TaskWeaver and Djinn Stealer delivered through abused SimpleHelp RMM tools
Malware Activity
Summary
The abuse of SimpleHelp RMM turned a trusted support channel into a malware delivery path for TaskWeaver and Djinn Stealer, expanding attacker reach into managed networks and downstream environments. TaskWeaver is a modular Node.js loader disguised as jquery.js and executed from a temporary Cloudflare address. Djinn Stealer is a cross-platform infostealer for Windows, macOS and Linux that targets cloud keys, SSH credentials, source code, wallets and package-registry tokens.
Related Happenings
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
Vulnerability
H score: 46
First: 15.06.2026 23:06
Last: 15.06.2026 23:06
Sources: 1
How related:
New analysis from security firm Blackpoint Cyber found that an attacker exploited the flaw, tracked as CVE-2026-48558, to obtain a trusted technician session on an internet-facing SimpleHelp server.
About this happening:
**CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...
SimpleHelp security update for CVE-2026-48558
Security Patch Release
H score: 65
First: 15.06.2026 23:06
Last: 15.06.2026 23:06
Sources: 1
How related:
SimpleHelp patched the flaw in late May, in versions 5.5.16 and 6.0 RC2.
About this happening:
**SimpleHelp** released **5.5.16** and **6.0 RC2** on **June 9** to fix **CVE-2026-48558**, a critical **OIDC** authentication flaw in **SimpleHelp remote management software** th...
Timeline
30.06.2026 18:34 (1 article)
CISA adds CVE-2026-48558 to KEV catalog
Legal Policy Action Update: CISA added CVE-2026-48558 in SimpleHelp to its Known Exploited Vulnerabilities (KEV) catalog on June 29 after Blackpoint Cyber reported active exploitation of the authentication bypass.
- Critical SimpleHelp Vulnerability Exploited For Malware Delivery — www.infosecurity-magazine.com — 30.06.2026 18:34
30.06.2026 18:34 (2 articles)
Blackpoint Cyber reports SimpleHelp exploitation and malware delivery
Initial Disclosure: Blackpoint Cyber reported that an attacker forged a login token in SimpleHelp's OpenID Connect login, obtained a trusted technician session on an internet-facing SimpleHelp server, and used SimpleHelp's file-transfer and remote-execution features to push TaskWeaver and Djinn Stealer. The payload was disguised as jquery.js, fetched from a temporary Cloudflare address, and executed via Node.js.
- Critical SimpleHelp Vulnerability Exploited For Malware Delivery — www.infosecurity-magazine.com — 30.06.2026 18:34