Hackers are leveraging a recently disclosed critical vulnerability, **CVE-2026-48558**, in the **SimpleHelp** platform to deploy **Djinn Stealer**. This previously undocumented cross-platform information stealer targets Windows, macOS, and Linux environments. **SimpleHelp** is widely utilized by managed service providers (**MSPs**), IT departments, helpdesks, and system administrators for remote monitoring and management (**RMM**). ### The Critical SimpleHelp Vulnerability Earlier this month, offensive security firm **Horizon3.ai** detailed **CVE-2026-48558**, an authentication bypass flaw that permits the creation of highly privileged technician accounts without proper authentication. The vulnerability is exploitable on **SimpleHelp** servers configured with the **OpenID Connect (OIDC)** authentication protocol. At the time of disclosure, approximately 1,000 **SimpleHelp** servers exposed online were found to be running a vulnerable configuration. ### Djinn Stealer in Action **Blackpoint**, a managed detection and response (**MDR**) provider, investigated an incident where a threat actor exploited this critical flaw. The attacker established an authenticated technician session on an internet-facing **SimpleHelp** server, subsequently deploying the **TaskWeaver** malware loader and the **Djinn Stealer**. According to **Blackpoint**'s **Adversary Pursuit Group (APG)**, both **TaskWeaver** and **Djinn Stealer** are new and had not been documented prior to this discovery. "The compromised **RMM** platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server," **Blackpoint** stated in their report. ### How TaskWeaver and Djinn Stealer Operate The investigation revealed that **TaskWeaver** was delivered as an obfuscated JavaScript file, named ‘jquery.js,’ downloaded from a temporary **Cloudflare** domain. **TaskWeaver** functions as a generic malware loader. It fingerprints the compromised device and communicates with its command-and-control (**C2**) infrastructure to receive additional JavaScript modules for execution. The loader then installs **Djinn Stealer**. **Djinn Stealer** is designed to perform a comprehensive data collection sweep, targeting sensitive information from developer machines across Windows, macOS, and Linux. ### Focus on AI Development Tools and Developer Credentials **Blackpoint** highlights that **Djinn Stealer** specifically targets AI development tools, alongside a broad array of other developer and infrastructure credentials. This includes: * Cloud provider credentials, identity services, deployment platforms, and cloud management tools. * Git configuration, **GitHub CLI**, **SSH** keys, **Docker** credentials, **Helm**, infrastructure-as-code tools (**Terraform**, **Pulumi**), secrets management solutions (**HashiCorp Vault**), and package manager credentials. * Authentication data for package registries and build tools (**npm**, **Yarn**, **pnpm**, **Cargo**, **Maven**, **Gradle**, **pip**, **NuGet**), potentially enabling access to private packages or facilitating malicious package publication. * Local configuration files, authentication tokens, session data, and **Model Context Protocol (MCP)** configuration for AI coding assistants (**Claude**, **Gemini**, **Codex**, **Cline**, **OpenCode**, and **Kilo**). * Cryptocurrency wallets and keystores associated with desktop cryptocurrency clients (**Bitcoin**, **Litecoin**, **Dogecoin**, **Dash**, **Ethereum**, **Monero**, **Zcash**, **Exodus**, **Atomic Wallet**, and **Electrum**). * Browser data, shell history, **SSH** configuration, **PGP** keys, database client configuration, operating system information, and other user files. On Linux systems, the malware also attempts to read virtual files like `/proc/<pid>/cmdline` and `/proc/<pid>/environ`, which can contain process-related secrets such as **API** keys, credentials, and session tokens.  **Blackpoint** researchers warn that the theft of credentials for AI development tooling could grant attackers the same authorized access to repositories, cloud resources, databases, and **APIs** that the **AI** assistant possesses.  “Many of these tools rely on the **Model Context Protocol (MCP)** to connect an **AI** assistant to external tools and data on the developer's behalf, including source repositories, databases, cloud accounts, and internal **APIs**,” the researchers explained. “The settings and tokens for those connections are stored locally in files such as `~/.claude/mcp.json`. Stealing them can grant an attacker the same downstream access the developer extended to their **AI** agent, reaching well beyond the **AI** service itself.” Before exfiltrating the collected data to the **C2** server, **Djinn Stealer** packages it into a **TAR** archive, compresses it with **GZIP**, and encrypts it using an **AES-256-GCM** key protected by an **RSA-2048** public key embedded within **TaskWeaver**.  ### Urgent Call to Action Active exploitation of **CVE-2026-48558** underscores the urgent need for system administrators to prioritize updating their **SimpleHelp** instances to the latest versions. It is also recommended to invalidate any unrecognized technician sessions and, in the event of a breach, rotate all credentials and **API** keys. **Blackpoint**'s report provides comprehensive indicators of compromise (**IoCs**) from the observed intrusion, including hashes for the **TaskWeaver** loader and **Djinn Stealer**, network infrastructure details, and host and behavioral indicators.