypted data is then exfiltrated to attacker-controlled infrastructure at 96.126.130[.]126:58942

2

.

Implications for AI-Powered Development Environments

The campaign illustrates how threat actors are increasingly targeting AI-powered platforms as the technology becomes embedded across enterprise workflows. Many AI development tools rely on the Model Context Protocol (MCP) to connect AI assistants to external tools and data on developers' behalf, including source repositories, databases, cloud accounts, and internal APIs

1

. Settings and tokens for these connections are stored locally in files such as ~/.claude/mcp.json, and stealing them can grant attackers the same downstream access developers extended to their AI agents

1

. Blackpoint researchers noted that "a single authentication bypass became a pathway into everything the managed systems could reach, from cloud platforms and code repositories to AI tools, cryptocurrency wallets, and customer infrastructure"

2

.

Urgent Actions Required for System Administrators

Active exploitation of CVE-2026-48558 demands immediate attention from system administrators managing SimpleHelp instances. Organizations should prioritize updating to the latest versions and invalidate any unrecognized Technician sessions

1

. If breached, rotating all credentials and API keys is essential. The vulnerability affects servers using either generic OIDC or Azure AD OIDC, and even when SimpleHelp servers are configured to enforce multi-factor authentication for technicians, attackers can bypass this mechanism because on first login, technicians can self-register their own MFA method

2

. Blackpoint's report provides indicators of compromise including hashes for TaskWeaver loader and Djinn Stealer, along with network indicators for cybersecurity teams to monitor

1

.

Today's Top Stories

© 2026 TheOutpost.AI All rights reserved