HelpnetSecurity

SimpleHelp vulnerability exploited to deliver mighty Djinn Stealer (CVE-2026-48558)


Attackers are exploiting CVE-2026-48558, a recently patched authentication bypass vulnerability in SimpleHelp RMM, to drop the novel Djinn Stealer malware on victim computers.

The malware is capable of targeting Windows, macOS, and Linux systems, and “collects credentials associated with cloud platforms, source control, package registries, infrastructure tooling, AI development assistants, browsers, SSH, and cryptocurrency wallets,” BlackPoint Cyber’s researchers discovered.

CVE-2026-48558 exploited

SimpleHelp is a remote monitoring and management (RMM) tool popular with managed services providers (MSPs) and organizations’ internal IT help desks.

CVE-2026-48558 was discovered by Horizon3.ai researchers and publicly disclosed on June 12, 2026, when they published a write-up with some details and indicators of compromise to look out for.

On June 29, researchers with BlackPoint Cyber’s Adversary Pursuit Group sounded the alarm: attackers have been using CVE-2026-48558 to bypass SimpleHelp OIDC authentication on an internet-facing SimpleHelp server.

They obtained a technician session and used it to transfer files and remotely execute malware across managed systems.

“Rather than deploying malware through a conventional phishing attachment or standalone exploit, the operator used the RMM platform to retrieve and launch the next stage of the intrusion. This provided a trusted execution path and allowed activity to inherit the appearance of an authorized support session,” researchers Nevan Beal and Sam Decker explained.

“The actor leveraged this access to mass deploy a heavily obfuscated JavaScript file named jquery.js, retrieved from a temporary Cloudflare hosted URL and executed through node.exe. The filename was selected to resemble the legitimate jQuery library, but the file was a 1.08 MB, single line, heavily obfuscated Node.js payload.”

The payload was TaskWeaver, a loader that “fingerprinted” the host and sent the information to the attackers so they could tailor the delivery of the final payload: the Djinn Stealer, which “reuses TaskWeaver’s obfuscation framework and embeds the identical RSA public key, firmly linking the two together.”
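As an added illustration, not code from the article or from BlackPoint, here is a first-pass triage heuristic in Python that scores a JavaScript file found on an endpoint against the traits reported for the jquery.js payload: a single line, about 1 MB, heavily obfuscated, and named after a library whose genuine releases open with a version banner. The thresholds, the regexes and both sample inputs are my own assumptions, not indicators from the report.

```python
import math
import re
from collections import Counter

# Traits reported for the jquery.js payload: a single line, ~1.08 MB, heavily
# obfuscated, named after the real library. Thresholds and regexes below are
# assumptions for a first-pass triage, not indicators from the report.
LARGE_SINGLE_LINE_BYTES = 500_000
OBFUSCATOR_IDENT = re.compile(rb"_0x[0-9a-f]{4,}")   # identifier style common in obfuscator output
HEX_ESCAPE = re.compile(rb"\\x[0-9a-fA-F]{2}")        # hex-escaped string literals
JQUERY_BANNER = re.compile(rb"^/\*!\s*jQuery v\d")    # genuine releases start with this banner


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, reported for context only; thresholds vary too much to score it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_js(filename: str, data: bytes) -> dict:
    """Score one JavaScript file against the reported traits; two or more hits is suspicious."""
    size = len(data)
    line_count = len(data.splitlines())
    per_kib = max(size / 1024, 1.0)
    named_jquery = filename.lower() == "jquery.js"
    flags = {
        "large_single_line": line_count <= 1 and size >= LARGE_SINGLE_LINE_BYTES,
        "jquery_name_without_banner": named_jquery and not JQUERY_BANNER.match(data),
        "obfuscator_identifiers": len(OBFUSCATOR_IDENT.findall(data)) / per_kib > 5,
        "dense_hex_escapes": len(HEX_ESCAPE.findall(data)) / per_kib > 20,
    }
    hits = sum(flags.values())
    return {**flags, "size_bytes": size, "lines": line_count,
            "entropy": round(shannon_entropy(data), 2),
            "hits": hits, "suspicious": hits >= 2}


# Constructed samples, not real files: a stub carrying the header of a genuine
# jQuery release, and a single-line blob built from obfuscator-style string tables.
LEGIT_JQUERY = (
    b"/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */\n"
    b'!function(e,t){"use strict";t(e)}(this,function(){});\n'
)
SUSPECT_BLOB = b"var _0x2f1a=['\\x6e\\x6f\\x64\\x65','\\x65\\x78\\x65\\x63'];" * 20000

if __name__ == "__main__":
    for name, blob in (("jquery.js", LEGIT_JQUERY), ("jquery.js", SUSPECT_BLOB)):
        print(name, triage_js(name, blob))
```

A file that trips two or more of these flags is worth pulling for analysis together with the process that launched it, since a minified but genuine library will normally trip none.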

Sensitive information theft

Djinn Stealer goes after:

  • Configuration and authentication data associated with a wide variety of cloud services: AWS, Azure, Google Cloud, Oracle Cloud Infrastructure, Okta, Cloudflare, DigitalOcean, Linode, Heroku, Vercel, Railway, Supabase, Pulumi, Terraform, HashiCorp Vault, Consul, and more.
  • GitHub CLI data, Git configuration, SSH keys, Docker authentication, Helm registry information, S3 and MinIO client configurations, and Subversion credentials
  • Package registry and build-tool credentials for npm, pnpm, Yarn, NuGet, Cargo, Composer, Maven, Gradle, pip, PyPI, Conda, Bun, Ivy, and Scala Build Tool
  • Configuration, authentication, session, and project data associated with Claude, Gemini, Codex, Cline, OpenCode, and Kilo
  • Cryptocurrency wallets and keystores associated with Bitcoin, Litecoin, Dogecoin, Dash, Ethereum, Monero, Zcash, Exodus, Atomic Wallet, and Electrum
  • Browser history, bookmarks, shell history, database client files, PGP data, SSH configuration, and operating system information

They did not say whether the compromised SimpleHelp instance belonged to an MSP, but advised MSPs to patch and restrict SimpleHelp immediately, and to investigate for prior exploitation.

“The most damaging outcome may (…) occur after the original endpoint has been isolated,” they added.

“A stolen cloud key, package publishing token, source-control session, SSH key, or AI integration credential can preserve access independently of the compromised RMM server. These credentials can allow an attacker to re-enter the environment through trusted services, alter software, access production data, or pivot into customer tenants without redeploying the original malware.”

CISA has added CVE-2026-48558 to its Known Exploited Vulnerabilities catalog and, under the BOD 26-04 directive, instructed US federal civilian agencies to apply mitigations by July 7 and perform forensic triage on affected systems.

