A critical authentication bypass vulnerability in SimpleHelp Remote Monitoring and Management (RMM) software is being actively exploited in the wild.
This enables attackers to deploy advanced malware, including a newly identified loader, TaskWeaver, and an information-stealing tool, Djinn Stealer.
Security researchers from Blackpoint’s Adversary Pursuit Group (APG) confirmed that the intrusion chain begins with the exploitation of CVE-2026-48558.
This flaw affects the OpenID Connect (OIDC) authentication process, allowing attackers to bypass authentication by submitting forged identity tokens that lack proper signature validation.
SimpleHelp Authentication Bypass Flaw Exploited
As a result, threat actors can gain unauthorized technician-level access to exposed SimpleHelp servers. Once inside, attackers leverage the trusted RMM environment to execute malicious actions that appear legitimate.
In the observed attacks, adversaries used SimpleHelp’s built-in capabilities to transfer files and remotely execute commands across managed systems, significantly increasing the blast radius.

The initial payload deployed is TaskWeaver, a heavily obfuscated Node.js-based loader disguised as a harmless file named jquery.js.
Despite its name, the file is unrelated to the legitimate jQuery library. It is executed via node.exe and acts as a flexible delivery mechanism rather than a traditional malware payload.
TaskWeaver establishes encrypted communication with attacker-controlled infrastructure and dynamically retrieves additional payloads.
It uses a combination of AES-256-GCM and RSA-2048 encryption to secure its command-and-control (C2) traffic, making detection and analysis more difficult.
Instead of embedding fixed commands, TaskWeaver operates as a modular loader that can execute arbitrary JavaScript payloads, effectively allowing attackers to adapt their operations in real time.

The second-stage payload identified in this campaign is Djinn Stealer, a cross-platform information stealer targeting Windows, macOS, and Linux systems.
Djinn is designed to harvest a wide range of sensitive data, including:
- Cloud service credentials (AWS, Azure, Google Cloud)
- Source control and developer tokens (GitHub, Git configs)
- Package registry credentials (npm, PyPI, Maven)
- Infrastructure secrets and SSH keys
- Browser data and session tokens
- Cryptocurrency wallets
- AI development tool credentials
Notably, the theft of AI assistant tokens presents a significant risk. These tokens often grant access to repositories, databases, and cloud environments.

Attackers can inherit the same permissions granted to AI tools, extending compromise far beyond the initially infected system. The attack demonstrates how a single authentication bypass can cascade into a large-scale breach.
By abusing a trusted RMM platform, attackers gain centralized access to multiple endpoints and customer environments, particularly in managed service provider (MSP) scenarios.
Indicators of compromise (IoCs) associated with this campaign include suspicious Node.js execution (node.exe running jquery.js), connections to trycloudflare domains, and C2 communication with lookalike domains such as dev-tunnels variants.
Djinn Stealer also generates reconnaissance files, such as env.json and processList.txt, during execution.
Indicators of Compromise (IoCs)
| Category | Indicator | Value |
|---|---|---|
| File | TaskWeaver | jquery.js |
| File | TaskWeaver SHA-256 | 00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c |
| File | Djinn Stealer | upload |
| File | Djinn Stealer SHA-256* | f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc |
| Network | Loader staging | *.trycloudflare[.]com |
| Network | TaskWeaver C2 | a[.]dev-tunnels[.]com |
| Network | TaskWeaver URI | POST /api/<base64url>.<base64url>.<base64url> |
| Network | Djinn Stealer exfiltration | 96[.]126[.]130[.]126:58942 |
| Network | User-Agent | telemetry-client/1.0 |
| Host & Behavioral | Execution | node.exe <path>\jquery.js |
| Host & Behavioral | Reconnaissance artifacts | processList.txt, linux-process-env.json, env.json, telemetry.json, user-dirs.txt |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
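As an added example (not code from Blackpoint's report), the script below applies the host and network indicators from the table above to a handful of constructed process, network and file events, grouping hits per host so a machine that shows the loader execution together with a staging domain and a reconnaissance artifact stands out; the event fields and hostnames are assumptions for the sample data.

```python
import re

# Constructed sample telemetry (not real logs): process-creation, network and file-creation events.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "cmdline": r"node.exe C:\Users\Public\jquery.js"},
    {"type": "process", "host": "ws02", "cmdline": r"node.exe C:\dev\app\server.js"},
    {"type": "network", "host": "ws01", "dest": "quiet-lamp-fox.trycloudflare.com",
     "port": 443, "user_agent": "telemetry-client/1.0"},
    {"type": "network", "host": "ws03", "dest": "updates.example-vendor.com",
     "port": 443, "user_agent": "Mozilla/5.0"},
    {"type": "file", "host": "ws01", "path": r"C:\Users\Public\env.json"},
    {"type": "file", "host": "ws02", "path": r"C:\Users\alice\project\.env"},
]

# Indicators from the IoC table, re-fanged here only so the regexes can match.
SUSPICIOUS_SCRIPT = re.compile(r"node(\.exe)?\s+.*jquery\.js", re.IGNORECASE)
C2_DOMAINS = re.compile(r"(\.|^)(trycloudflare\.com|dev-tunnels\.com)$", re.IGNORECASE)
C2_USER_AGENT = "telemetry-client/1.0"
RECON_FILES = {"processList.txt", "linux-process-env.json", "env.json",
               "telemetry.json", "user-dirs.txt"}

def match_event(event):
    """Return the IoC names a single event matches (empty list if nothing matched)."""
    hits = []
    if event["type"] == "process" and SUSPICIOUS_SCRIPT.search(event["cmdline"]):
        hits.append("taskweaver_execution")
    if event["type"] == "network":
        # trycloudflare and dev-tunnels hosts also carry legitimate traffic, so a domain
        # hit on its own is low fidelity; the User-Agent and process hits raise confidence.
        if C2_DOMAINS.search(event["dest"]):
            hits.append("c2_domain")
        if event.get("user_agent") == C2_USER_AGENT:
            hits.append("c2_user_agent")
    if event["type"] == "file":
        # Compare the bare filename so Windows and Linux paths are handled the same way.
        name = event["path"].replace("\\", "/").rsplit("/", 1)[-1]
        if name in RECON_FILES:
            hits.append("djinn_recon_artifact")
    return hits

def hunt(events):
    """Group matched IoC names per host; a host with several distinct hits is the priority."""
    findings = {}
    for ev in events:
        for hit in match_event(ev):
            findings.setdefault(ev["host"], []).append(hit)
    return findings

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```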
Following active exploitation reports, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-48558 to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the urgency of remediation.
Blackpoint APG recommends immediately patching SimpleHelp, restricting internet exposure, enforcing strong authentication, and rotating potentially exposed credentials.
Organizations should also treat any credentials accessible from compromised systems as fully compromised. This campaign highlights a growing trend in cyberattacks where initial access is only the first step.
The real objective is to steal credentials and tokens that enable persistent, downstream access across cloud platforms, development pipelines, and enterprise infrastructure.