SimpleHelp CVE-2026-48558 Exploited to Deploy TaskWeaver, Djinn Stealer
An unknown threat actor is actively exploiting CVE-2026-48558, a maximum-severity (CVSS 10.0) authentication bypass flaw in SimpleHelp's OpenID Connect (OIDC) flow, to deploy two previously undocumented malware families: TaskWeaver and Djinn Stealer. Discovered by Horizon3.ai researcher Zach Hanley, the vulnerability allows an unauthenticated attacker to forge an identity token and obtain a fully authenticated "Technician" session on publicly exposed SimpleHelp servers configured for generic OIDC or Azure AD OIDC. Even on instances enforcing multi-factor authentication, the flaw enables self-registration of an MFA method on first login, effectively neutralizing that control layer.
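The article does not detail the root cause of the token forgery, so the following is not SimpleHelp's code and not a reconstruction of the bug; it is an added example of the checks a relying party must apply to an OIDC ID token before it is allowed to yield a session, which is the control the flaw defeats. It uses HS256 with a constructed shared secret so that it runs on the Python standard library alone; most real OIDC deployments pin RS256 and fetch keys from the provider's JWKS (an assumption about typical setups). Every issuer, client id, key and claim value below is constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Pinned by the relying party from its own configuration; the token's header
# never gets to choose. HS256 keeps this example standard-library only.
ALLOWED_ALGS = ("HS256",)


class TokenRejected(Exception):
    """Any rejection: the caller must not create a session."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def mint_demo_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed stand-in for the identity provider, used only to build test
    tokens. The alg string is written into the header as given so that the
    verifier's algorithm pinning can be exercised with a negative case."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, *, key: bytes, expected_iss: str, expected_aud: str,
                      expected_nonce: str, now=None, leeway: int = 60) -> dict:
    """Return the verified claims or raise TokenRejected. Order matters:
    algorithm, then signature, then claims; nothing read from an unverified
    payload influences any decision."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("malformed token")

    # 1. Algorithm comes from configuration, never from the token header.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise TokenRejected("algorithm not permitted")

    # 2. Signature over the exact bytes received, compared in constant time.
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        raise TokenRejected("signature mismatch")

    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise TokenRejected("malformed claims")
    if not isinstance(claims, dict):
        raise TokenRejected("claims not an object")

    # 3. Issuer must be the one configured provider.
    if claims.get("iss") != expected_iss:
        raise TokenRejected("unexpected issuer")

    # 4. Audience must name this client; with several audiences, azp must too.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if expected_aud not in aud_list:
        raise TokenRejected("audience mismatch")
    if len(aud_list) > 1 and claims.get("azp") != expected_aud:
        raise TokenRejected("azp mismatch")

    # 5. Lifetime, with a small clock-skew leeway.
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now > exp + leeway:
        raise TokenRejected("expired")
    if not isinstance(iat, int) or iat > now + leeway:
        raise TokenRejected("issued in the future")

    # 6. Nonce ties the token to the login attempt that requested it.
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce mismatch")

    # 7. Map the account on the stable subject, never on a mutable email claim.
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise TokenRejected("missing subject")
    return claims
```

The point to take from the ordering is that a relying party which consults any claim before the signature and algorithm have been checked is already making a decision on attacker-controlled input; the MFA self-enrollment the article describes is only possible because the session was minted from a token that should never have passed this gate.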
Once a compromised session is established on the Remote Monitoring and Management (RMM) platform, attackers leverage the trusted administrative channel to transfer files and execute commands on managed endpoints. Blackpoint Cyber researchers Nevan Beal and Sam Decker documented the first-stage payload, TaskWeaver, a heavily obfuscated Node.js loader delivered as jquery.js and executed through node.exe. Rather than carrying a fixed set of post-exploitation commands, TaskWeaver implements an encrypted, reusable delivery channel that fingerprints the host and communicates with a hardcoded command-and-control endpoint at a.dev-tunnels[.]com, fetching and executing additional JavaScript payloads with full Node.js runtime privileges.
The second-stage payload, Djinn Stealer, is a cross-platform infostealer engineered to harvest credentials from Windows, macOS, and Linux systems. Its targeting scope is unusually broad, covering cloud platforms, source control repositories, package registries, infrastructure-as-code tooling, AI development assistants, browsers, SSH keys, and cryptocurrency wallets. With the ability to siphon data from AI development environments alongside traditional credential stores, the stealer is purpose-built for today's hybrid enterprise and developer workstation.
Administrators running publicly accessible SimpleHelp instances should immediately verify their OIDC configuration and apply the vendor patch addressing CVE-2026-48558. Until the patch is in place, security teams should also audit technician accounts for signs of unauthorized MFA enrollment and review RMM-managed endpoints for outbound connections to dev-tunnels[.]com. As supply-chain attacks against RMM platforms continue to grow, defenders should treat any new technician session on an internet-facing server as a high-priority investigation trigger.
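The triage steps in this paragraph and the TaskWeaver indicators described earlier (node.exe executing jquery.js, traffic to dev-tunnels[.]com), as an added detection example that is not code from the article, Blackpoint Cyber or Horizon3.ai. It runs over constructed JSON-lines telemetry in a hypothetical format; SimpleHelp's real audit log and any EDR's field names will differ, so every field name, host, path and the enrollment window are assumptions. It flags a technician account that enrolls an MFA method shortly after its first OIDC login, node.exe running a jquery.js script, and DNS lookups for any dev-tunnels.com host.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry in a hypothetical JSON-lines format (assumption:
# real SimpleHelp audit events and EDR process/DNS events use other field names).
# Hosts, users, IPs (TEST-NET-3) and paths are all made up for this example.
SAMPLE_LOG = r"""
{"ts":"2026-05-02T09:00:00Z","event":"technician_login","user":"helpdesk","method":"password","src":"10.0.4.12"}
{"ts":"2026-05-02T09:30:00Z","event":"mfa_enrolled","user":"helpdesk","src":"10.0.4.12"}
{"ts":"2026-05-02T10:00:05Z","event":"technician_login","user":"ops-admin","method":"oidc","src":"203.0.113.77"}
{"ts":"2026-05-02T10:00:40Z","event":"mfa_enrolled","user":"ops-admin","src":"203.0.113.77"}
{"ts":"2026-05-02T10:03:12Z","event":"process_create","host":"WS-17","image":"C:\\Windows\\Temp\\node.exe","cmdline":"node.exe C:\\Windows\\Temp\\jquery.js"}
{"ts":"2026-05-02T10:03:13Z","event":"dns_query","host":"WS-17","query":"a.dev-tunnels.com"}
{"ts":"2026-05-02T10:05:00Z","event":"process_create","host":"DEV-03","image":"C:\\Program Files\\nodejs\\node.exe","cmdline":"node.exe build.js"}
{"ts":"2026-05-02T10:05:01Z","event":"dns_query","host":"DEV-03","query":"updates.example.net"}
"""

# How soon after an OIDC login an MFA enrollment is treated as self-registration
# by a freshly minted session rather than routine onboarding (assumed value).
MFA_ENROLL_WINDOW = timedelta(minutes=15)


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Apply the three rules and return one finding dict per hit."""
    findings = []
    oidc_logins = {}  # user -> most recent OIDC login event
    for e in events:
        kind = e["event"]
        if kind == "technician_login" and e.get("method") == "oidc":
            oidc_logins[e["user"]] = e
        elif kind == "mfa_enrolled":
            # Rule 1: MFA method registered within minutes of an OIDC login.
            login = oidc_logins.get(e["user"])
            if login and e["ts"] - login["ts"] <= MFA_ENROLL_WINDOW:
                findings.append({"rule": "mfa_enrolled_after_oidc_login", "subject": e["user"],
                                 "detail": f"login from {login['src']}", "ts": e["ts"]})
        elif kind == "process_create":
            # Rule 2: the TaskWeaver loader runs as jquery.js under node.exe.
            image_name = e["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image_name == "node.exe" and "jquery.js" in e["cmdline"].lower():
                findings.append({"rule": "node_runs_jquery_js", "subject": e["host"],
                                 "detail": e["cmdline"], "ts": e["ts"]})
        elif kind == "dns_query":
            # Rule 3: any lookup under dev-tunnels.com, the loader's C2 domain.
            q = e["query"].lower().rstrip(".")
            if q == "dev-tunnels.com" or q.endswith(".dev-tunnels.com"):
                findings.append({"rule": "dev_tunnels_egress", "subject": e["host"],
                                 "detail": q, "ts": e["ts"]})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S}  {f['rule']:<32} {f['subject']:<10} {f['detail']}")
```

Rule 3 deliberately matches the whole domain rather than only the a.dev-tunnels[.]com host named in the article, so treat each hit as a lead to confirm against the process that made the lookup. Rule 1 is the one most worth wiring into the RMM's own audit trail: on a server that was exposed before patching, an MFA enrollment that follows the account's very first OIDC login is exactly the sequence the bypass produces.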