**Malware Targets Cloud and AI Credentials in Sneaky Attack**
A sophisticated malware campaign has been uncovered, targeting cloud and artificial intelligence (AI) credentials in a bid to gain access to sensitive enterprise systems. The attack, which began with a critical vulnerability in remote monitoring and management (RMM) tools, demonstrates the growing threat posed by hackers exploiting trusted administrative infrastructure.
The malware, known as Djinn Stealer, was delivered via CVE-2026-48558, a critical authentication bypass vulnerability in SimpleHelp, an RMM platform used by over 6,000 organizations to manage millions of endpoint devices. Once inside, the attackers mass-deployed an obfuscated JavaScript loader called TaskWeaver, disguised as a benign-looking file named jsquery.js and hosted on temporary Cloudflare infrastructure.
The Djinn Stealer malware is designed to strip a developer’s machine of everything valuable in a single pass, including cloud credentials, SSH keys, API keys, service account credentials, and other infrastructure secrets. But what sets this attack apart is the malware’s ability to target credentials associated with AI development tools and agents, such as Claude, Gemini, Codex, Cline, OpenCode, and Kilo.
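The practical question a defender is left with after a one-pass stealer like this is which long-lived secrets sit on a developer workstation in a form that is usable as-is by whoever takes them. The following audit script is an added example, not code from Blackpoint, SimpleHelp or the Dark Reading article: it walks a home directory for the kinds of files a stealer collects (cloud CLI credentials, SSH private keys, AI coding-tool tokens), flags files readable by other users, and parses OpenSSH private keys to detect ones stored without a passphrase. The candidate paths are assumptions about where common tools keep their state, not a list from the article, and the sample home directory it builds contains constructed placeholders rather than real credentials.

```python
"""Inventory long-lived credential material on a developer workstation.

Added example (not from the article or from Blackpoint). Candidate paths are
assumptions about common tool locations; extend CANDIDATES for your own tooling.
"""
import base64
import stat
import struct
import tempfile
from pathlib import Path
from typing import Optional

# Assumed locations relative to $HOME (not from the article; adjust as needed).
CANDIDATES = [
    ".aws/credentials",
    ".config/gcloud/application_default_credentials.json",
    ".azure/accessTokens.json",
    ".kube/config",
    ".docker/config.json",
    ".npmrc",
    ".netrc",
    # AI coding-tool state files; assumed paths for these tools.
    ".claude/.credentials.json",
    ".gemini/oauth_creds.json",
    ".codex/auth.json",
]
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_key_is_encrypted(data: bytes) -> Optional[bool]:
    """True/False for a private key file, None if the bytes are not one.

    openssh-key-v1 stores the cipher name as the first length-prefixed string
    after the magic; "none" means the key material is plaintext on disk.
    Legacy PEM keys advertise encryption via a 'Proc-Type: 4,ENCRYPTED' header.
    """
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        try:
            raw = base64.b64decode(body)
        except ValueError:
            return None
        if not raw.startswith(OPENSSH_MAGIC):
            return None
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", raw[off:off + 4])
        return raw[off + 4:off + 4 + n] != b"none"
    if b"PRIVATE KEY-----" in data:  # legacy PEM container (RSA/EC/DSA)
        return b"ENCRYPTED" in data
    return None


def audit(home: Path) -> dict:
    """Map each credential file found under `home` to its list of issues
    (an empty list means present but held tightly)."""
    report = {}

    def check(path: Path, is_ssh_key: bool) -> None:
        if not path.is_file():
            return
        issues = []
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            issues.append(f"readable by group/others (mode {mode:04o})")
        if is_ssh_key and openssh_key_is_encrypted(path.read_bytes()) is False:
            issues.append("SSH private key stored without a passphrase")
        report[str(path.relative_to(home))] = issues

    for rel in CANDIDATES:
        check(home / rel, False)
    ssh_dir = home / ".ssh"
    if ssh_dir.is_dir():  # only files that parse as private keys are reported
        for p in sorted(ssh_dir.iterdir()):
            if p.is_file() and openssh_key_is_encrypted(p.read_bytes()) is not None:
                check(p, True)
    return report


def _openssh_blob(cipher: bytes) -> bytes:
    """Constructed stand-in for an OpenSSH private key file: only the header the
    parser reads (magic, cipher name, kdf name) is real; it holds no key material."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    raw = (OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
           + struct.pack(">I", len(kdf)) + kdf)
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n").encode()


def build_demo_home(root: Path) -> Path:
    """Constructed sample home directory; the contents are placeholders."""
    home = root / "home" / "dev"
    files = {
        ".aws/credentials": (b"[default]\naws_access_key_id = PLACEHOLDER\n", 0o644),
        ".codex/auth.json": (b'{"tokens": {"access_token": "placeholder"}}\n', 0o600),
        ".ssh/id_ed25519": (_openssh_blob(b"none"), 0o600),
        ".ssh/id_rsa": (_openssh_blob(b"aes256-ctr"), 0o600),
        ".ssh/id_ed25519.pub": (b"ssh-ed25519 PLACEHOLDER dev@example\n", 0o644),
    }
    for rel, (content, mode) in files.items():
        p = home / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        p.chmod(mode)
    return home


def demo() -> dict:
    """Run the audit against the constructed sample home directory."""
    return audit(build_demo_home(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    for path, issues in demo().items():
        print(f"{path}: {'; '.join(issues) or 'present, restricted'}")
```

Run it as `python audit_secrets.py` for the constructed sample, or call `audit(Path.home())` to inventory a real workstation. Every file it lists is one the stealer would have taken in a single pass; the ones flagged as plaintext or world-readable are the ones an attacker can use without any further work, and are the first to rotate after an RMM compromise.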
These AI-related credentials carry the same weight as any other infrastructure secret: a stolen token for a coding agent or AI platform lets the attacker read and change data and cloud infrastructure with whatever privileges the developer, or the agent acting on the developer's behalf, has been granted.
According to researchers at Blackpoint Cyber's Adversary Pursuit Group (APG), who investigated the incident, Djinn Stealer fingerprints the compromised system, establishes communications with a command-and-control (C2) server, and collects and packages the stolen data. The collected data is encrypted with AES-256-GCM before it is exfiltrated.
The intrusion campaign highlights the growing trend of attackers focusing on trusted administrative and development infrastructure to amplify the impact of a single compromise. “As AI becomes embedded across development, administration, and business workflows, credentials associated with these platforms are becoming increasingly valuable to threat actors,” notes Nevan Beal, principal MDR analyst at Blackpoint.
**What does this mean for security teams?**
The Djinn Stealer attack is a reminder that administrative and development infrastructure is a high-value target precisely because it is trusted. Security teams should patch SimpleHelp and other RMM tools promptly (CVE-2026-48558 here), keep RMM management interfaces off the open internet, and enforce strong authentication and access controls on them, since an RMM compromise hands the attacker a deployment channel to every managed endpoint. Any developer machine reachable through the compromised RMM should be treated as having leaked every long-lived secret on it: cloud keys, SSH keys, service account credentials, and AI-tool tokens all need rotation, not just the ones known to have been used.
In practical terms, this means regular audits of which secrets live on workstations, multi-factor authentication for all administrative and development accounts, and educating developers about protecting their cloud and AI credentials. One caveat: MFA protects interactive logins, not API keys and tokens already sitting on disk, so it should be paired with short-lived, scoped credentials wherever a tool supports them and with passphrase-protected or hardware-backed SSH keys. Taken together, these measures reduce both the likelihood and the blast radius of an attack like Djinn Stealer.
Source: Dark Reading — 2026-06-29