An unknown threat actor is actively exploiting a critical authentication bypass vulnerability in SimpleHelp, deploying two previously undocumented malware families: a tool tracked as TaskWeaver and an infostealer called Djinn Stealer.
The Vulnerability
The flaw at the center of the attacks is CVE-2026-48558, which carries a maximum CVSS score of 10.0. The vulnerability resides in SimpleHelp’s OpenID Connect (OIDC) authentication flow and can be exploited by unauthenticated attackers, making it a high-value target for initial access.
Malware Delivered
Once attackers gain access via the authentication bypass, they deploy two distinct payloads. TaskWeaver appears to serve as a post-exploitation framework or loader component, while Djinn Stealer is an infostealer focused on harvesting credentials. According to reporting from Dark Reading, Djinn Stealer specifically targets credentials associated with cloud services and AI platforms, positioning it as a tool designed to pivot from compromised endpoints into broader development and administrative environments.
Why This Matters
SimpleHelp is a remote support and access platform, meaning compromised instances can provide attackers with direct footholds into managed endpoints across an organization. The combination of a maximum-severity authentication bypass with credential-stealing malware that targets cloud and AI service tokens is particularly dangerous for enterprises running hybrid or cloud-native infrastructure.
- CVE-2026-48558: Authentication bypass in the OIDC flow, CVSS 10.0
- TaskWeaver: Previously unreported malware delivered post-exploitation
- Djinn Stealer: Infostealer targeting cloud and AI credentials
Recommended Actions
Organizations running SimpleHelp should prioritize patching CVE-2026-48558 immediately given its maximum severity rating and confirmed active exploitation. Security teams should also audit logs for unauthorized OIDC authentication attempts and review stored credentials for cloud and AI services on any potentially exposed systems.
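The log audit recommended above can be partly automated. The following is an added example, not code from SimpleHelp or from the original report, and it assumes a constructed line-oriented log format (`timestamp event key=value ...`) rather than SimpleHelp's actual log layout, which the article does not describe. It flags OIDC sign-ins that completed without a preceding authorization request, that came from an issuer outside a trusted allowlist, or whose flow took implausibly long or changed source address; the allowlist and the time bound are assumptions to be adapted to the deployment.

```python
"""Scan authentication log lines for suspicious OIDC sign-ins.

Added example. The log format below is CONSTRUCTED and does not reflect
SimpleHelp's real logs; adapt parse_line() to the real layout.
Each line: "<ISO timestamp> <event> <key=value> ..."
"""
from __future__ import annotations

import shlex
from datetime import datetime, timedelta

# Constructed sample log lines in the hypothetical format.
SAMPLE_LOG = """\
2026-05-01T09:00:01Z oidc.auth_request state=abc123 issuer=https://login.example.com src=10.0.0.5
2026-05-01T09:00:04Z oidc.login_success state=abc123 issuer=https://login.example.com sub=alice src=10.0.0.5
2026-05-01T09:10:00Z oidc.login_success state=zzz999 issuer=https://login.example.com sub=admin src=198.51.100.7
2026-05-01T09:12:30Z oidc.login_success state=def456 issuer=https://evil-idp.invalid sub=admin src=198.51.100.7
2026-05-01T09:20:00Z oidc.auth_request state=ghi789 issuer=https://login.example.com src=10.0.0.9
2026-05-01T09:45:00Z oidc.login_success state=ghi789 issuer=https://login.example.com sub=bob src=10.0.0.9
"""

TRUSTED_ISSUERS = {"https://login.example.com"}  # assumption: the org's only IdP
MAX_FLOW_AGE = timedelta(minutes=10)  # assumption: a normal login completes within this


def parse_line(line: str) -> dict:
    """Split one log line into a record with a parsed timestamp and key=value fields."""
    ts, event, *fields = shlex.split(line)
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_suspicious_logins(log_text: str) -> list[dict]:
    """Return login_success records that look like they skipped or abused the OIDC flow."""
    pending: dict[str, dict] = {}  # state value -> auth_request record
    findings: list[dict] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["event"] == "oidc.auth_request":
            pending[rec["state"]] = rec
        elif rec["event"] == "oidc.login_success":
            reasons = []
            req = pending.pop(rec.get("state", ""), None)
            if req is None:
                # A success with no prior authorization request is the signature
                # of a flow that was never actually started by this server.
                reasons.append("no matching auth_request for state")
            else:
                if rec["ts"] - req["ts"] > MAX_FLOW_AGE:
                    reasons.append("flow completed after MAX_FLOW_AGE")
                if req.get("src") != rec.get("src"):
                    reasons.append("source address changed mid-flow")
            if rec.get("issuer") not in TRUSTED_ISSUERS:
                reasons.append("issuer not in TRUSTED_ISSUERS")
            if reasons:
                findings.append({**rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG):
        print(hit["ts"].isoformat(), hit.get("sub"), hit.get("src"), "; ".join(hit["reasons"]))
```

Run against the constructed sample, the script reports the two `admin` sign-ins (one with no authorization request, one additionally from an untrusted issuer) and the `bob` sign-in that completed 25 minutes after its request; the `alice` login passes. A hit is a lead for review, not proof of compromise, and the real value comes from matching on the state parameter across request and completion events, which a bypass that mints a session directly cannot satisfy.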
