Djinn Stealer — SimpleHelp CVE-2026-48558 Exploit Targets MCP Configs and AI Dev Credentials

AI relevance: Djinn Stealer specifically harvests MCP configuration files for AI coding assistants (Claude, Gemini, Codex, Cline, OpenCode, Kilo), giving attackers downstream access to every tool and API the developer's AI agent can reach.

What Happened

  • Blackpoint Cyber identified active exploitation of CVE-2026-48558 (critical authentication bypass in SimpleHelp RMM platform) to deploy a new malware pair: TaskWeaver loader and Djinn Stealer.
  • SimpleHelp is used by MSPs, IT departments, and system administrators for remote monitoring and management. Around 1,000 exposed servers were running vulnerable configurations at disclosure.
  • The flaw allows unauthenticated attackers to create highly privileged technician accounts on servers using OpenID Connect (OIDC) authentication.
  • TaskWeaver arrives as an obfuscated JavaScript file named jquery.js (masquerading as the jQuery library), served from a temporary Cloudflare domain; it fingerprints the host and downloads additional modules from its C2.
  • Djinn Stealer then collects in a single pass: cloud credentials, Git/GitHub CLI/SSH keys, Docker/Helm/Terraform/Pulumi configs, MCP configuration for AI coding assistants, package registry auth (npm, Yarn, pnpm, Cargo, Maven, pip, NuGet), cryptocurrency wallets, and browser data.
  • On Linux, the stealer reads /proc/<pid>/cmdline and /proc/<pid>/environ for every process it can open, harvesting API keys and session tokens that were passed as command-line arguments or environment variables. Any process running as the same user (or as root) can read those two files, and environ reflects the environment the process was started with, so a secret that was moved out of a config file and into an environment variable is still exposed to this technique.
  • Stolen data is packed into a TAR archive, GZIP-compressed, and encrypted with AES-256-GCM before exfiltration, so the upload is opaque to content inspection on the wire.

Why It Matters

This is the first documented malware family that explicitly targets MCP configuration files alongside traditional developer credentials. An MCP config such as ~/.claude/mcp.json (or its equivalent for the other assistants) commonly carries, inline, the tokens each configured server needs: a GitHub PAT, a database connection string, an internal API key. Stealing it therefore hands the attacker the same downstream access the developer extended to their AI agent, and they do not need the AI service at all to use it; they can call every integrated tool, database, and API directly. Because the entry point is an RMM platform, a single vulnerable SimpleHelp server becomes a pivot onto every developer machine that platform manages, which makes this a supply-chain attack vector for organizations with managed IT.

What To Do

  • Immediate: Patch SimpleHelp servers to the latest version to address CVE-2026-48558. On OIDC-enabled instances, enumerate technician accounts, disable any you did not create, and review the sessions they opened before removing them.
  • Developer teams: Audit MCP config files for tokens stored inline (in env blocks, HTTP headers, or command arguments) and treat any developer machine reachable from a vulnerable SimpleHelp instance as potentially compromised: rotate the tokens those configs reference, along with the other credential classes the stealer collects (cloud, Git/SSH, package registries). Moving a token from the config file into an environment variable is not a fix on its own, since the stealer also reads process environments; prefer short-lived, narrowly scoped tokens where the provider offers them.
  • Security teams: Monitor AI provider and tool API usage for keys used from unfamiliar IP ranges or geographies, outside working hours, or at volumes that do not match the developer's normal pattern; each is a sign that a stolen MCP config is being replayed.
  • Hardening: Keep the SimpleHelp server off the open internet (VPN or IP allow-list), require MFA on technician accounts, and alert on every new technician-account creation.
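To make the audit step concrete, and to show what the /proc sweep described under What Happened actually yields, here is an added example (not code from the page, Blackpoint Cyber, or SimpleHelp) that reports the secrets a same-UID stealer would collect on a developer machine: inline tokens in an MCP config and tokens visible through /proc/<pid>/environ and /proc/<pid>/cmdline. The mcpServers JSON shape (command/args/env for stdio servers, url/headers for HTTP servers), the secret regexes, and the sample config and process data are all assumptions of this example; the samples are constructed and contain no real credentials.

```python
"""Added example: what a same-UID stealer would see on a developer box.

Not code from the page, Blackpoint Cyber or SimpleHelp.  It covers the two
exposure classes the advisory describes: inline secrets in MCP config files,
and secrets visible through /proc/<pid>/cmdline and /proc/<pid>/environ.
Assumptions: the mcpServers JSON shape (command/args/env for stdio servers,
url/headers for HTTP servers) and the regexes below; the sample inputs are
constructed and contain no real credentials.
"""
from __future__ import annotations
import json
import re
from pathlib import Path

# Hypothetical detection rules; extend them for the providers in your estate.
SECRET_PATTERNS = [
    ("anthropic", re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}")),
    ("openai", re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}")),
    ("github", re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}")),
    ("aws", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("bearer", re.compile(r"(?i)bearer\s+[A-Za-z0-9._~+/=-]{20,}")),
]
# Names that carry secrets even when the value has no recognisable shape.
SENSITIVE_NAME = re.compile(r"(?i)(token|secret|password|passwd|api_?key|credential)")


def classify(value: str) -> str | None:
    """Return the name of the first pattern matching value, or None."""
    for name, pat in SECRET_PATTERNS:
        if pat.search(value):
            return name
    return None


def find_mcp_secrets(config_text: str, source: str = "<config>") -> list[dict]:
    """Report inline secrets in an mcpServers document.  Env values, HTTP
    headers and command-line args are the three places tokens usually land."""
    findings = []
    for server, spec in json.loads(config_text).get("mcpServers", {}).items():
        if not isinstance(spec, dict):
            continue
        for key, val in spec.get("env", {}).items():
            kind = classify(str(val)) or ("named-secret" if SENSITIVE_NAME.search(key) else None)
            if kind:
                findings.append({"source": source, "server": server, "where": f"env.{key}", "kind": kind})
        for key, val in spec.get("headers", {}).items():
            named = key.lower() in ("authorization", "x-api-key")
            kind = classify(str(val)) or ("named-secret" if named else None)
            if kind:
                findings.append({"source": source, "server": server, "where": f"headers.{key}", "kind": kind})
        for i, arg in enumerate(spec.get("args", [])):
            kind = classify(str(arg))
            if kind:
                findings.append({"source": source, "server": server, "where": f"args[{i}]", "kind": kind})
    return findings


def find_proc_secrets(environ: bytes, cmdline: bytes, pid: int = 0) -> list[dict]:
    """Scan the NUL-separated contents of /proc/<pid>/environ and /proc/<pid>/cmdline."""
    findings = []
    for entry in filter(None, environ.split(b"\0")):
        name, _, val = entry.decode("utf-8", "replace").partition("=")
        kind = classify(val) or ("named-secret" if val and SENSITIVE_NAME.search(name) else None)
        if kind:
            findings.append({"pid": pid, "where": f"environ.{name}", "kind": kind})
    for arg in filter(None, cmdline.split(b"\0")):
        kind = classify(arg.decode("utf-8", "replace"))
        if kind:
            findings.append({"pid": pid, "where": "cmdline", "kind": kind})
    return findings


def scan_proc() -> list[dict]:
    """Sweep every process the current UID may inspect.  Unreadable entries are
    skipped; that boundary is the same one a stealer running as this user hits."""
    results = []
    for p in Path("/proc").iterdir():
        if not p.name.isdigit():
            continue
        try:
            results.extend(find_proc_secrets((p / "environ").read_bytes(),
                                             (p / "cmdline").read_bytes(), int(p.name)))
        except OSError:  # permission denied, or the process exited mid-read
            continue
    return results


# Constructed sample input (no real credentials).
SAMPLE_MCP_CONFIG = json.dumps({"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"],
               "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_" + "a" * 36}},
    "internal-api": {"url": "https://mcp.example.internal/sse",
                     "headers": {"Authorization": "Bearer " + "x" * 32}},
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/srv"]},
}})
SAMPLE_ENVIRON = b"HOME=/home/dev\0ANTHROPIC_API_KEY=sk-ant-" + b"b" * 24 + b"\0SHELL=/bin/bash\0"
SAMPLE_CMDLINE = b"python3\0deploy.py\0--aws-key\0AKIA" + b"C" * 16 + b"\0"

if __name__ == "__main__":
    sample_hits = find_mcp_secrets(SAMPLE_MCP_CONFIG, "sample")
    sample_hits += find_proc_secrets(SAMPLE_ENVIRON, SAMPLE_CMDLINE, 4242)
    for hit in sample_hits:
        print(hit)
    for hit in scan_proc():  # live sweep of this host; prints only what this user can read
        print(hit)
```

Run it as the developer user, not as root: the point is to see exactly what a stealer dropped into that user's session could read. Anything it reports from a live sweep is a credential to rotate and, where possible, to replace with a short-lived token that the MCP server fetches at start-up rather than one parked in the config or environment.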
