Threat actors are exploiting a critical authentication bypass vulnerability in SimpleHelp, tracked as CVE-2026-48558, to deploy a newly documented information stealer called Djinn Stealer alongside a malware loader named TaskWeaver. CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on June 29, 2026, citing evidence of active exploitation.

The Vulnerability

CVE-2026-48558 affects SimpleHelp servers configured to use the OpenID Connect (OIDC) authentication protocol. Offensive security firm Horizon3.ai disclosed the flaw earlier in June, explaining that it allows unauthenticated attackers to create highly privileged technician accounts. At the time of disclosure, approximately 1,000 internet-exposed SimpleHelp servers were running a vulnerable configuration. SimpleHelp is widely used by managed service providers, IT departments, and helpdesks for remote monitoring and management.

Attack Chain

In an incident investigated by managed detection and response provider Blackpoint, attackers exploited the vulnerability to establish an authenticated technician session on an internet-facing SimpleHelp server. That foothold gave them a trusted administrative channel capable of transferring files and executing commands across all systems managed through the server.

The attackers then downloaded TaskWeaver, disguised as an obfuscated JavaScript file named jquery.js, from a temporary Cloudflare domain. TaskWeaver is a generic loader that fingerprints the compromised host and communicates with command-and-control infrastructure to receive and execute additional JavaScript modules. It subsequently installs Djinn Stealer on the target system.

What Djinn Stealer Collects

Djinn Stealer is a cross-platform infostealer supporting Windows, macOS, and Linux. Blackpoint’s Adversary Pursuit Group notes a particular focus on developer and AI development tooling. In a single collection pass, the malware targets:

  • Cloud and infrastructure credentials: cloud provider keys, identity services, deployment platforms, Terraform, Pulumi, HashiCorp Vault, Helm, and Docker credentials.
  • Source control and package registries: Git configuration, GitHub CLI, SSH keys, and authentication tokens for npm, Yarn, pnpm, Cargo, Maven, Gradle, pip, and NuGet.
  • AI coding assistant configuration: Model Context Protocol (MCP) settings and session tokens for tools including Claude, Gemini, Codex, Cline, OpenCode, and Kilo, stored in files such as ~/.claude/mcp.json.
  • Cryptocurrency wallets: keystores for Bitcoin, Litecoin, Dogecoin, Ethereum, Monero, Zcash, Exodus, Atomic Wallet, and Electrum desktop clients.
  • System and browser data: shell history, SSH configuration, PGP keys, database client configuration, browser credentials, and general user files.

On Linux systems, the malware additionally reads /proc/<pid>/cmdline and /proc/<pid>/environ to extract secrets such as API keys, session tokens, and credentials from running process environments.
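A defender-side exposure check for the /proc technique described above, added here as an example and not taken from Blackpoint's report. It lists which running processes carry secret-looking environment variable names (names only, never values), so those secrets can be moved out of process environments or rotated. The name pattern and the sample data are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed name heuristic (not from the article); tune it for your environment.
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|ACCESS_KEY|CREDENTIAL", re.I)

def secret_names(environ_bytes):
    """Names (never values) of NUL-separated KEY=VALUE entries that look like secrets."""
    names = set()
    for entry in environ_bytes.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and value and SECRET_NAME.search(name.decode("utf-8", "replace")):
            names.add(name.decode("utf-8", "replace"))
    return sorted(names)

def audit_proc(proc_root="/proc"):
    """Map pid -> (command line, secret-looking variable names) for readable processes."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "environ"), "rb") as fh:
                names = secret_names(fh.read())
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmd = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:  # process exited, or belongs to another user
            continue
        if names:
            findings[int(pid)] = (cmd, names)
    return findings

def sample_findings():
    """Run the audit over a constructed stand-in for /proc (all values are fake)."""
    samples = {
        "101": (b"node\0server.js\0", b"PATH=/usr/bin\0NPM_TOKEN=constructed-value\0"),
        "102": (b"bash\0", b"HOME=/home/dev\0LANG=C\0"),
        "103": (b"python3\0deploy.py\0", b"AWS_SECRET_ACCESS_KEY=constructed\0API_KEY=\0"),
    }
    with tempfile.TemporaryDirectory() as root:
        for pid, (cmdline, environ) in samples.items():
            os.makedirs(os.path.join(root, pid))
            for fname, data in (("cmdline", cmdline), ("environ", environ)):
                with open(os.path.join(root, pid, fname), "wb") as fh:
                    fh.write(data)
        return audit_proc(root)

if __name__ == "__main__":
    for pid, (cmd, names) in sorted(audit_proc().items()):
        print(pid, cmd, ", ".join(names), sep="\t")
```

Run it as the account being assessed; processes owned by other users are skipped unless it runs as root.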

The MCP Risk

Blackpoint researchers highlight a compounding risk from the theft of MCP configuration data. Many AI coding assistants use MCP to connect to external resources including source repositories, cloud accounts, databases, and internal APIs on the developer’s behalf. Stealing those stored tokens grants an attacker the same downstream access the developer granted to their AI agent, potentially extending the breach well beyond the AI service itself.

Recommended Actions

Organizations running SimpleHelp should patch immediately, prioritizing servers exposed to the internet and those using OIDC authentication. Federal civilian agencies are required to remediate KEV catalog vulnerabilities under Binding Operational Directive 26-04. All organizations should also audit for signs of compromise prior to patching, as BOD 26-04 establishes expectations around checking whether attackers accessed systems before a patch was applied.