Attackers Exploit SimpleHelp Flaw to Steal Info from AI Coding Assistants, Clouds

Threat actors are exploiting a known security flaw in the SimpleHelp remote monitoring and management (RMM) software to drop two previously unknown pieces of malware that can compromise a broad range of systems and steal massive amounts of sensitive data.

Researchers with Blackpoint Cyber’s Adversary Pursuit Group said they detected an intrusion in which the adversaries abused a critical authentication bypass vulnerability — tracked as CVE-2026-48558 — to obtain an authenticated technician session without valid credentials on an internet-facing SimpleHelp server.

“The compromised RMM platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server,” Nevan Beal, principal managed detection and response (MDR) analyst with Blackpoint, and Sam Decker, threat intelligence engineer, wrote in a report.

The bad actors followed that by deploying TaskWeaver, a modular and highly obfuscated Node.js loader that they used to fingerprint the compromised developer system and establish communications with the command-and-control (C2) infrastructure. From there, they retrieved and executed other JavaScript payloads that came with full access to the Node.js runtime.

Enter Djinn Stealer

The second-stage payload TaskWeaver delivered was Djinn Stealer, malware that in a single pass grabbed everything of value, including a broad range of developer information.

Key among the targets were tokens from AI coding assistants, which can give attackers everything the AI can access, from repositories to databases to cloud accounts, meaning a breach can stretch farther than the AI tool itself. The credentials for AI development tools give attackers “a foothold to tamper with the very pipelines teams are building on,” they wrote.

Djinn Stealer came with what they called “an unusually broad set of collection rules for AI-assisted development tools.” It targeted configuration, authentication, session, and project data from Anthropic’s Claude model, Google’s Gemini, and OpenAI’s Codex, as well as open source code assistants Cline, OpenCode, and Kilo.

Container, Repository Info Targeted

“Developer and deployment targets included GitHub CLI data, Git configuration, SSH keys, Docker authentication, Helm registry information, S3 and MinIO client configurations, and Subversion credentials,” the researchers wrote.

Other targets were package registry and build-tool credentials for high-profile code repositories like npm and PyPI, as well as pnpm, Yarn, NuGet, Cargo, Composer, Maven, Gradle, pip, Conda, Bun, Ivy, and Scala Build Tool. Such credentials can let bad actors access private packages, alter dependencies, or publish malicious software under a trusted organization or developer identity, they wrote.

“Many of these tools rely on the Model Context Protocol (MCP) to connect an AI assistant to external tools and data on the developer’s behalf, including source repositories, databases, cloud accounts, and internal APIs,” the researchers wrote.

Cloud Credentials Stolen

Cloud and infrastructure information, such as cloud credentials, SSH keys, and infrastructure secrets, was also targeted, as was access that controls software, like source control tokens and package registry authentication, which Beal and Decker wrote opens an avenue to possible supply-chain compromise.

Other information Djinn Stealer grabs includes “cryptocurrency wallets, and the browser data, saved sessions, and shell history flowing through the system,” they wrote.

“The breadth of the targeted data expanded the compromise beyond the RMM environment, creating potential exposure across cloud services, identity systems, software supply chains, AI development tooling and multiple customer tenants,” they added.

RMM Software a Gateway to Multiple Systems

The attack reflects the trend of attackers targeting RMM software, which gives them a single point through which they can gain privileged administrative access to multiple machines at the same time. Because RMMs are legitimate tools, attackers can also blend their activity in with normal network traffic and bypass security controls.

In Huntress' 2026 Cyber Threat Report, released earlier this year, researchers found that the abuse of RMM tools jumped 277% year-over-year last year and accounted for 24% of the incidents they observed.

The security flaw targeted by the adversaries impacts the OpenID Connect authentication process in some SimpleHelp deployments. Servers with OIDC accept an identity token without verifying the cryptographic signature, which allows the attacker to establish an authenticated technician session.
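What skipping signature verification means in practice, as an added illustration (generic code written for this explanation, not SimpleHelp's implementation and not taken from the Blackpoint report): the first function trusts an ID token's claims without checking the signature, while the second pins RS256, verifies the signature against the identity provider's public key, and then checks issuer, audience and expiry. The key pair, issuer URL, audience and subject names are constructed sample values.

```javascript
const crypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Constructed identity-provider key pair and claims (sample values, not from the report).
const idp = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISSUER = 'https://idp.example.test';
const AUDIENCE = 'rmm-server';

function signToken(claims, privateKey) {
  const head = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify(claims));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// Weak pattern: claims are trusted straight out of the payload segment.
function decodeWithoutVerifying(token) {
  return parse(token.split('.')[1]);
}

// Hardened pattern: pin the algorithm, verify the signature, then check claims.
function verifyIdToken(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  if (parse(head).alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${head}.${body}`),
    publicKey, Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = parse(body);
  if (claims.iss !== ISSUER) throw new Error('wrong issuer');
  if (claims.aud !== AUDIENCE) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Returns the rejection reason, or null when the token is accepted.
function rejects(token, publicKey) {
  try { verifyIdToken(token, publicKey); return null; } catch (e) { return e.message; }
}

const exp = Math.floor(Date.now() / 1000) + 300;
const genuine = signToken({ iss: ISSUER, aud: AUDIENCE, sub: 'tech-01', exp }, idp.privateKey);
// Same header and signature as the genuine token, payload swapped for another subject.
const [h, , s] = genuine.split('.');
const altered = `${h}.${b64u(JSON.stringify({ iss: ISSUER, aud: AUDIENCE, sub: 'admin', exp }))}.${s}`;
console.log(decodeWithoutVerifying(altered).sub, '|', rejects(altered, idp.publicKey));
```

The decode-only path returns whatever subject the payload names, while the verifying path refuses the same token because the signature no longer matches the signed bytes.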

After TaskWeaver is deployed, Djinn Stealer comes in and reuses TaskWeaver’s obfuscation framework, embedding the same RSA public key, which links the two together, Beal and Decker wrote. Djinn Stealer targeted Windows, macOS, and Linux systems.

‘Beyond Conventional Browser Credential Theft’

“Djinn Stealer’s collection rules extended far beyond conventional browser credential theft,” the researchers wrote. “It searched for configuration and authentication data associated with AWS [Amazon Web Services], Azure, Google Cloud, Oracle Cloud Infrastructure, Okta, Cloudflare, DigitalOcean, Linode, Heroku, Vercel, Railway, Supabase, Pulumi, Terraform, HashiCorp Vault, Consul, and numerous additional cloud services.”

The crypto wallets in Djinn Stealer’s crosshairs range from Bitcoin and Dogecoin to Monero, Ethereum and others.

“This intrusion demonstrates how quickly a vulnerability in trusted management infrastructure can move beyond the affected server,” Beal and Decker wrote. “Exploitation of CVE-2026-48558 did not merely provide access to a SimpleHelp console. It gave the attacker a legitimate administrative pathway into managed systems. … The most damaging outcome may therefore occur after the original endpoint has been isolated.”
