SimpleHelp bug CVE-2026-48558 used to deploy Djinn Stealer malware

Summary
– Attackers are exploiting CVE-2026-48558, a patched authentication bypass vulnerability in SimpleHelp RMM, to deploy the novel Djinn Stealer malware.
– The malware targets Windows, macOS, and Linux systems, stealing credentials from cloud platforms, source control, AI assistants, SSH, and cryptocurrency wallets.
– Exploitation involves using a SimpleHelp technician session to deploy a heavily obfuscated JavaScript file (jquery.js) as a loader, which then delivers Djinn Stealer.
– Djinn Stealer collects a wide range of sensitive data, including cloud service configs, GitHub CLI data, package registry credentials, AI tool data, and cryptocurrency wallet files.
– CISA added CVE-2026-48558 to its Known Exploited Vulnerabilities catalog, requiring US federal agencies to patch by July 7 and perform forensic triage.
Attackers are actively weaponizing CVE-2026-48558, a recently patched authentication bypass vulnerability in SimpleHelp RMM, to deploy a new information-stealing malware dubbed Djinn Stealer across compromised systems. The campaign targets Windows, macOS, and Linux environments, with the malware designed to harvest a broad spectrum of sensitive credentials.
According to researchers at BlackPoint Cyber, Djinn Stealer “collects credentials associated with cloud platforms, source control, package registries, infrastructure tooling, AI development assistants, browsers, SSH, and cryptocurrency wallets.” The discovery highlights how trusted remote management tools can be turned into vectors for large-scale data theft.
CVE-2026-48558 was initially identified by Horizon3.ai researchers and publicly disclosed on June 12, 2026, accompanied by a technical write-up and indicators of compromise. Just over two weeks later, on June 29, BlackPoint Cyber’s Adversary Pursuit Group issued an urgent warning: attackers had already begun exploiting the flaw. By bypassing SimpleHelp’s OIDC authentication on an internet-facing server, they obtained a technician session. This access allowed them to transfer files and execute malware remotely across managed systems.
Rather than relying on conventional phishing attachments or standalone exploits, the operators used the RMM platform itself as a delivery mechanism. “This provided a trusted execution path and allowed activity to inherit the appearance of an authorized support session,” explained researchers Nevan Beal and Sam Decker. The attacker deployed a heavily obfuscated JavaScript file named jquery.js, retrieved from a temporary Cloudflare-hosted URL and executed through node.exe. The 1.08 MB, single-line payload was designed to mimic the legitimate jQuery library but was in fact a Node.js loader.
That loader, called TaskWeaver, performed host fingerprinting and relayed system information back to the attackers. Based on that data, the final payload, Djinn Stealer, was delivered. BlackPoint Cyber noted that Djinn Stealer “reuses TaskWeaver’s obfuscation framework and embeds the identical RSA public key, firmly linking the two together.”
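The delivery chain above (a Node.js loader saved under the name of a browser library and run with node.exe from inside a remote support session) is a pattern a defender can look for in process-creation telemetry. The following is an added example, not code from BlackPoint Cyber or Horizon3.ai. It assumes a constructed `parent|image|command line` log format, and because the article does not name the SimpleHelp endpoint process, `RemoteSupport.exe` is a placeholder to replace with the real binary name. The on-disk check relies on the fact that genuine jQuery builds open with a `/*! jQuery v...` banner; a payload could forge that, so it is a triage aid rather than proof.

```python
"""Detection sketch for a Node.js loader dropped as jquery.js and launched by
node.exe under a remote support session. Added example; not vendor tooling.
Assumptions: constructed log format (parent|image|cmdline) and a placeholder
parent process name for the SimpleHelp endpoint agent."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

NODE_BIN = re.compile(r"(^|[\\/])node(\.exe)?$", re.IGNORECASE)
# Common staging directories for dropped scripts.
STAGING_DIRS = re.compile(r"[\\/](temp|tmp|downloads)[\\/]", re.IGNORECASE)
# Placeholder parent process name (assumption; the article does not name it).
REMOTE_SUPPORT_PARENTS = {"remotesupport.exe"}

# Constructed sample records; the second line models the reported chain.
SAMPLE_LOG = """\
explorer.exe|C:\\Program Files\\nodejs\\node.exe|"C:\\Program Files\\nodejs\\node.exe" C:\\dev\\app\\server.js
RemoteSupport.exe|C:\\Windows\\Temp\\node.exe|node.exe C:\\Windows\\Temp\\jquery.js
chrome.exe|C:\\Program Files\\Google\\Chrome\\chrome.exe|chrome.exe --type=renderer
"""


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    parent, image, cmdline = line.split("|", 2)
    return ProcEvent(parent.strip(), image.strip(), cmdline.strip())


def script_path(cmdline: str) -> Optional[str]:
    """First whitespace-separated token ending in .js (surrounding quotes stripped)."""
    for tok in cmdline.split():
        tok = tok.strip("\"'")
        if tok.lower().endswith(".js"):
            return tok
    return None


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def flag_event(ev: ProcEvent) -> List[str]:
    """Return the reasons an event is suspicious (empty list means not flagged)."""
    reasons: List[str] = []
    if not NODE_BIN.search(ev.image):
        return reasons
    script = script_path(ev.cmdline)
    if script is None:
        return reasons
    if basename(script).lower() == "jquery.js":
        # jQuery is a browser library; executing it under Node is itself odd.
        reasons.append("browser library name jquery.js executed by Node")
    if STAGING_DIRS.search(script):
        reasons.append("script launched from a temp/download directory")
    if ev.parent.lower() in REMOTE_SUPPORT_PARENTS:
        reasons.append("Node spawned under a remote support session")
    return reasons


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Return (command line, reasons) for every flagged record."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = flag_event(ev)
        if reasons:
            hits.append((ev.cmdline, reasons))
    return hits


def fake_jquery_indicators(content: bytes) -> List[str]:
    """Cheap on-disk check for a file named jquery.js. Genuine jQuery builds open
    with a '/*! jQuery v...' banner; the reported payload was a ~1 MB single line.
    A payload could forge the banner, so treat this as triage, not proof."""
    indicators = []
    if b"jQuery" not in content[:256]:
        indicators.append("no jQuery banner in file header")
    if len(content) > 500_000 and content.count(b"\n") <= 1:
        indicators.append("single-line file over 500 KB")
    return indicators


if __name__ == "__main__":
    for cmdline, reasons in scan_log(SAMPLE_LOG):
        print(cmdline)
        for r in reasons:
            print("  -", r)
```

Any one reason on its own produces noise (developers legitimately run Node from temp directories); the useful signal is the combination, and the parent-process check only works once the placeholder is mapped to the actual SimpleHelp agent name on the endpoint.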
Djinn Stealer targets an extensive array of sensitive information, including:
- Cloud platform credentials for AWS, Azure, Google Cloud, Oracle Cloud Infrastructure, Okta, Cloudflare, DigitalOcean, Linode, Heroku, Vercel, Railway, Supabase, Pulumi, Terraform, HashiCorp Vault, Consul, and more.
Researchers did not confirm whether the compromised SimpleHelp instance belonged to a managed services provider, but they strongly advised MSPs to patch and restrict SimpleHelp immediately and investigate for signs of prior exploitation.
“The most damaging outcome may occur after the original endpoint has been isolated,” they warned. “A stolen cloud key, package publishing token, source-control session, SSH key, or AI integration credential can preserve access independently of the compromised RMM server. These credentials can allow an attacker to re-enter the environment through trusted services, alter software, access production data, or pivot into customer tenants without redeploying the original malware.”
CISA has added CVE-2026-48558 to its Known Exploited Vulnerabilities catalog. Under the BOD 26-04 directive, U.S. federal civilian agencies are required to apply mitigations by July 7 and conduct forensic triage on affected systems.
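The warning above is that isolating the endpoint does not revoke what was already taken, so forensic triage has to produce a rotation list of the long-lived secrets that were present on the host. The script below is an added example of that inventory step, not BlackPoint Cyber's tooling. The file locations are the documented defaults of the respective tools (AWS CLI, Azure CLI, gcloud, GitHub CLI, git, npm, pip/twine, Terraform, kubectl, Docker, Vault) under a Unix-style home directory, not paths the article attributes to Djinn Stealer; AI assistant and wallet locations are left out because the article names none. The sample home directory it builds contains only placeholder strings.

```python
"""Post-compromise credential inventory: which long-lived secrets existed on
the host, grouped by the credential classes the article lists, so each can be
rotated at the issuing service. Added example; not vendor code.
Assumption: tool-default file locations (Unix-style home layout), not paths
reported for the malware."""
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List

CREDENTIAL_LOCATIONS: Dict[str, List[str]] = {
    "cloud": [
        ".aws/credentials",
        ".azure/msal_token_cache.json",
        ".config/gcloud/credentials.db",
        ".config/gcloud/application_default_credentials.json",
    ],
    "source control": [".config/gh/hosts.yml", ".git-credentials"],
    "package registries": [".npmrc", ".pypirc"],
    "infrastructure tooling": [
        ".terraformrc", ".kube/config", ".docker/config.json", ".vault-token",
    ],
}


@dataclass
class Finding:
    category: str
    path: Path
    modified: datetime


def _mtime(p: Path) -> datetime:
    return datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)


def inventory(home: Path) -> List[Finding]:
    """List credential files that exist under ``home``, by category."""
    findings: List[Finding] = []
    for category, rel_paths in CREDENTIAL_LOCATIONS.items():
        for rel in rel_paths:
            p = home / rel
            if p.is_file():
                findings.append(Finding(category, p, _mtime(p)))
    ssh_dir = home / ".ssh"
    if ssh_dir.is_dir():
        # Private keys only; the matching .pub files are not secrets.
        for p in sorted(ssh_dir.glob("id_*")):
            if p.is_file() and p.suffix != ".pub":
                findings.append(Finding("ssh", p, _mtime(p)))
    return findings


def rotation_checklist(findings: List[Finding]) -> List[str]:
    """One actionable line per secret: revoke at the issuer, not just delete the file."""
    return [
        f"[{f.category}] rotate/revoke: {f.path} (modified {f.modified:%Y-%m-%d})"
        for f in findings
    ]


def build_constructed_home() -> Path:
    """Throwaway home directory with placeholder files (constructed; no real secrets)."""
    home = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    (home / ".aws").mkdir()
    (home / ".aws" / "credentials").write_text("[default]\naws_access_key_id = PLACEHOLDER\n")
    (home / ".ssh").mkdir()
    (home / ".ssh" / "id_ed25519").write_text("PLACEHOLDER PRIVATE KEY\n")
    (home / ".ssh" / "id_ed25519.pub").write_text("PLACEHOLDER PUBLIC KEY\n")
    (home / ".npmrc").write_text("//registry.npmjs.org/:_authToken=PLACEHOLDER\n")
    return home


if __name__ == "__main__":
    for line in rotation_checklist(inventory(build_constructed_home())):
        print(line)
```

Run it against each user profile on the affected host (pointing `inventory` at the real home directory) and treat every line as a credential to revoke at its issuer; the modification date helps decide which keys were live during the exposure window, but a stale file still holds a valid secret until it is rotated.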