A newly identified cyber campaign is exploiting a critical vulnerability in SimpleHelp remote monitoring and management (RMM) software to deploy two previously undocumented malware families, TaskWeaver and Djinn Stealer. Security researchers at Blackpoint Cyber reported that the attackers are taking advantage of CVE-2026-48558, a maximum-severity authentication bypass vulnerability with a CVSS score of 10.0. The flaw affects the OpenID Connect authentication process and allows unauthenticated attackers to obtain a fully authenticated Technician session by submitting forged identity claims. Once access is established, threat actors can abuse the trusted management capabilities of the compromised server to execute commands, transfer files, and deploy malware across managed systems. Researchers said the activity demonstrates how vulnerabilities in remote management platforms can provide direct access to enterprise environments and expose valuable business assets.
The vulnerability was disclosed earlier this month by Horizon3.ai, which identified the flaw in SimpleHelp servers configured to use either generic OpenID Connect authentication or Azure Active Directory OpenID Connect integration. According to the researchers, the issue stems from the way SimpleHelp validates identity provider assertions, enabling attackers to create and authenticate as new Technician users without valid credentials. These accounts inherit administrative capabilities that include remote access to managed endpoints, script execution, and other privileged management functions. Horizon3.ai also noted that even deployments enforcing multi-factor authentication for technicians remain vulnerable, because a newly created Technician account can register its own multi-factor authentication method during its initial login.

Blackpoint Cyber observed attackers successfully exploiting the vulnerability on a publicly accessible SimpleHelp server before using the trusted remote management channel to distribute TaskWeaver and Djinn Stealer throughout the affected environment. TaskWeaver operates as a heavily obfuscated Node.js loader delivered as jquery.js and executed through node.exe. Rather than containing a fixed set of commands, the malware establishes encrypted communications with a remote server and retrieves additional JavaScript payloads, allowing attackers to extend its functionality as required during an intrusion.
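As an added illustration (not SimpleHelp's code and not taken from the Horizon3.ai or Blackpoint Cyber reports), the following Python shows the checks a relying party must apply to an OpenID Connect ID token before it creates or logs in a Technician account: pinned algorithm, signature, issuer, audience, expiry and nonce, in that order, so that no claim is trusted before the signature is verified. The issuer, audience and HS256 shared secret are constructed placeholders so the example runs offline; a real deployment verifies the provider's RS256 signature against its published JWKS instead.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical relying-party settings (constructed for this example, not SimpleHelp's).
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "rmm-technician-console"
# An HS256 shared secret stands in for the provider's RS256 key so the example runs offline.
SIGNING_KEY = b"example-shared-secret-do-not-reuse"


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(claims, alg="HS256", key=SIGNING_KEY):
    """Build a compact JWT; used only to construct sample tokens for demonstration."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{b64url_encode(sig)}"


def validate_id_token(token, expected_nonce, now):
    """Return the claims only if every check passes; raise ValueError with the reason otherwise."""
    try:
        header_seg, body_seg, sig_seg = token.split(".")
        header = json.loads(b64url_decode(header_seg))
    except ValueError as exc:  # bad segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # pin the algorithm; never honour "none" or a token-chosen alg
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_seg}.{body_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_seg))  # only now are the claims worth reading
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims
```

Logging the ValueError reason for every rejected token gives a ready signal for alerting on repeated forged or replayed assertions against the login endpoint.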
The final payload, Djinn Stealer, is cross-platform information-stealing malware designed to operate on Windows, macOS, and Linux systems. Researchers found that it targets a broad range of credentials and sensitive information from enterprise environments. The malware collects browser credentials, browsing history, bookmarks, SSH keys, Git configuration data, Docker authentication information, GitHub CLI data, package registry credentials, and authentication details associated with major cloud platforms including Amazon Web Services, Microsoft Azure, Google Cloud, Oracle Cloud Infrastructure, Cloudflare, DigitalOcean, Linode, Heroku, Vercel, Railway, Supabase, Pulumi, Terraform, HashiCorp Vault, and Consul. It also seeks authentication data from development tools and package managers such as npm, Yarn, Maven, Gradle, Composer, Cargo, NuGet, pip, PyPI, Conda, Bun, and Scala Build Tool. The malware further targets AI development platforms including Anthropic Claude, Google Gemini, OpenAI Codex, Cline, OpenCode, and Kilo, while also harvesting cryptocurrency wallet information linked to Bitcoin, Ethereum, Litecoin, Dogecoin, Monero, Zcash, Exodus, Atomic Wallet, and Electrum. On Linux systems, Djinn Stealer additionally attempts to extract sensitive information from the files of running processes, which may expose passwords, API keys, access tokens, database connection strings, and other confidential values passed through command-line arguments or environment variables.
After gathering the stolen information, the malware packages the data into a TAR archive, compresses it with GZIP, encrypts it with AES-256-GCM under a key protected by an embedded RSA-2048 public key, and transmits the archive to attacker-controlled infrastructure. Blackpoint Cyber stated that the campaign highlights how attackers are increasingly focusing on environments where artificial intelligence tools, cloud platforms, development infrastructure, and enterprise management systems intersect, allowing them to obtain a wide range of valuable credentials through a single compromise. Researchers warned that credentials stolen from developer or administrator workstations can continue to provide access to production infrastructure, software development pipelines, source code repositories, cloud environments, deployment platforms, and customer systems long after the originally infected endpoint has been isolated. Due to confirmed active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-48558 to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to apply the available security updates by July 2, 2026.