Particle.news

Attackers Exploit SimpleHelp OIDC Flaw to Deploy TaskWeaver and Djinn Stealer

The flaw lets attackers forge identity tokens to create authenticated technician sessions, giving them a trusted admin channel for stealing developer, cloud and AI-tooling credentials.

Overview

  • Attackers used the OIDC authentication bypass to create fully authenticated 'Technician' sessions and, according to BlackPoint Cyber, used that access to deliver a Node.js loader called TaskWeaver and a new infostealer named Djinn.
  • The root defect is SimpleHelp’s failure to verify the cryptographic signature on OpenID Connect identity tokens, which allows an unauthenticated actor to submit a forged token and bypass initial MFA registration.
  • TaskWeaver was delivered as an obfuscated file named jquery.js that fingerprints hosts and pulls encrypted payloads, and Djinn Stealer harvests a wide range of secrets including cloud credentials, SSH keys, package-registry tokens and AI-assistant tokens before encrypting and exfiltrating them.
  • SimpleHelp issued fixes in late May (versions 5.5.16 and 6.0 RC2), and following BlackPoint’s Monday report, CISA added CVE-2026-48558 to its Known Exploited Vulnerabilities list and directed rapid patching and forensic triage for federal agencies.
  • Organizations are urged to remove internet-facing SimpleHelp instances or update them, invalidate unknown technician sessions, rotate keys and tokens, and hunt for the published indicators of compromise because stolen credentials can preserve access long after the original host is contained.
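The root defect above (trusting claims in an OpenID Connect ID token without checking its signature) is easiest to see side by side with a correct relying-party check. The following is an added example written for this page, not SimpleHelp's code and not taken from BlackPoint's report. It assumes, purely for the demo, an IdP that signs ID tokens with HS256 keyed on the client secret (an option OIDC Core permits); the issuer URL, client ID and secret are invented. Production deployments normally verify RS256/ES256 signatures against the IdP's JWKS, but the order of checks, signature first and only then issuer, audience and expiry, is the same.

```python
"""Added example (not SimpleHelp's code): an OIDC relying party must verify the
ID token signature before trusting any claim in it.

Constructed assumptions: HS256 tokens keyed with the client secret (OIDC Core
10.1 allows this); ISSUER, CLIENT_ID and CLIENT_SECRET are invented values.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://idp.example.test"          # constructed
CLIENT_ID = "simplehelp-rp"                   # constructed
CLIENT_SECRET = b"idp-issued-client-secret"   # constructed, shared IdP <-> RP
ALLOWED_ALGS = {"HS256"}                      # pinned; never taken from the token header


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a compact JWS. With alg="none" the signature segment is empty,
    which is the shape a forger submits to a parser that never verifies."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_without_verification(token: str) -> dict:
    """VULNERABLE pattern: base64-decode the payload and trust it.
    Anyone can produce a token this function "accepts"; no secret is needed."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_id_token(token: str, key: bytes, issuer: str, audience: str,
                    now: Optional[float] = None) -> dict:
    """Hardened pattern: algorithm pin, signature, then iss/aud/exp; raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in ALLOWED_ALGS:          # rejects "none" and algorithm confusion
        raise ValueError(f"algorithm {alg!r} not allowed")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))   # only now are claims trusted
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def accepts(token: str, key: bytes = CLIENT_SECRET, issuer: str = ISSUER,
            audience: str = CLIENT_ID, now: Optional[float] = None) -> bool:
    """True if the hardened verifier would open a session for this token."""
    try:
        verify_id_token(token, key, issuer, audience, now)
        return True
    except ValueError:
        return False


NOW = 1_700_000_000  # fixed clock so the run is reproducible

# Token the real IdP would issue for technician "tech-alice" (constructed).
LEGIT = make_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "tech-alice",
                       "exp": NOW + 300}, CLIENT_SECRET)
# Forgeries an unauthenticated attacker can build without the client secret.
FORGED_BADKEY = make_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "admin",
                               "exp": NOW + 300}, b"attacker-picked-key")
FORGED_NONE = make_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "admin",
                             "exp": NOW + 300}, b"", alg="none")

if __name__ == "__main__":
    for name, tok in [("legit", LEGIT), ("bad-key", FORGED_BADKEY), ("alg=none", FORGED_NONE)]:
        print(f"{name:9} unverified sub={decode_without_verification(tok)['sub']:11}"
              f"verified accept={accepts(tok, now=NOW)}")
```

The unverified decoder hands back `sub=admin` for both forgeries, which is all a session-creation path needs to go wrong; the verifier rejects them on the pinned-algorithm and signature checks before any claim is read. Pinning the algorithm from configuration rather than from the token header is what keeps an `alg=none` or HMAC-vs-RSA confusion forgery out even when the signature code itself is correct.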