Critical SimpleHelp flaw exploited to deploy new stealer malware

Hackers are exploiting a recently disclosed critical vulnerability (CVE-2026-48558) in SimpleHelp to deploy Djinn Stealer, a previously undocumented cross-platform information stealer targeting Windows, macOS, and Linux.

The SimpleHelp platform is primarily used by managed service providers (MSPs), IT departments, helpdesks, and system administrators for remote monitoring and management (RMM).

Earlier this month, offensive security company Horizon3.ai published details about CVE-2026-48558, saying that the flaw could be leveraged to create highly privileged technician accounts without authentication.

Exploiting the vulnerability is possible on servers using the OpenID Connect (OIDC) authentication protocol. According to the researchers, around 1,000 SimpleHelp servers exposed online were running a vulnerable configuration at the time of the disclosure.

In an incident investigated by managed detection and response (MDR) provider Blackpoint, a threat actor exploited the critical authentication bypass vulnerability to establish an authenticated technician session on an internet-facing SimpleHelp server before deploying the TaskWeaver malware loader and the Djinn Stealer.

Based on the findings from the Adversary Pursuit Group (APG), the company’s threat intelligence and research team, both pieces of malware are new and have not been documented before.

“The compromised RMM platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server,” Blackpoint says.

The investigation revealed that TaskWeaver was downloaded in the form of an obfuscated JavaScript file named ‘jquery.js’ from a temporary Cloudflare domain.

TaskWeaver is a generic malware loader that fingerprints the compromised device and communicates with the command-and-control (C2) infrastructure to receive new JavaScript modules for execution.

The loader then installs Djinn Stealer to collect in a single pass all the sensitive data it can find on a developer’s machine, be it Windows, macOS, or Linux.

Blackpoint mentions that Djinn Stealer has a particular focus on AI development tools, but targets a broad collection of developer and infrastructure credentials:

  • Cloud provider credentials, identity services, deployment platforms, and cloud management tools.
  • Git configuration, GitHub CLI, SSH keys, Docker credentials, Helm, infrastructure-as-code tools (Terraform, Pulumi), secrets management solutions (HashiCorp Vault), and package manager credentials.
  • Authentication data for package registries and build tools (npm, Yarn, pnpm, Cargo, Maven, Gradle, pip, NuGet), potentially enabling access to private packages or malicious package publication.
  • Local configuration files, authentication tokens, session data, and Model Context Protocol (MCP) configuration for AI coding assistants (Claude, Gemini, Codex, Cline, OpenCode, and Kilo).
  • Cryptocurrency wallets and keystores associated with multiple desktop cryptocurrency clients (Bitcoin, Litecoin, Dogecoin, Dash, Ethereum, Monero, Zcash, Exodus, Atomic Wallet, and Electrum).
  • Browser data, shell history, SSH configuration, PGP keys, database client configuration, operating system information, and other user files.

On Linux, the malware also attempts to read the /proc/<pid>/cmdline and /proc/<pid>/environ virtual files that contain information about a running process, including secrets (e.g., API keys, credentials, session tokens, file paths, URLs).

Function targeting Linux environments
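
For defenders, the same /proc exposure can be measured before an intruder reads it. The following Python audit is an added example, not code from Blackpoint's report or from the malware; it lists which processes carry secret-looking environment variables or command-line options and reports names only, never values. The name pattern is an assumed heuristic.

```python
import os
import re

# Assumed heuristic: variable and option names that usually hold credentials.
SECRET_NAME = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|API[_-]?KEY|CREDENTIAL)", re.I)


def secret_env_names(environ: bytes) -> list[str]:
    """Names (never values) of secret-looking variables in an environ blob."""
    pairs = (e.partition("=") for e in environ.decode("utf-8", "replace").split("\0"))
    return sorted({n for n, sep, v in pairs if sep and v and SECRET_NAME.search(n)})


def secret_args(cmdline: bytes) -> list[str]:
    """Option names whose secret value is passed as a command-line argument."""
    argv = [a for a in cmdline.decode("utf-8", "replace").split("\0") if a]
    hits = []
    for i, arg in enumerate(argv):
        opt, sep, value = arg.partition("=")
        has_value = bool(value) if sep else (i + 1 < len(argv) and not argv[i + 1].startswith("-"))
        if arg.startswith("-") and has_value and SECRET_NAME.search(opt):
            hits.append(opt)
    return hits


def audit_proc(proc_root: str = "/proc") -> dict[int, dict[str, list[str]]]:
    """Scan each process directory; skip files that vanish or deny access."""
    report = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        found = {}
        for kind, parse in (("environ", secret_env_names), ("cmdline", secret_args)):
            try:
                with open(os.path.join(proc_root, entry, kind), "rb") as fh:
                    hits = parse(fh.read())
            except OSError:  # process exited, or belongs to another user
                continue
            if hits:
                found[kind] = hits
        if found:
            report[int(entry)] = found
    return report


if __name__ == "__main__":
    # Constructed sample blob; on Linux the second line scans the live /proc.
    print(secret_env_names(b"HOME=/home/dev\0GITHUB_TOKEN=constructed\0"))
    print(audit_proc() if os.path.isdir("/proc") else "no /proc on this host")
```

Processes that appear in the report are candidates for moving credentials out of the environment and argument list, for example into a file with restrictive permissions or a secrets manager.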

Blackpoint researchers warn that stealing credentials for AI development tooling, which is widely used for coding and software development, could allow attackers to inherit the AI assistant’s authorized access to repositories, cloud resources, databases, and APIs.

Djinn stealer targeting AI tooling

“Many of these tools rely on the Model Context Protocol (MCP) to connect an AI assistant to external tools and data on the developer’s behalf, including source repositories, databases, cloud accounts, and internal APIs,” explain the researchers.

“The settings and tokens for those connections are stored locally in files such as ~/.claude/mcp.json. Stealing them can grant an attacker the same downstream access the developer extended to their AI agent, reaching well beyond the AI service itself.”
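
A defender can check how much of that downstream access is sitting in plaintext. The Python audit below is an added example, not part of Blackpoint's report; it flags MCP server entries that store a credential inline and checks whether the file is accessible to other local users. The `mcpServers` layout with `env`, `args`, and `headers` keys, the `${VAR}` placeholder syntax, and all sample names and values are assumptions.

```python
import json
import os
import re
import stat

SECRET_NAME = re.compile(r"(SECRET|TOKEN|PASSWORD|API[_-]?KEY|AUTHORIZATION|CREDENTIAL)", re.I)
REFERENCE = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*(:-[^}]*)?\}$")  # assumed ${VAR} syntax


def literal_secrets(config_text: str) -> list[tuple[str, str]]:
    """Return (server, location) pairs where a credential is stored inline."""
    servers = json.loads(config_text).get("mcpServers", {})  # assumed layout
    findings = []
    for name, spec in sorted(servers.items()):
        for section in ("env", "headers"):
            for key, value in sorted(spec.get(section, {}).items()):
                if SECRET_NAME.search(key) and value and not REFERENCE.match(str(value)):
                    findings.append((name, f"{section}.{key}"))
        for i, arg in enumerate(spec.get("args", [])):
            opt, sep, value = str(arg).partition("=")
            if sep and value and SECRET_NAME.search(opt) and not REFERENCE.match(value):
                findings.append((name, f"args[{i}]"))
    return findings


def audit_file(path: str) -> dict:
    """Audit a config on disk: inline credentials, and group/other access to the file."""
    exposed = bool(stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO))
    with open(path, encoding="utf-8") as fh:
        return {"inline": literal_secrets(fh.read()), "exposed": exposed}


# Constructed sample; every value is a placeholder, not a real credential.
SAMPLE = """
{"mcpServers": {
  "github":   {"command": "npx", "args": ["-y", "example-github-mcp"],
               "env": {"GITHUB_TOKEN": "constructed-literal-value"}},
  "postgres": {"command": "example-pg-mcp", "args": ["--password=constructed"]},
  "internal": {"url": "https://mcp.internal.example/api",
               "headers": {"Authorization": "${INTERNAL_API_TOKEN}"}}
}}
"""

if __name__ == "__main__":
    for server, where in literal_secrets(SAMPLE):
        print(f"{server}: inline credential at {where}")
```

Calling `audit_file` on the path the researchers cite, `~/.claude/mcp.json`, gives the list of tokens that would need rotation if the host were compromised.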

Before exfiltrating the sensitive data to the C2 server, Djinn Stealer packs it into a TAR archive, then compresses it with GZIP, and encrypts it with an AES-256-GCM key protected by an RSA-2048 public key embedded in TaskWeaver.

Data exfiltration routine

Active exploitation of CVE-2026-48558 should serve as an urgent call for system administrators to prioritize updating SimpleHelp instances to the latest versions.

Administrators are also advised to invalidate any technician sessions they don’t recognize. If a server has been breached, rotate all credentials and API keys.

Blackpoint’s report provides indicators of compromise (IoCs) observed in the investigated intrusion, which include hashes for the TaskWeaver loader and Djinn Stealer, network infrastructure, and host and behavioral indicators.
