Critical Vulnerability in SimpleHelp Platform Exploited to Deploy New Stealer Malware
A critical vulnerability in the SimpleHelp platform has been exploited by hackers to deploy a new cross-platform information stealer known as Djinn Stealer. The vulnerability, identified as CVE-2026-48558, allows attackers to create highly privileged technician accounts without authentication, giving them full access to systems managed through the server.
The SimpleHelp platform is widely used by managed service providers (MSPs), IT departments, helpdesks and system administrators for remote monitoring and management (RMM). According to researchers from Horizon3.ai, around 1,000 internet-exposed SimpleHelp servers were running a vulnerable configuration at the time of disclosure. The vulnerable configuration is OIDC: the flaw is exploitable on servers that authenticate through the OpenID Connect (OIDC) protocol, so the first thing an operator should check is whether their server is set up that way.
In an incident investigated by managed detection and response provider Blackpoint, a threat actor exploited the critical authentication bypass vulnerability to establish an authenticated technician session on an internet-facing SimpleHelp server. From there, they deployed the TaskWeaver malware loader and Djinn Stealer, which collected sensitive data from the compromised system. The investigation revealed that Djinn Stealer targeted a broad collection of developer and infrastructure credentials, including AI development tools, cloud provider credentials, identity services, deployment platforms, and more.
Djinn Stealer’s focus on AI development tools is particularly concerning, as these tools often rely on authorized access to external resources such as repositories, cloud accounts, databases, and APIs. By stealing credentials for these tools, attackers can gain access to the same downstream connections that developers have extended to their AI agents, allowing them to reach well beyond the AI service itself.
Blackpoint's researchers report that the stolen data is packed into a TAR archive, compressed with GZIP and exfiltrated to the command-and-control (C2) server. On Linux hosts the malware also attempts to read secrets from virtual files, the kernel-backed pseudo-files that expose process and system state rather than data stored on disk, so credentials that were never written to a config file can still be harvested.
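The following script is an added example, not code from the article or from Blackpoint. It assumes that `/proc/<pid>/environ` on procfs is one of the Linux virtual files the stealer reads (the article does not name which files), and shows what a process-environment reader running with the same privileges as a hijacked technician session would be able to collect. The `SECRET_NAME_RE` patterns, the `redact`/`audit_procfs` helpers and the `SAMPLE_ENVIRON` blob are all constructed for the example.

```python
"""
Audit which secrets a process-environment reader would find on a Linux host.

Added example, not the article's or Blackpoint's code. ASSUMPTION: /proc/<pid>/environ
(procfs, a virtual filesystem) is one of the "virtual files" the stealer reads.
The key-name patterns and the sample environ blob are constructed for illustration.
"""
import os
import re
from typing import Dict, List, Tuple

# Constructed list of name fragments that commonly mark credential-bearing
# environment variables; extend it for the tooling in your own environment.
SECRET_NAME_RE = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|APIKEY|PRIVATE_KEY|ACCESS_KEY|CREDENTIAL)",
    re.IGNORECASE,
)


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE records used by /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for rec in blob.split(b"\x00"):
        if not rec or b"=" not in rec:
            continue
        key, _, value = rec.partition(b"=")
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def redact(value: str) -> str:
    """Keep a four-character prefix so the audit report is not itself a secrets dump."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def find_secret_vars(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, redacted value) for non-empty variables whose names look credential-bearing."""
    return sorted(
        (name, redact(value))
        for name, value in env.items()
        if SECRET_NAME_RE.search(name) and value
    )


def audit_procfs(proc_root: str = "/proc") -> Dict[int, List[Tuple[str, str]]]:
    """Walk <proc_root>/<pid>/environ for every process the current user may read.

    Linux only. Processes owned by other users raise EACCES and are skipped, which
    is exactly why a highly privileged technician session sees far more than a
    normal user: it can read every process's environment.
    """
    findings: Dict[int, List[Tuple[str, str]]] = {}
    if not os.path.isdir(proc_root):
        return findings
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "environ"), "rb") as f:
                hits = find_secret_vars(parse_environ(f.read()))
        except OSError:
            continue
        if hits:
            findings[int(entry)] = hits
    return findings


# Constructed sample of what one developer process's environ might contain.
SAMPLE_ENVIRON = (
    b"PATH=/usr/local/bin:/usr/bin\x00"
    b"HOME=/home/dev\x00"
    b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    b"OPENAI_API_KEY=sk-example0000000000\x00"
    b"GITHUB_TOKEN=ghp_example000000000\x00"
    b"EMPTY_TOKEN=\x00"
)

if __name__ == "__main__":
    print("sample process:", find_secret_vars(parse_environ(SAMPLE_ENVIRON)))
    for pid, hits in audit_procfs().items():
        print(pid, hits)
```

Run it as the user a technician session would land as and compare the output with what an unprivileged account sees; the difference is the extra exposure the authentication bypass buys an attacker. Anything the script reports is a candidate for rotation after an incident, because a stealer that reads the same files does not redact.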
Patching is the first fix: SimpleHelp users should update their servers immediately and, on any server that authenticates technicians with OIDC, review the configuration to confirm the bypass no longer applies. Because the flaw lets an attacker create technician accounts without authenticating, also audit the technician account list for entries your team did not create and look for technician sessions on internet-facing servers that nobody recognises. Where such a session existed, treat every credential Djinn Stealer targets as exposed and rotate it rather than only resetting passwords: cloud provider keys, identity service tokens, deployment platform secrets and the API keys developers have handed to AI development tools, since those keys carry the same downstream access the developer had.
The broader lesson for developers and administrators is that AI tooling accumulates long-lived credentials on the workstation, and an RMM server with an authentication bypass is a direct path to that workstation. Monitoring for unexpected technician sessions and for outbound transfers of compressed archives to unfamiliar destinations gives defenders a chance to catch the exfiltration stage the Blackpoint investigation describes before the stolen credentials are used elsewhere.
Source: Bleeping Computer — 2026-06-29