Vulnerabilities in remote monitoring and management (RMM) tools can give attackers a direct path into enterprise environments, often with the same trusted access that IT administrators rely on to remotely manage systems. A recent intrusion campaign shows how quickly attackers can leverage that access to deploy malware and establish a broad foothold across enterprise networks.
The attack began with the threat actor exploiting CVE-2026-48558, a critical authentication bypass vulnerability in SimpleHelp, an RMM platform used by more than 6,000 organizations to manage millions of endpoint devices, eventually delivering a second-stage payload dubbed Djinn Stealer.
Researchers at Blackpoint Cyber’s Adversary Pursuit Group (APG) who investigated the incident observed the attacker exploiting the flaw on an Internet-facing SimpleHelp server and obtaining an authenticated technician session, giving them the same remote management capabilities as a legitimate IT administrator.
Once inside, the attackers mass deployed an obfuscated JavaScript loader that Blackpoint is tracking as TaskWeaver. The attackers disguised TaskWeaver as a benign file named jsquery.js and hosted it on temporary Cloudflare infrastructure. Blackpoint found the threat actor using the malware to fingerprint compromised systems, establish communications with a command-and-control (C2) server, and retrieve Djinn Stealer.
The malware, as Blackpoint noted in its blog, “is built to strip a developer’s machine of everything valuable in a single pass.” This includes cloud credentials, SSH keys, API keys, service account credentials, and other infrastructure secrets. Blackpoint observed the malware targeting credentials for package registries and build-tool ecosystems including npm, Yarn, NuGet, Composer, Maven, and PyPI. An attacker with such credentials could access private packages, publish malicious software, alter dependencies, and execute other supply chain attacks, the security vendor noted.
According to Blackpoint, Djinn Stealer is designed to collect and package stolen data on the endpoint, then encrypt it using AES-256-GCM before exfiltration, with the encryption key itself protected by RSA-2048.
Most notably, Blackpoint found Djinn Stealer equipped to search for credentials associated with AI development tools and agents, including local configuration files for services such as Claude, Gemini, Codex, Cline, OpenCode, and Kilo.
“Many of these tools rely on the Model Context Protocol (MCP) to connect an AI assistant to external tools and data on the developer’s behalf, including source repositories, databases, cloud accounts, and internal APIs,” according to Blackpoint’s report. Such credentials could allow an attacker to access and manipulate data and cloud infrastructure with the same privileges as the developer or the AI agent itself.
“As AI becomes embedded across development, administration, and business workflows, credentials associated with these platforms are becoming increasingly valuable to threat actors,” notes Nevan Beal, principal MDR analyst at Blackpoint.
Djinn Stealer, he says, stands out not simply for how it targets AI related data. It is notable also because its collection rules cover a broad and comparatively uncommon range of AI development tools alongside CI/CD credentials, package registry authentication, cloud configurations, source-control access, and traditional browser and wallet data. “This breadth suggests a deliberate focus on the identities and integrations that connect modern developers and administrators to the wider enterprise.”
An Increasing Focus on Development & Admin Systems
For security teams, the intrusion campaign is a reminder of how attackers are increasingly focusing on trusted administrative and development infrastructure to amplify the impact of a single compromise. Another recent example is a breach at Danish pharmaceutical giant Novo Nordisk, where a threat actor used an initial foothold via a single GitHub access token to escalate privileges and steal 1.3TB of sensitive data.
The broader lesson for security teams is that modern intrusions increasingly target environments that provide downstream access, Beal points out.
“The compromise of a trusted RMM platform, combined with Djinn Stealer’s focus on portable credentials, reflects an operational strategy built around amplification,” he says. By targeting administrative infrastructure, cloud access, development tooling, and software delivery systems, threat actors can turn one successful intrusion into access across customer tenants, production environments, and interconnected services, he notes.
Sam Decker, threat intelligence engineer at Blackpoint, says the company has not been able to attribute the intrusion to any specific threat actor at the moment. However, the architecture of TaskWeaver and Djinn Stealer reflect “a capable, deliberate operation focused on discovering and collecting high value secrets,” he says. The threat actor leaned on typosquatted Microsoft infrastructure to blend in, with the initial command-and-control server (C2) masquerading as legitimate Microsoft Dev Tunnels and the exfiltration user agent crafted to look like normal Microsoft telemetry collection, Decker adds.
“Based on what we saw, this appeared to be opportunistic scanning for Internet-exposed, vulnerable SimpleHelp instances rather than going after specific targets,” he says. “We didn’t see any of our other customers impacted, but it’s very possible that other exposed instances were hit by the same actor.”
Don’t miss the latest Dark Reading Confidential podcast, Do CISOs Need a Code of Ethics? Kickbacks, no-show jobs, “dirty” VCs, and shelf ware — industry expert Robert “RSnake” Hansen explains why he thinks it’s time for a CISO code of ethics. It could ensure cybersecurity bosses aren’t engaged in self-dealing that could risk enterprise, and even national, security. Listen now!
