Critical SimpleHelp Flaw Exploited to Deploy TaskWeaver and Djinn Stealer Malware

A previously unknown threat actor is actively exploiting a critical vulnerability in SimpleHelp remote monitoring and management (RMM) software to deploy two newly identified malware families—TaskWeaver and Djinn Stealer.

The campaign takes advantage of CVE-2026-48558, a maximum-severity authentication bypass vulnerability with a CVSS score of 10.0. The flaw affects SimpleHelp servers configured with OpenID Connect (OIDC) authentication and allows attackers to gain unauthorized technician-level access by submitting forged identity tokens.

Critical Authentication Bypass Opens the Door

The vulnerability impacts deployments using generic OIDC or Azure Active Directory OIDC authentication. Due to improper validation of identity provider (IdP) assertions, attackers can create a fully authenticated technician session without valid credentials.

Once authenticated, the attacker gains the same privileges as a legitimate technician, including the ability to remotely access managed systems, execute scripts, transfer files, and perform administrative actions. Even environments protected by multi-factor authentication (MFA) remain vulnerable because newly created technician accounts can register their own MFA method during the initial login.

Attack Chain Deploys TaskWeaver Loader

After successfully exploiting the flaw, the attackers use the compromised SimpleHelp server to distribute TaskWeaver, a heavily obfuscated Node.js-based malware loader.

Disguised as jquery.js and executed through node.exe, TaskWeaver establishes an encrypted communication channel with a remote command-and-control server. Rather than embedding malicious functionality directly, the loader downloads and executes additional JavaScript payloads, making it highly modular and difficult to analyze.

The malware also collects system information before retrieving its next-stage payload.
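A detection check written for this section (added example, not code from the article or the malware): it scans constructed process-creation events, with field names borrowed from Sysmon Event ID 1, for node.exe launching a known library filename such as jquery.js or running from outside its usual install directory. The trusted path, the library-name list and the sample events are assumptions.

```python
"""Hunt for node.exe running a library-named script such as jquery.js.

Added example, not from the original article. Flags process-creation events where
node.exe executes a known library filename as its script, or runs from outside
the expected install directory. Sample events and paths below are constructed.
"""
from typing import Dict, Iterable, List, Tuple

# Library filenames that are never a legitimate top-level Node entry point (assumed list).
LIBRARY_NAMES = {"jquery.js", "jquery.min.js"}
# Directory Node.js is normally installed to on Windows (assumption; adjust per fleet).
TRUSTED_NODE_DIRS = ("c:\\program files\\nodejs\\",)

# Constructed sample events (Sysmon Event ID 1 field names); not real IoCs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js'},
    {"Image": r"C:\Users\Public\node.exe",
     "CommandLine": r"node.exe C:\Users\Public\jquery.js"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe jquery.js"},
]

def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()

def script_args(cmdline: str) -> List[str]:
    """Return the .js arguments of a command line (quotes stripped; paths containing
    spaces are not reassembled, which is acceptable for a first-pass hunt)."""
    return [t.strip('"') for t in cmdline.split() if t.strip('"').lower().endswith(".js")]

def suspicious_node_launches(events: Iterable[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (CommandLine, reasons) for every node.exe launch that trips a rule."""
    findings = []
    for ev in events:
        if basename(ev["Image"]) != "node.exe":
            continue  # only Node.js launches are in scope
        reasons = []
        if not ev["Image"].lower().startswith(TRUSTED_NODE_DIRS):
            reasons.append("node.exe outside trusted install directory")
        for script in script_args(ev["CommandLine"]):
            if basename(script) in LIBRARY_NAMES:
                reasons.append(f"library filename {basename(script)} executed as a script")
        if reasons:
            findings.append((ev["CommandLine"], reasons))
    return findings

if __name__ == "__main__":
    for cmd, why in suspicious_node_launches(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(why))
```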

Djinn Stealer Targets Multiple Operating Systems

The second-stage malware, Djinn Stealer, is an advanced information stealer capable of infecting Windows, macOS, and Linux systems.

Its primary objective is to harvest sensitive credentials and configuration files from a wide range of applications, cloud platforms, development tools, and cryptocurrency wallets.

Data Targeted by Djinn Stealer

The malware is designed to collect:

  • Browser passwords, browsing history, and bookmarks
  • SSH keys and Git configuration files
  • GitHub CLI credentials
  • Docker authentication data
  • Helm registry credentials
  • Amazon S3 and MinIO configurations
  • Subversion credentials
  • Cloud platform credentials for AWS, Azure, Google Cloud, Oracle Cloud Infrastructure, DigitalOcean, Linode, Heroku, Vercel, Railway, Supabase, Terraform, Pulumi, HashiCorp Vault, Consul, Cloudflare, and Okta
  • Package manager credentials for npm, pnpm, Yarn, NuGet, Cargo, Composer, Maven, Gradle, pip, PyPI, Conda, Bun, Ivy, and Scala Build Tool
  • Authentication data related to AI development tools, including Anthropic Claude, Google Gemini, OpenAI Codex, Cline, OpenCode, and Kilo
  • Cryptocurrency wallet data for Bitcoin, Ethereum, Litecoin, Dogecoin, Dash, Monero, Zcash, Exodus, Atomic Wallet, and Electrum

On Linux systems, Djinn Stealer also inspects the /proc filesystem to extract sensitive information such as passwords, API keys, authentication tokens, and database connection strings stored in process arguments or environment variables.
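A defender-side audit for the exposure just described (added example, not the article's or the malware's code): it reads the same /proc data a stealer would and reports which processes expose secret-like command-line flags or environment variable names, printing names only, never values. The secret-name patterns and the sample process data are constructed assumptions; note that /proc/<pid>/cmdline is world-readable while environ is restricted to the process owner and root.

```python
"""Audit which local processes expose secret-like material through /proc.

Added example, not from the article. Reports flag and variable names only, never
the values. Name patterns are assumptions; tune them to your environment.
"""
import re
from pathlib import Path
from typing import Dict, List

SECRET_ENV_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY", re.I)
# A flag or VAR=value carrying a secret inline. Unlike environ (readable only by the
# owner or root), /proc/<pid>/cmdline is world-readable, so this is the worse leak.
SECRET_ARG = re.compile(r"^(--?(?:password|passwd|token|api[-_]?key)|\w*(?:SECRET|TOKEN|PASSWORD)\w*)=", re.I)
DB_URL = re.compile(r"^[a-z][a-z0-9+.-]*://[^:/@\s]+:[^@\s]+@", re.I)  # scheme://user:pass@host

def parse_nul_separated(raw: bytes) -> List[str]:
    return [s.decode("utf-8", "replace") for s in raw.split(b"\0") if s]  # cmdline/environ format

def audit_process(cmdline: bytes, environ: bytes) -> List[str]:
    """Return human-readable findings for one process, with secret values redacted."""
    findings = []
    for arg in parse_nul_separated(cmdline):
        m = SECRET_ARG.match(arg)
        if m:
            findings.append(f"cmdline (world-readable): {m.group(1)}=<redacted>")
        elif DB_URL.match(arg):
            findings.append("cmdline (world-readable): connection string with embedded password")
    for kv in parse_nul_separated(environ):
        name = kv.split("=", 1)[0]
        if SECRET_ENV_NAME.search(name):
            findings.append(f"environ: {name}")
    return findings

def audit_live_proc() -> Dict[int, List[str]]:
    """Scan the real /proc (Linux). environ of other users' processes is unreadable and skipped."""
    results = {}
    for proc in (p for p in Path("/proc").iterdir() if p.name.isdigit()):
        try:
            cmd = (proc / "cmdline").read_bytes()
            try:
                env = (proc / "environ").read_bytes()
            except PermissionError:
                env = b""
        except (FileNotFoundError, ProcessLookupError):
            continue  # process exited mid-scan
        if hits := audit_process(cmd, env):
            results[int(proc.name)] = hits
    return results

# Constructed sample of a leaky process; the secrets are fake placeholders.
SAMPLE_CMDLINE = b"psql\0--password=hunter2\0postgres://app:s3cret@db.internal/prod\0"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0AWS_SECRET_ACCESS_KEY=FAKE0000\0HOME=/srv/app\0"
```

Run `audit_process(SAMPLE_CMDLINE, SAMPLE_ENVIRON)` to see the three findings for the constructed process, or `audit_live_proc()` on a Linux host to list real exposures by PID.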

Encrypted Data Exfiltration

After gathering the stolen information, the malware packages the data into a TAR archive, compresses it using GZIP, and encrypts it with AES-256-GCM. The encryption key is further protected using an embedded RSA-2048 public key before the archive is transmitted to attacker-controlled infrastructure.

This layered encryption makes it more difficult for defenders to inspect or recover stolen data during transmission: because the per-archive AES key is wrapped with the attacker's RSA public key, captured traffic can only be decrypted by whoever holds the matching private key.

AI Platforms Become a New Target

The campaign highlights an emerging trend in cyberattacks where threat actors are expanding beyond traditional credentials to target AI-powered development assistants and enterprise productivity tools.

Compromising these platforms can provide attackers with access to proprietary source code, cloud environments, deployment pipelines, infrastructure credentials, and sensitive customer data, significantly increasing the impact of a single successful intrusion.

CISA Adds Vulnerability to KEV Catalog

Due to active exploitation in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-48558 to its Known Exploited Vulnerabilities (KEV) catalog.

Federal Civilian Executive Branch (FCEB) agencies are required to apply security updates by July 2, 2026, emphasizing the urgency of patching affected SimpleHelp deployments.

Recommendations for Organizations

Organizations using SimpleHelp should immediately install the latest security updates, review technician accounts for unauthorized access, enforce strict monitoring of remote management activities, and investigate systems for signs of TaskWeaver or Djinn Stealer infections. Administrators should also rotate exposed credentials, particularly those related to cloud services, development platforms, AI tools, and cryptocurrency wallets, if compromise is suspected.
