Critical SimpleHelp RMM Flaw Exploited to Deploy Djinn Stealer & TaskWeaver Malware
Attackers exploit CVE-2026-48558 authentication bypass in SimpleHelp to deploy previously undocumented Djinn Stealer infostealer and TaskWeaver loader targeting Windows, macOS, and Linux systems.
Attack Brief
Target: SimpleHelp remote monitoring and management (RMM) platform
Vector: Authentication bypass via OpenID Connect (OIDC) protocol misconfiguration (CVE-2026-48558), used to create privileged technician accounts and deploy malware
Attribution: unattributed
Technical Details
CVE IDs: CVE-2026-48558
MITRE ATT&CK: T1078, T1105, T1059.007, T1005, T1555
IoCs: jquery.js (obfuscated JavaScript loader); temporary Cloudflare domain (C2)
Affected: SimpleHelp servers configured with OpenID Connect (OIDC) authentication; approximately 1,000 vulnerable instances exposed online at time of disclosure
Impact
Sectors: managed service providers (MSPs), IT departments, system administration, software development
Confirmed Damage: Djinn Stealer targets developer credentials including cloud provider accounts, Git/GitHub credentials, SSH keys, Docker credentials, Terraform/Pulumi configurations, HashiCorp Vault secrets, npm/Yarn/pip package manager credentials, AI coding assistant tokens (Claude, Gemini, Codex, Cline), cryptocurrency wallets (Bitcoin, Litecoin, Dogecoin, Dash, Ethereum, Monero, Zcash, Exodus, Atomic Wallet, Electrum), browser data, shell history, PGP keys, and database client configurations
Mitigation
Detection: Monitor for creation of unauthorized technician accounts on SimpleHelp servers; detect obfuscated JavaScript file transfers named 'jquery.js'; identify C2 communications to temporary Cloudflare domains from managed systems
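The three detections above, applied to constructed sample events, as an added example that is not part of this brief and not SimpleHelp's own tooling. The log line format, the set of approved account-creating actors, and the use of trycloudflare.com hostnames to represent "temporary Cloudflare domains" are all assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample events in a hypothetical, simplified line format
# (not SimpleHelp's real log format): "<timestamp> <event_type> key=value ...".
SAMPLE_LOG = """\
2026-05-01T09:12:01Z account_created user=tech-ops role=technician actor=admin
2026-05-01T09:14:22Z account_created user=svc_helper role=technician actor=oidc_callback
2026-05-01T09:15:03Z file_transfer name=jquery.js dest=HOST-DEV-07 bytes=48211
2026-05-01T09:15:04Z file_transfer name=report.pdf dest=HOST-FIN-02 bytes=120044
2026-05-01T09:16:10Z outbound_connection host=HOST-DEV-07 dst=quiet-sun-1234.trycloudflare.com port=443
2026-05-01T09:16:11Z outbound_connection host=HOST-FIN-02 dst=updates.example-vendor.invalid port=443
"""

# Assumption: "temporary Cloudflare domain" is modelled as a Cloudflare quick-tunnel
# hostname under trycloudflare.com; extend this tuple with domains from your own triage.
TEMP_CF_SUFFIXES = (".trycloudflare.com",)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into a dict of ts, event and key=value fields."""
    ts, event, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields.update(ts=ts, event=event)
    return fields


def detect(log_text: str, approved_actors: set) -> List[Dict[str, str]]:
    """Apply the brief's three detections; returns one alert dict per matching event."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Rule 1: technician account created by anyone outside the approved admin set
        if ev["event"] == "account_created" and ev.get("role") == "technician" \
                and ev.get("actor") not in approved_actors:
            alerts.append({"rule": "unauthorized_technician_account", "user": ev["user"], "ts": ev["ts"]})
        # Rule 2: transfer of a file named jquery.js (the obfuscated JavaScript loader IoC)
        elif ev["event"] == "file_transfer" and ev.get("name", "").lower() == "jquery.js":
            alerts.append({"rule": "jquery_js_loader_transfer", "dest": ev["dest"], "ts": ev["ts"]})
        # Rule 3: managed host connecting to a temporary Cloudflare tunnel hostname
        elif ev["event"] == "outbound_connection" and ev.get("dst", "").lower().endswith(TEMP_CF_SUFFIXES):
            alerts.append({"rule": "temp_cloudflare_c2", "host": ev["host"], "dst": ev["dst"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, approved_actors={"admin"}):
        print(alert)
```

Each rule fires once on the sample: the OIDC-originated technician account, the jquery.js transfer to HOST-DEV-07, and that same host's connection to the trycloudflare.com hostname, which is the chain the brief describes.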
Context
Similar Attacks: TaskWeaver functions as a generic malware loader that performs device fingerprinting and receives JavaScript modules from C2 infrastructure; Djinn Stealer is a new cross-platform infostealer focused on developer toolchain and AI assistant credentials