logo

Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer

ID: 25b98c42-8da6-57e6-9cf7-62b8b886a4f8

STIX ID: report--25b98c42-8da6-57e6-9cf7-62b8b886a4f8

Feed Name: The Hacker News

Threat Score
90/100

Date Published: 2026-06-30

Date Updated: 2026-07-01

Author: [email protected] (The Hacker News)

...
...

**Overview:** An unknown actor is actively exploiting CVE-2026-48558 (CVSS 10.0) in SimpleHelp to create authenticated "Technician" sessions and deploy TaskWeaver, a modular Node.js loader, which then delivers Djinn Stealer—an information stealer targeting Windows, macOS, and Linux that harvests credentials and configuration from cloud platforms, development tools, AI assistants, browsers, SSH keys, package registries, and cryptocurrency wallets, packages the data into an AES-256-GCM/RSA-2048-protected archive, and exfiltrates it to attacker-controlled infrastructure; due to active exploitation, CISA added the vulnerability to the KEV catalog.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.