- CVE: CVE-2026-48558
- CVSS: 10.0 (Critical · CVSSv3)
- Product: SimpleHelp
- Affected: 5.5.0, 6.0
- Impact: SimpleHelp Authentication Bypass via Missing OIDC JWT Signature Verification
- Status: Exploited in the wild
- Patched in: 5.5.16, 6.0 RC2
- EPSS: 0.7% (30-day)
- Action: Update to 5.5.16, 6.0 RC2 now
On 29 June 2026, CISA added CVE-2026-48558 to its Known Exploited Vulnerabilities catalog. The flaw is a critical SimpleHelp authentication bypass in the OIDC login flow. Attackers now use it in the wild to seize remote management servers and spread two new malware families.
TL;DR
CVE-2026-48558 lets an unauthenticated attacker forge an identity token and gain a SimpleHelp technician session. Blackpoint’s Adversary Pursuit Group confirmed active exploitation. The attacker then deployed a Node.js loader called TaskWeaver and a stealer named Djinn Stealer.
Why this SimpleHelp authentication bypass matters
SimpleHelp is a remote monitoring and management (RMM) tool. Managed service providers rely on it to administer many customer networks at once. Therefore, one compromised server can expose dozens of downstream environments.
The CVSS score reaches 10.0, the maximum. Researchers at Horizon3.ai found roughly 14,000 SimpleHelp servers exposed online. About 7.2% ran the vulnerable OIDC setup, which points to around 1,000 directly affected systems. Because the exploit needs no credentials, the barrier to entry stays very low.
How the attack works
The bug sits in how SimpleHelp checks OIDC identity tokens. The server accepts a token without verifying its cryptographic signature. As a result, an attacker can craft a token with arbitrary claims and log in as a technician.

That session grants full administrative reach. In the intrusion Blackpoint studied, the operator used the RMM channel to push a file named jquery.js, run through node.exe. Despite the name, the file had nothing to do with the jQuery library.
TaskWeaver: a stealthy Node.js loader
TaskWeaver is a heavily obfuscated Node.js loader. It fingerprints the host, then opens an encrypted channel to attacker infrastructure. Next, it pulls and runs further JavaScript with full runtime access.
The loader supports a single command, deliver. Yet that one command runs arbitrary code. So it can swap a stealer for a backdoor at any time, with no change to the loader itself.
Djinn Stealer: credential theft at scale
TaskWeaver delivered Djinn Stealer, a cross-platform stealer for Windows, macOS, and Linux. It hunts cloud keys, SSH keys, source-control tokens, package-registry logins, browser data, and cryptocurrency wallets.
Notably, Djinn also targets AI development tools such as Claude, Gemini, and Codex. Many of these tools use the Model Context Protocol to reach repositories, databases, and cloud accounts. Stealing those tokens hands an attacker the same access the developer gave the AI. Blackpoint documented the full chain in its intrusion analysis.
Response goes beyond the endpoint
Containment cannot stop at the infected machine. Stolen cloud keys, publishing tokens, and SSH keys keep working after cleanup. An attacker can re-enter through trusted services long after the RMM server is fixed. Therefore, effective response follows every credential the host could reach.
Affected versions
The flaw affects SimpleHelp 5.5.15 and earlier, plus all 6.0 pre-release builds. Only servers configured for OIDC authentication face risk. Both generic OIDC and Azure AD OIDC qualify.
Exploitation status
This is confirmed exploitation in the wild, not theory. Earlier advisories reported no active abuse. That picture changed when Blackpoint observed a real intrusion that used the flaw. Following that disclosure, CISA added CVE-2026-48558 to its Known Exploited Vulnerabilities catalog on 29 June 2026. Federal agencies must patch by 2 July 2026.
Patch and mitigation
SimpleHelp fixed the issue on 9 June 2026. Update to version 5.5.16 or 6.0 RC2 right away. Then remove vulnerable servers from direct internet exposure until you finish remediation.
If you cannot patch at once, restrict technician logins to trusted IP addresses. Next, review server logs for unknown technician accounts, OIDC changes, and logins without a matching support ticket. Finally, treat any credential reachable from a managed host as exposed, and rotate it. Watch for RMM software that launches Node.js from temporary or user-writable folders, since that pattern signals this attack.