TL;DR
- what: An unknown threat actor is exploiting CVE-2026-48558, a CVSS 10.0 OIDC authentication bypass in SimpleHelp RMM, to forge fully authenticated Technician sessions and push the TaskWeaver loader and Djinn Stealer.
- impact: A single auth bypass becomes a trusted admin channel into everything managed endpoints can reach, with Djinn siphoning cloud, source-control, AI-assistant, SSH, and cryptocurrency credentials across Windows, macOS, and Linux.
- fix: Patch SimpleHelp per the vendor fix for CVE-2026-48558 before the July 2, 2026 CISA KEV deadline, audit OIDC and Technician accounts, and rotate any credentials reachable from managed hosts.
- who: Organizations running internet-facing SimpleHelp servers with generic OIDC or Azure AD OIDC authentication enabled, plus everyone whose credentials live on the endpoints those servers manage.
An unknown threat actor is actively exploiting CVE-2026-48558, a CVSS 10.0 authentication bypass in SimpleHelp, to take over internet-facing RMM servers and deploy two previously unreported malware families: a Node.js loader called TaskWeaver and a cross-platform infostealer called Djinn. CISA has added the flaw to its Known Exploited Vulnerabilities catalog, giving federal agencies until July 2, 2026 to patch.
The vulnerability lives in SimpleHelp's OpenID Connect (OIDC) flow. An unauthenticated attacker submits a forged token containing arbitrary identity claims and receives a fully authenticated "Technician" session. By default that Technician can remote into managed endpoints, execute scripts, and perform privileged management activities. In short, one forged token equals hands-on-keyboard access to every system the server manages.
Why the auth bypass is total
Horizon3.ai, which discovered the flaw, says it affects servers configured for either generic OIDC or Azure AD OIDC and stems from how SimpleHelp validates IdP assertions. Researcher Zach Hanley notes the attacker can register as a brand-new Technician user out of thin air. MFA does not save you: even when the server enforces MFA for technicians, first-login self-registration of an MFA method lets the attacker enroll their own factor and sail through.
⚠️ MFA does not stop this — Because technicians self-register their MFA method on first login, an attacker creating a fresh Technician account simply enrolls their own factor. Patching is the control, not MFA.
The intrusion chain
In the campaign documented by Blackpoint Cyber, the actor exploited a publicly accessible SimpleHelp server to obtain an authenticated Technician session, then used that trusted administrative channel to transfer files and execute commands on managed systems. TaskWeaver arrives as a heavily obfuscated Node.js loader disguised as jquery.js and runs through node.exe. Rather than a fixed command set, it implements an encrypted, reusable payload delivery channel: it fingerprints the host, establishes encrypted comms with a.dev-tunnels[.]com, and pulls down additional JavaScript with elevated access to the Node.js runtime.
Djinn Stealer: built to loot developers
The second stage, Djinn Stealer, runs on Windows, macOS, and Linux and is engineered for engineering shops. It targets browser credentials, history, and bookmarks, then moves into infrastructure tooling and developer secrets across a sweeping list of platforms.
- Cloud and infra: AWS, Azure, Google Cloud, Oracle Cloud, Okta, Cloudflare, DigitalOcean, Linode, Heroku, Vercel, Railway, Supabase, Pulumi, Terraform, HashiCorp Vault, Consul
- Source control and ops: GitHub CLI, Git config, SSH keys, Docker auth, Helm registries, S3/MinIO configs, Subversion
- Package registries: npm, pnpm, Yarn, NuGet, Cargo, Composer, Maven, Gradle, pip, PyPI, Conda, Bun, Ivy, sbt
- AI assistants: Anthropic Claude, Google Gemini, OpenAI Codex, Cline, OpenCode, Kilo
- Crypto wallets: Bitcoin, Litecoin, Dogecoin, Dash, Ethereum, Monero, Zcash, Exodus, Atomic Wallet, Electrum
On Linux, the malware also reads /proc//cmdline and /proc//environ to scrape passwords, API keys, access tokens, and database connection strings passed through command-line arguments or environment variables. Collected data is packed into a TAR archive, GZIP-compressed, encrypted with an AES-256-GCM key wrapped by an embedded RSA-2048 public key, and exfiltrated to 96.126.130[.]126:58942.
The AI angle and the real blast radius
The deliberate targeting of Claude, Gemini, Codex, Cline, and other AI development assistants signals where attackers see value now: AI tooling is embedded across enterprise workflows and carries privileges that reach sensitive data. But the broader lesson is older. As Blackpoint researchers put it, "a single authentication bypass became a pathway into everything the managed systems could reach." Credentials lifted from a developer or admin workstation open the door to production infrastructure, build pipelines, repos, deployment platforms, cloud tenants, and customer environments, long after the original endpoint is contained.
What to do now — Patch SimpleHelp for CVE-2026-48558 immediately, ahead of the July 2 KEV deadline. Pull internet-facing RMM consoles behind a VPN or allowlist, audit OIDC config and the Technician user list for unrecognized accounts, hunt for node.exe running jquery.js and connections to a.dev-tunnels[.]com or 96.126.130[.]126, and assume credential compromise: rotate cloud, Git, SSH, AI-tool, and registry secrets reachable from managed hosts.
RMM platforms are high-value precisely because they are trusted to reach everything. A CVSS 10.0 bypass on an internet-facing one is not a patch-next-cycle item. Treat any unpatched, OIDC-enabled SimpleHelp server as already compromised until proven otherwise.
Originally published on RedEye Threat Intelligence.
Top comments (0)