A newly discovered cyberattack campaign is exploiting a critical security flaw in SimpleHelp remote monitoring and management (RMM) software to install two previously unknown malware families named TaskWeaver and Djinn Stealer. The vulnerability, tracked as CVE-2026-48558, has received the highest possible CVSS score of 10.0 because it allows attackers to gain unauthorized access without valid login credentials. Security researchers confirmed that the flaw is already being actively exploited in real-world attacks.


The vulnerability affects the OpenID Connect (OIDC) authentication process used by certain SimpleHelp deployments. Researchers found that attackers can create a forged identity token containing fake user information, allowing them to log in as a fully authenticated technician. This gives cybercriminals the same level of access as legitimate IT administrators, enabling them to remotely manage systems connected to the compromised SimpleHelp server.
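The forged-token problem described above comes down to a relying party creating a session from identity claims it never properly verified. The following Python validator is an added illustration, not SimpleHelp's code, and the article does not detail which check the product skipped; it shows the checks an OIDC relying party must pass before treating a token's subject as an authenticated technician. The HS256 shared secret, issuer URL and audience are constructed placeholders (real OIDC deployments verify an asymmetric signature against the provider's published keys).

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

# Constructed values for this example; a real OIDC provider signs ID tokens with an
# asymmetric key (RS256/ES256) published at its JWKS endpoint, not a shared secret.
SHARED_SECRET = b"example-shared-secret"
EXPECTED_ISSUER = "https://idp.example.invalid"
EXPECTED_AUDIENCE = "simplehelp-rp"  # the relying party's client_id (assumed)

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict, secret: Optional[bytes] = SHARED_SECRET) -> str:
    """Build a compact JWT; secret=None yields an unsigned 'alg: none' token."""
    header = {"alg": "HS256" if secret else "none", "typ": "JWT"}
    signing_input = ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest() if secret else b""
    return f"{signing_input}.{_b64url_encode(sig)}"

def validate_id_token(token: str, now: float) -> Tuple[Optional[dict], str]:
    """Return (claims, "ok") only if every check passes, otherwise (None, reason)."""
    try:
        h_seg, c_seg, s_seg = token.split(".")
        header = json.loads(_b64url_decode(h_seg))
        claims = json.loads(_b64url_decode(c_seg))
        sig = _b64url_decode(s_seg)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed token"
    # Pin the algorithm the relying party expects; never let the token's header choose it.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(SHARED_SECRET, f"{h_seg}.{c_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if claims.get("iss") != EXPECTED_ISSUER:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None, "missing or expired exp"
    if not claims.get("sub"):
        return None, "missing sub"
    return claims, "ok"
```

A token whose signature, issuer, audience or expiry fails any one of these checks must never yield a session, regardless of how plausible the user information inside it looks.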

The attack chain was investigated by Blackpoint Cyber after detecting suspicious activity on an internet-facing SimpleHelp server. Once the attackers successfully obtained a technician session, they abused the trusted remote management platform to transfer files and execute malicious code on managed endpoints. Because the activity originated from legitimate administrative software, it appeared similar to normal support operations, making the intrusion much harder to detect.


The first malware deployed during the attack is called TaskWeaver, a heavily obfuscated Node.js loader designed to prepare infected systems for additional malware. It was delivered as a file named “jquery.js” and executed using node.exe, making it appear similar to a legitimate JavaScript library. Instead of performing immediate malicious actions, TaskWeaver establishes encrypted communication with attacker-controlled servers and creates a reusable channel for delivering future payloads.

After collecting basic information about the compromised device, TaskWeaver downloads the second-stage malware known as Djinn Stealer. This information-stealing malware is capable of running on Windows, macOS, and Linux systems. Researchers discovered that it is specifically designed to search for valuable credentials and authentication data stored on developer workstations and enterprise systems, significantly increasing the impact of a successful compromise.


Djinn Stealer targets a wide range of sensitive information, including credentials for cloud platforms, source code repositories, package registries, infrastructure management tools, AI development assistants, web browsers, SSH keys, and cryptocurrency wallets. Security experts warned that stolen AI development tokens could allow attackers to access repositories, databases, cloud environments, and other resources trusted by AI coding assistants, expanding the breach well beyond the initially infected device.

Researchers believe this campaign demonstrates how attackers are increasingly abusing trusted remote management software instead of relying on traditional phishing emails or standalone exploits. By using legitimate RMM capabilities to distribute malware, the attackers were able to move through managed environments while blending in with normal administrative activity. This technique makes detection more difficult and increases the risk for organizations using exposed management servers.


Security experts strongly recommend that organizations immediately install the latest SimpleHelp security updates, especially if OIDC authentication is enabled. Any internet-facing SimpleHelp servers should be reviewed for signs of unauthorized technician sessions, and organizations should assume that credentials accessible from compromised systems may have been exposed. The active exploitation of CVE-2026-48558 highlights the importance of promptly patching critical vulnerabilities and continuously monitoring remote management infrastructure for suspicious behavior.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news