
Critical Vulnerability in SimpleHelp Actively Exploited: Large-Scale Data Theft Underway via TaskWeaver and Djinn Stealer Malware!
Another extremely dangerous threat has been discovered in the cybersecurity landscape. Unknown cybercriminals are actively exploiting the critical vulnerability CVE-2026-48558, found in the SimpleHelp Remote Monitoring and Management (RMM) platform, to deploy new malware strains named TaskWeaver and Djinn Stealer onto devices.
This vulnerability has a CVSS severity score of 10.0, placing it among the highest-risk vulnerabilities. According to experts, an attacker who successfully exploits this vulnerability can authenticate to the system as a “Technician” user with full privileges, without possessing any legitimate account credentials. As a result, they gain the ability to utilize remote management functions, transfer files to devices, execute commands, and launch malicious software.
The Nature of the Vulnerability
The issue stems from a flaw in the validation mechanism during the OpenID Connect (OIDC) authentication process. Due to this vulnerability, an unauthenticated attacker can create a token containing forged identification data, trick the system, and register themselves as a legitimate technical staff member.
One of the most concerning aspects is that even if multi-factor authentication (MFA) is enabled on the server for technical staff, this vulnerability allows attackers to bypass this protective mechanism. This is because the system permits new technician users to independently register their MFA method upon first login.
How Is the Attack Carried Out?
According to the analysis, attackers identify an Internet-accessible SimpleHelp server and exploit CVE-2026-48558 to bypass authentication. They then create a “Technician” session within the system and leverage the trusted management capabilities of the RMM platform.
As a result, attackers can:
- transfer files to managed devices;
- execute commands remotely;
- launch malicious software;
- download additional malicious payloads.
In this campaign, TaskWeaver is deployed first, followed by Djinn Stealer.
TaskWeaver — A Covert Loader
TaskWeaver is a heavily obfuscated Node.js-based loader. It is typically distributed under the name jquery.js and executed through the node.exe process.
This malware:
- collects system information;
- identifies device configuration;
- establishes encrypted communication with a remote command-and-control server;
- downloads and executes additional JavaScript payloads;
- dynamically loads subsequent malicious components.
This approach allows attackers to update the malicious code at any time and evade antivirus systems.
Djinn Stealer — A Comprehensive Data Stealer
The second stage, loaded by TaskWeaver, is Djinn Stealer, which targets Windows, Linux, and macOS operating systems.
The malware is designed to collect a wide range of confidential information belonging to users and administrators.
Specifically, it attempts to steal:
- login credentials and passwords stored in browsers;
- cookie files;
- browser history;
- bookmarks;
- SSH keys;
- Git configuration;
- GitHub CLI data;
- Docker authentication files;
- Helm registry data;
- configurations for cloud platforms — AWS, Microsoft Azure, Google Cloud, Oracle Cloud, Cloudflare, and others;
- authentication data for infrastructure tools such as Terraform, HashiCorp Vault, and Consul;
- tokens for package managers — npm, Yarn, pnpm, Maven, Gradle, pip, PyPI, Cargo, Composer, and others;
- project and authentication data for AI platforms and assistants;
- cryptocurrency wallets and their keys.
On Linux systems, the malware also checks the /proc/<pid>/cmdline and /proc/<pid>/environ files. These files often contain:
- API keys;
- access tokens;
- database connection strings;
- service passwords;
- secret environment variables.
How Is Stolen Data Transmitted?
All collected data is first packaged into TAR format, then compressed using the GZIP algorithm. After that, it is encrypted using the AES-256-GCM algorithm and protected with an RSA-2048 public key before being sent to servers controlled by the attackers.
This multi-stage encryption mechanism significantly complicates the detection of transmitted data through network monitoring tools.
AI Platforms Also Targeted
One notable feature of this campaign is the particular interest shown in modern artificial intelligence services.
Djinn Stealer searches for authentication and project data related to the following AI tools:
- Anthropic Claude;
- Google Gemini;
- OpenAI Codex;
- Cline;
- OpenCode;
- Kilo.
This indicates that attackers are targeting not only user accounts but also software development processes, code repositories, automated workflows, and enterprise AI services.
The Threat to Organizations
SimpleHelp is typically used for remote management of corporate infrastructure. Therefore, compromising a single RMM server can result in dozens or hundreds of client systems being placed at risk.
Using a single authentication token stored on an administrator’s computer, an attacker may gain access to:
- production environments;
- cloud infrastructure;
- CI/CD and DevOps systems;
- Git repositories;
- client infrastructures;
- internal corporate networks.
Thus, this vulnerability has a much broader impact than a simple authentication issue.
Protection Recommendations
Experts recommend taking the following measures as soon as possible:
- immediately update the SimpleHelp server to the latest version with security fixes released by the developer;
- urgently audit servers with OIDC authentication enabled;
- identify and remove unknown “Technician” accounts;
- analyze server and endpoint logs;
- check for unknown jquery.js files executed through Node.js processes;
- change passwords for all administrator and service accounts;
- rotate API keys and access tokens;
- regenerate SSH keys;
- conduct deep endpoint inspections using EDR/XDR solutions;
- manage RMM servers not through direct Internet exposure, but via VPN or networks protected on Zero Trust principles.
The CVE-2026-48558 vulnerability has once again demonstrated that a single authentication flaw in remote management platforms can pose a serious threat to an entire corporate infrastructure. The TaskWeaver and Djinn Stealer malware leverage this opportunity to steal not only user credentials and browser data but also confidential information related to cloud infrastructure, development environments, AI platforms, and cryptocurrency assets.
Therefore, it is critically important for organizations to regularly update their RMM platforms, strictly control authentication mechanisms, continuously monitor security incidents, and implement multi-layered protection measures based on Zero Trust principles.



