Dark Reading ·EN Restricted
'Djinn' Stealer Targets Cloud, AI Credentials
CVE Tools coverage
A campaign targeting the remote management product SimpleHelp has been observed using the critical authentication bypass vulnerability CVE-2026-48558 as an entry point. After exploiting an Internet-facing SimpleHelp instance, attackers gained technician-level access, deployed a JavaScript loader (TaskWeaver), and delivered Djinn Stealer to collect and encrypt high-value secrets. The malware can harvest cloud and developer credentials—including keys and configuration data tied to AI tooling/agents—highlighting why RMM compromise can quickly escalate into broader access and downstream supply-chain risk.