"The compromised RMM platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server," Blackpoint says.
CVE-2026-48558, SimpleHelp, and the OIDC attack surface
Earlier this month offensive security company Horizon3.ai published technical details for CVE-2026-48558, a critical authentication bypass in SimpleHelp that researchers said could be leveraged to create highly privileged technician accounts without authentication. The flaw is exploitable on SimpleHelp servers using the OpenID Connect (OIDC) authentication protocol, and Horizon3.ai reported that roughly 1,000 internet-exposed SimpleHelp instances were running a vulnerable configuration at the time of disclosure.
Blackpoint investigation: an operator, an RMM channel, and two new malware families
Managed detection and response provider Blackpoint investigated an incident in which a threat actor used the authentication bypass to establish an authenticated technician session on an internet-facing SimpleHelp server. According to Blackpoint’s Adversary Pursuit Group (APG), the intruder then deployed two previously undocumented malware components: a generic loader the researchers call TaskWeaver, and a cross-platform information stealer dubbed Djinn Stealer.
Blackpoint’s APG explicitly describes both pieces as new and not previously documented. The company traces initial delivery of TaskWeaver to an obfuscated JavaScript file named “jquery.js” downloaded from a temporary Cloudflare domain. That loader fingerprinted the compromised host, contacted command-and-control (C2) infrastructure, and fetched additional JavaScript modules for execution; one of those modules installed Djinn Stealer.
Djinn Stealer’s targets and collection chain
Djinn Stealer is built to run on Windows, macOS, and Linux and is configured to “collect in a single pass all the sensitive data it can find on a developer's machine,” Blackpoint reports. The malware emphasizes credentials and artifacts tied to software development, cloud operations, and AI tooling. Blackpoint lists targeted items that include:
- Cloud provider credentials, identity services, deployment platforms, and cloud management tools.
- Git configuration, GitHub CLI, SSH keys, Docker credentials, Helm, infrastructure-as-code tools (Terraform, Pulumi), secrets management solutions (HashiCorp Vault), and package manager credentials.
- Authentication data for package registries and build tools (npm, Yarn, pnpm, Cargo, Maven, Gradle, pip, NuGet).
- Local configuration files, authentication tokens, session data, and Model Context Protocol (MCP) configuration for AI coding assistants (Claude, Gemini, Codex, Cline, OpenCode, and Kilo).
- Cryptocurrency wallets and keystores for multiple desktop clients (Bitcoin, Litecoin, Dogecoin, Dash, Ethereum, Monero, Zcash, Exodus, Atomic Wallet, Electrum).
- Browser data, shell history, SSH configuration, PGP keys, database client configuration, operating system information, and other user files.
On Linux hosts, the malware also attempts to read /proc/<pid>/cmdline and /proc/<pid>/environ to extract process command lines and environment variables that can contain API keys, session tokens, and other secrets. Before exfiltration Djinn Stealer bundles collected artifacts into a TAR archive, compresses it with GZIP, and encrypts the package with AES-256-GCM using a key protected by an RSA-2048 public key embedded in TaskWeaver.
Why developer and AI-tooling credentials matter
Blackpoint emphasizes the particular danger of credentials tied to AI development tooling. “Many of these tools rely on the Model Context Protocol (MCP) to connect an AI assistant to external tools and data on the developer's behalf,” the researchers explain. They note that MCP settings and tokens are stored in files such as ~/.claude/mcp.json, and stealing those files can allow an attacker to “inherit the AI assistant's authorized access to repositories, cloud resources, databases, and APIs,” reaching beyond the AI service itself.
Immediate actions and indicators of compromise
Blackpoint’s report includes indicators of compromise observed during the intrusion: file hashes for the TaskWeaver loader and Djinn Stealer, network infrastructure used in the operation, and host and behavioral indicators. The company frames active exploitation of CVE-2026-48558 as an urgent call to action for administrators running SimpleHelp.
Concrete recommendations drawn from the investigation are narrow and specific: prioritize updating SimpleHelp instances to the latest versions; invalidate any technician sessions you don’t recognize; and, if a breach is confirmed, rotate all credentials and API keys. Blackpoint’s report supplies the IoCs organizations can use to hunt for the loader and stealer in their environments.
This intrusion demonstrates how a single authentication bypass on a trusted remote monitoring and management platform can provide a “trusted administrative channel” that operators use to transfer files and execute commands across managed systems. For any organization relying on SimpleHelp for MSP, helpdesk, or systems administration functions, the combination of CVE-2026-48558 and a cross-platform stealer focused on developer tooling creates a narrow window in which otherwise segregated credentials and toolchains can be quietly harvested and weaponized.
