
SimpleHelp CVE-2026-48558 Exploited to Deploy TaskWeaver and Djinn Stealer Malware

June 30, 2026

An unknown threat actor is exploiting CVE-2026-48558, a critical authentication bypass vulnerability in SimpleHelp (CVSS 10.0), to deliver two new malware families: TaskWeaver and Djinn Stealer. The flaw, discovered by Horizon3.ai, affects SimpleHelp servers using OpenID Connect (OIDC) or Azure AD OIDC, allowing unauthenticated attackers to forge tokens and obtain a fully authenticated Technician session. This session can bypass MFA and perform privileged actions like remote access and script execution.

Blackpoint Cyber reported that attackers used this access to deploy TaskWeaver, a heavily obfuscated Node.js loader delivered as jquery.js and executed via node.exe. TaskWeaver establishes encrypted communications with a remote server (a.dev-tunnels[.]com) and retrieves additional payloads. The second stage, Djinn Stealer, targets Windows, macOS, and Linux systems, harvesting credentials from cloud platforms (AWS, Azure, Google Cloud, Oracle Cloud, Okta, Cloudflare, DigitalOcean, Linode, Heroku, Vercel, Railway, Supabase, Pulumi, Terraform, HashiCorp Vault, Consul), source control (GitHub CLI, Git, SSH, Docker, Helm, S3, MinIO, Subversion), package registries (npm, pnpm, Yarn, NuGet, Cargo, Composer, Maven, Gradle, pip, PyPI, Conda, Bun, Ivy, Scala Build Tool), AI development assistants (Anthropic Claude, Google Gemini, OpenAI Codex, Cline, OpenCode, Kilo), browsers, and cryptocurrency wallets (Bitcoin, Litecoin, Dogecoin, Dash, Ethereum, Monero, Zcash, Exodus, Atomic Wallet, Electrum). On Linux, it reads /proc/[pid]/cmdline and /proc/[pid]/environ for sensitive data.

Collected data is packed into a TAR archive, GZIP compressed, encrypted with AES-256-GCM (key protected by RSA-2048), and exfiltrated to 96.126.130[.]126:58942. The campaign highlights how attackers abuse AI-powered platforms and RMM tools to access sensitive enterprise data. CISA has added CVE-2026-48558 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by July 2, 2026.
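The two paragraphs above give a defender four concrete things to look for: node.exe launching a script named jquery.js, DNS resolution of the dev-tunnels host, a process on Linux sweeping other processes' /proc/[pid]/cmdline and /proc/[pid]/environ, and outbound traffic to 96.126.130.126:58942. The following added example, which is not from Blackpoint Cyber or any vendor, runs those four checks over a constructed stream of endpoint telemetry (process, DNS, network and file-read events in a simple dict format that is an assumption of this example, not any product's schema). The sweep threshold of three foreign PIDs is also an assumption; the dev-tunnels rule is rated medium because the same domain suffix carries legitimate developer traffic.

```python
import re
from collections import defaultdict

# Indicators taken from the report above, with the defanging brackets removed.
EXFIL_ENDPOINTS = {("96.126.130.126", 58942)}
C2_DOMAIN_SUFFIXES = (".dev-tunnels.com",)
LOADER_SCRIPT_NAMES = {"jquery.js"}
# Assumption for this example: one process reading /proc entries of this many
# other processes is treated as a credential sweep rather than normal tooling.
PROC_SWEEP_THRESHOLD = 3

PROC_RE = re.compile(r"^/proc/(\d+)/(cmdline|environ)$")


def _basename(path: str) -> str:
    """Last path component, tolerant of Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule, severity, (host, pid), detail) tuples for matching events."""
    alerts = []
    proc_reads = defaultdict(set)   # (host, pid) -> set of other PIDs it read
    for ev in events:
        key = (ev["host"], ev["pid"])
        kind = ev["type"]
        if kind == "process":
            image = _basename(ev["image"])
            args = {_basename(tok) for tok in ev["cmdline"].split()}
            # Node runtime executing a script that borrows a library's name.
            if image == "node.exe" and LOADER_SCRIPT_NAMES & args:
                alerts.append(("node_runs_library_named_script", "high", key, ev["cmdline"]))
        elif kind == "dns":
            query = ev["query"].lower().rstrip(".")
            if query.endswith(C2_DOMAIN_SUFFIXES):
                alerts.append(("dns_dev_tunnels", "medium", key, query))
        elif kind == "net":
            if (ev["dst_ip"], ev["dst_port"]) in EXFIL_ENDPOINTS:
                alerts.append(("known_exfil_endpoint", "high", key,
                               f"{ev['dst_ip']}:{ev['dst_port']}"))
        elif kind == "file_read":
            m = PROC_RE.match(ev["path"])
            # Reading your own /proc entry is normal; count only other PIDs.
            if m and int(m.group(1)) != ev["pid"]:
                proc_reads[key].add(int(m.group(1)))
    for key, targets in proc_reads.items():
        if len(targets) >= PROC_SWEEP_THRESHOLD:
            alerts.append(("proc_environ_sweep", "medium", key,
                           f"read cmdline/environ of {len(targets)} other processes"))
    return alerts


# Constructed telemetry: one infected Windows host, one benign Node developer
# process on the same host, and a Linux server where a process sweeps /proc.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "pid": 4412,
     "image": r"C:\Users\tech\AppData\Local\Temp\node.exe",
     "cmdline": r"node.exe C:\Users\tech\AppData\Local\Temp\jquery.js"},
    {"type": "process", "host": "ws01", "pid": 5120,
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r"node.exe build.js"},
    {"type": "dns", "host": "ws01", "pid": 4412, "query": "a.dev-tunnels.com"},
    {"type": "dns", "host": "ws01", "pid": 5120, "query": "registry.npmjs.org"},
    {"type": "net", "host": "ws01", "pid": 4412,
     "dst_ip": "96.126.130.126", "dst_port": 58942},
    {"type": "file_read", "host": "srv02", "pid": 7001, "path": "/proc/7001/environ"},
    {"type": "file_read", "host": "srv02", "pid": 7001, "path": "/proc/1203/environ"},
    {"type": "file_read", "host": "srv02", "pid": 7001, "path": "/proc/1355/cmdline"},
    {"type": "file_read", "host": "srv02", "pid": 7001, "path": "/proc/2810/environ"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The exfil endpoint and loader name are brittle indicators that the operator can change between victims; the behavioural rules (a Node runtime launched from a user-writable directory with a library-named script, and one process reading many other processes' environment blocks) are the ones worth keeping after the indicators rotate.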

CVEs: CVE-2026-48558, CVE-2026-20245

Attack groups: Unknown threat actor

Malware: TaskWeaver, Djinn Stealer

Companies: SimpleHelp, Blackpoint Cyber, Horizon3.ai, CISA

Products: SimpleHelp, TaskWeaver, Djinn Stealer