TaskWeaver and Djinn Stealer delivered through exploited SimpleHelp servers
Malware Activity
Summary
A SimpleHelp exploitation chain is now delivering TaskWeaver and Djinn Stealer, creating a direct path from server-side access to credential theft on managed endpoints. The loader runs as jquery.js through node.exe and acts as an encrypted staging channel rather than a fixed command set. The second stage targets Windows, macOS, and Linux, and it is built to steal cloud, source-control, AI, SSH, browser, and wallet data. Harvested material is packed, encrypted, and exfiltrated to attacker-controlled infrastructure.
Timeline
30.06.2026 14:18 · 2 articles
Unknown threat actor exploits SimpleHelp CVE-2026-48558 to deploy TaskWeaver and Djinn Stealer
Initial Disclosure: An unknown threat actor is observed abusing CVE-2026-48558 in SimpleHelp to bypass OIDC authentication, obtain a Technician session on a publicly accessible RMM server, and deploy TaskWeaver and Djinn Stealer. TaskWeaver is delivered as jquery.js and executed through node.exe as a heavily obfuscated Node.js loader, while Djinn Stealer targets Windows, macOS, and Linux to harvest cloud, source-control, AI, SSH, browser, and wallet credentials before the data is packed, encrypted, and exfiltrated to attacker-controlled infrastructure. CISA adds CVE-2026-48558 to the Known Exploited Vulnerabilities catalog and requires Federal Civilian Executive Branch agencies to apply the fixes by July 2, 2026.
- Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer — thehackernews.com — 30.06.2026 14:18
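The one host-level indicator the reporting gives is concrete enough to hunt on: node.exe launching a script named jquery.js. The script below is an added example, not code from the article or from SimpleHelp, that runs that check over Sysmon-style process-creation events. The JSON log lines are constructed for the example, and the list of user-writable directories is a heuristic assumption of this example, not something the article states.

```python
"""Hunt for the TaskWeaver delivery pattern: node.exe executing jquery.js.

Added example for illustration; the events below are constructed, not real
telemetry, and the suspicious-directory heuristic is an assumption.
"""
import json
import ntpath
import re

# Constructed Sysmon EventID 1 (process creation) records as JSON lines.
SAMPLE_EVENTS = r'''
{"EventID":1,"Image":"C:\\Program Files\\nodejs\\node.exe","CommandLine":"\"C:\\Program Files\\nodejs\\node.exe\" C:\\Users\\dev\\app\\server.js","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":1,"Image":"C:\\Users\\Public\\node.exe","CommandLine":"node.exe C:\\Users\\Public\\jquery.js","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":1,"Image":"C:\\Windows\\Temp\\node.exe","CommandLine":"C:\\Windows\\Temp\\node.exe C:\\Windows\\Temp\\lib\\jquery.js","ParentImage":"C:\\Windows\\Temp\\svc.exe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe jquery.js","ParentImage":"C:\\Windows\\explorer.exe"}
'''

# Loader file name reported by the article. The indicator is the pairing of
# node.exe with this script name; jquery.js alone is ubiquitous and benign.
LOADER_NAME = "jquery.js"

# Assumption (not from the article): a Node.js runtime executing from these
# user-writable locations is rarely legitimate on a managed endpoint.
SUSPECT_DIRS = (
    "\\users\\public\\",
    "\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\programdata\\",
)

# Quoted or unquoted arguments ending in .js on the command line.
JS_ARG = re.compile(r'(?:"([^"]+\.js)"|(\S+\.js))', re.IGNORECASE)


def script_args(cmdline):
    """Return every .js path passed on the command line."""
    return [m.group(1) or m.group(2) for m in JS_ARG.finditer(cmdline)]


def classify(event):
    """Return a list of reasons this event is suspicious, or None."""
    image = event.get("Image", "")
    if ntpath.basename(image).lower() != "node.exe":
        return None
    scripts = script_args(event.get("CommandLine", ""))
    reasons = []
    if any(ntpath.basename(s).lower() == LOADER_NAME for s in scripts):
        reasons.append("node.exe executing jquery.js (TaskWeaver delivery pattern)")
    if any(d in image.lower() for d in SUSPECT_DIRS):
        reasons.append("node.exe running from a user-writable path")
    if any(d in s.lower() for s in scripts for d in SUSPECT_DIRS):
        reasons.append("script loaded from a user-writable path")
    return reasons or None


def scan(jsonl):
    """Parse JSON-lines process events and return (command line, reasons) hits."""
    hits = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        if event.get("EventID") != 1:
            continue
        reasons = classify(event)
        if reasons:
            hits.append((event["CommandLine"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(cmdline)
        for reason in reasons:
            print("   ", reason)
```

On the constructed input the legitimate developer launch of server.js and the notepad.exe event are ignored, and the two node.exe launches of jquery.js are reported. In a real hunt, pair the script-name match with the path heuristics rather than alerting on the file name alone, and pivot from any hit to the parent process and to the SimpleHelp server's Technician session logs for the initial-access side of the chain.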