CVE-2026-48558 (CVSS score: 10.0) — a maximum-severity OpenID Connect authentication bypass in SimpleHelp — is being actively exploited to turn remote monitoring servers into distribution points for two new malware families, according to researchers.
CVE-2026-48558: how an OIDC bypass yielded a "Technician" session
Horizon3.ai, which discovered the flaw, reported that the vulnerability affects SimpleHelp servers configured to use either generic OIDC or Azure AD OIDC and "stems from the manner in which SimpleHelp validates the IdP assertions." An unauthenticated attacker can exploit the issue to obtain a fully authenticated "Technician" session by submitting a forged token containing arbitrary identity claims, the advisory said. Horizon3.ai security researcher Zach Hanley noted that "in many SimpleHelp deployments that have OIDC-type authentication enabled, an unauthenticated attacker can create and authenticate as a new 'Technician' user." Because technicians can self-register an MFA method on first login, the bypass can also evade environments that nominally enforce multifactor authentication.
Attack chain observed by Blackpoint Cyber: turning RMM into a launchpad
Blackpoint Cyber documented an intrusion where a threat actor used the authenticated Technician session on a publicly accessible SimpleHelp server to deploy additional tooling. "The compromised RMM platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server," researchers Nevan Beal and Sam Decker said. The initial loader was delivered as a file named jquery.js and executed through node.exe, establishing a foothold on managed endpoints.
TaskWeaver: a modular, obfuscated Node.js loader and delivery channel
Blackpoint described TaskWeaver as "a heavily obfuscated Node.js loader" that implements an encrypted, reusable payload delivery channel rather than a fixed set of post-exploitation commands. TaskWeaver fingerprints the host, establishes encrypted communications with a remote server identified as "a.dev-tunnels[.]com," and retrieves additional JavaScript payloads with elevated access to the Node.js runtime. The second-stage payload observed in the campaign is a cross-platform information stealer named Djinn Stealer.
Djinn Stealer: the breadth of data targeted
Djinn Stealer is engineered to harvest a wide array of credentials and configuration artifacts from Windows, macOS, and Linux hosts. Blackpoint's analysis lists targeted categories and specific platforms and tools, including:
- Web browser credentials, history, and bookmarks
- Cloud platform and identity tooling: AWS, Azure, Google Cloud, Oracle Cloud Infrastructure, Okta, Cloudflare, DigitalOcean, Linode, Heroku, Vercel, Railway, Supabase, Pulumi, Terraform, HashiCorp Vault, and Consul
- Source control and development artifacts: GitHub CLI data, Git configuration, SSH keys, Docker authentication, Helm registry information, Subversion credentials
- Package registries and language ecosystems: npm, pnpm, Yarn, NuGet, Cargo, Composer, Maven, Gradle, pip, PyPI, Conda, Bun, Ivy, and Scala Build Tool
- AI development assistants and related data: Anthropic Claude, Google Gemini, OpenAI Codex, Cline, OpenCode, and Kilo
- Cryptocurrency wallets and keystores for Bitcoin, Litecoin, Dogecoin, Dash, Ethereum, Monero, Zcash, Exodus, Atomic Wallet, and Electrum
On Linux, the malware also attempts to read process virtual files such as "/proc/<pid>/cmdline" and "/proc/<pid>/environ," which can contain command-line arguments and environment variables that may hold secrets like API keys or tokens.
Data handling and exfiltration: layered encryption to an IP endpoint
Once collected, Djinn Stealer packs the harvested information into a TAR archive, compresses it with GZIP, and encrypts it using AES-256-GCM with a key protected by an RSA-2048 public key embedded in TaskWeaver. The encrypted package is then exfiltrated to attacker-controlled infrastructure identified by researchers as "96.126.130[.]126:58942". The campaign illustrates an end-to-end chain from authentication bypass to data extraction across multiple host operating systems.
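The three observables this report gives a defender are the loader execution path (node.exe running a file named jquery.js, delivered through the RMM channel), the TaskWeaver C2 host "a.dev-tunnels[.]com", and the exfiltration endpoint "96.126.130[.]126:58942". The following Node.js snippet is an added example (not Blackpoint's or SimpleHelp's code) of a small rule set that flags those observables in endpoint and network telemetry. The indicators are taken from the report and kept defanged in the rule table; the event field names, the RMM parent-process pattern, the file paths and every sample event are constructed for the demo.

```javascript
// Added example (not Blackpoint's or SimpleHelp's code): flag this campaign's reported
// observables in endpoint/network telemetry. Indicators are from the report (kept defanged
// here); field names, paths, the parent-process pattern and all sample events are constructed.
const INDICATORS = {
  c2Host: 'a.dev-tunnels[.]com',           // TaskWeaver C2 host (from the report)
  exfilEndpoint: '96.126.130[.]126:58942', // Djinn Stealer exfil endpoint (from the report)
};
const refang = (s) => s.replace(/\[\.\]/g, '.');

// Assumption: the RMM service binary's path contains the product name. Tune per estate.
const RMM_PARENT = /simplehelp/i;

const RULES = [
  {
    name: 'node-loader-jquery-js',
    // node.exe executing a script named jquery.js (the loader's on-disk name in the report).
    match: (e) => e.event === 'process_create'
      && /(^|[\\/])node(\.exe)?$/i.test(e.image || '')
      && /(^|[\\/\s"])jquery\.js(\s|"|$)/i.test(e.cmdline || ''),
    // Rate it higher when the parent is the RMM process: that is the delivery path described.
    severity: (e) => (RMM_PARENT.test(e.parent_image || '') ? 'high' : 'medium'),
  },
  {
    name: 'taskweaver-c2-domain',
    match: (e) => e.event === 'dns_query'
      && typeof e.query === 'string'
      && e.query.toLowerCase() === refang(INDICATORS.c2Host),
    severity: () => 'high',
  },
  {
    name: 'djinn-exfil-endpoint',
    match: (e) => e.event === 'net_connect'
      && `${e.dest_ip}:${e.dest_port}` === refang(INDICATORS.exfilEndpoint),
    severity: () => 'critical',
  },
];

// Newline-delimited JSON is how most EDR/SIEM exports arrive; blank lines are skipped.
function parseNdjson(text) {
  return text.split('\n').filter((l) => l.trim()).map((l) => JSON.parse(l));
}

function evaluate(events) {
  const hits = [];
  for (const e of events) {
    for (const r of RULES) {
      if (r.match(e)) hits.push({ rule: r.name, severity: r.severity(e), host: e.host, ts: e.ts });
    }
  }
  return hits;
}

// Constructed sample telemetry. Paths are placeholders, not the product's real install layout.
const SAMPLE_NDJSON = [
  { ts: '2026-06-11T09:14:02Z', host: 'WS-17', event: 'process_create',
    image: 'C:\\PLACEHOLDER\\node.exe',
    cmdline: '"C:\\PLACEHOLDER\\node.exe" C:\\Users\\Public\\jquery.js',
    parent_image: 'C:\\PLACEHOLDER\\SimpleHelp\\service.exe' },
  { ts: '2026-06-11T09:14:05Z', host: 'WS-17', event: 'dns_query', query: refang(INDICATORS.c2Host) },
  { ts: '2026-06-11T09:20:41Z', host: 'WS-17', event: 'net_connect', dest_ip: '96.126.130.126', dest_port: 58942 },
  // Benign: a developer running node on a build script from a shell; must not alert.
  { ts: '2026-06-11T10:02:00Z', host: 'DEV-03', event: 'process_create',
    image: 'C:\\PLACEHOLDER\\node.exe', cmdline: 'node build.js', parent_image: 'C:\\PLACEHOLDER\\pwsh.exe' },
].map((e) => JSON.stringify(e)).join('\n');

function demo() {
  return evaluate(parseNdjson(SAMPLE_NDJSON));
}
```

Running `demo()` yields three hits on WS-17 (loader execution rated high because its parent is the RMM service, the C2 DNS query, and the exfil connection rated critical) and nothing for the developer's legitimate node invocation. The process rule deliberately keys on the script name rather than on node.exe alone, since Node is common on developer and build hosts; the parent-process check is what ties the execution back to the RMM delivery path the report describes.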
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: Administrators of SimpleHelp servers using OIDC or Azure AD OIDC should treat unauthenticated token validation as a high-priority control failure; the observed exploitation allowed creation of an authenticated Technician identity that could push files and run commands across managed endpoints.
- Policymakers and federal agencies: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-48558 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch agencies to apply fixes by July 2, 2026.
- Affected enterprises and procurement leaders: The incident demonstrates how compromise of a trusted Remote Monitoring and Management (RMM) platform can provide "a pathway into everything the managed systems could reach," including cloud tenants, build pipelines, and AI tools that store or process sensitive data.
The intrusion chain documented by Blackpoint Cyber and the earlier technical disclosure by Horizon3.ai together show how a single authentication validation flaw in an RMM product can cascade into cross-platform credential theft and long-lived access. With federal remediation deadlines already in place, attention will focus on patching, tightening IdP assertion handling, and reviewing the privileged capabilities granted to newly registered technician accounts.
Original reporting: https://thehackernews.com/2026/06/attackers-exploit-simplehelp-cve-2026.html