Lead Analysis | Security & Risk | 6 min read

SimpleHelp Flaw 10.0 Opens Door for Stealer that Extracts Tokens from Claude, Gemini, and Codex

Image: a lit workstation in an empty SOC at night, with a red alert tag stuck to the monitor citing CVE-2026-48558 and an mcp.json file open in a code editor.

CVE-2026-48558 allows for forged technician sessions and MFA bypass; the final payload, Djinn Stealer, targets MCP files with credentials from the code assistants Claude, Gemini, Codex, Cline, and Kilo.

A critical authentication bypass vulnerability in the remote access software SimpleHelp has been actively exploited since last week and has served as an entry point for two new artifacts: a Node.js-based loader named TaskWeaver and a cross-platform infostealer called Djinn Stealer. The investigation was published on Monday, June 30, by the Adversary Pursuit Group (APG), Blackpoint Cyber's response unit, and replicated by The Hacker News, Help Net Security, and other outlets throughout the day.


The vulnerability has been assigned ID CVE-2026-48558, with a CVSS score of 10.0. It lies in SimpleHelp's OpenID Connect (OIDC) flow: the server fails to verify the cryptographic signature of the identity token and therefore accepts a forged token carrying arbitrary claims. An unauthenticated attacker can open a fully valid "Technician" session. If the technician has not yet set up a second factor, the attacker can enroll one themselves, which negates the MFA protection many teams believed they had. SimpleHelp patched the vulnerability at the end of May in versions 5.5.16 and 6.0 RC2; all earlier versions remain exposed.
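To make the bug class concrete, here is an added example (not SimpleHelp's code) of the flawed validation pattern beside a hardened one: the first decodes the ID token payload and trusts its claims, the second checks the signature, issuer, audience and expiry before any claim reaches session logic. It assumes HS256 with a shared key so it runs with the standard library alone; real OIDC providers usually sign with RS256 and the verifier fetches the public key from the provider's JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))  # restore stripped padding


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def claims_without_verification(token: str) -> dict:
    """The flawed pattern: decode the payload and trust its claims.
    The payload is plain text anyone can write, so any claim set is accepted."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Hardened pattern: signature first, then issuer, audience and expiry;
    only then do the claims reach session logic. HS256 is assumed here to stay
    self-contained; real OIDC providers usually sign with RS256 and the public
    key comes from the provider's JWKS endpoint."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, decides the algorithm
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def mint_token(claims: dict, key: bytes) -> str:
    """Builds an HS256 token the way a provider would; used only to create sample input."""
    header_b64 = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"
```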


How the Intrusion Chain was Assembled


According to Blackpoint's report, the operator exploited SimpleHelp at the victim's network edge, obtained a privileged session, and used the product's own file transfer and remote execution features to push the payload out en masse. The delivered file masquerades as jquery.js, hosted on an ephemeral Cloudflare endpoint. It is not jQuery. It is TaskWeaver, a modular Node.js loader that first fingerprints the system, establishes an encrypted channel with the command server, and then requests additional JavaScript payloads, which it runs with elevated privileges.


The loader appears deliberately built to slip past static analysis by corporate EDRs that place too much trust in the Cloudflare domain and wave through files presented as "web libraries." The second stage is Djinn Stealer, which runs on Windows, macOS, and Linux.


The Asset the Attacker Wants is the AI Agent Token


It is at this point that the incident deviates from the routine. Djinn Stealer scans configuration files and authentication sessions for traditional providers (AWS, Azure, Google Cloud, Oracle Cloud, Okta, Cloudflare) and also for AI coding assistants: Claude, Gemini, Codex, Cline, OpenCode, and Kilo. The specific target is the files that store the Model Context Protocol (MCP) configuration, such as ~/.claude/mcp.json.


These files hold the tokens the developer hands to their agent for access to repositories, databases, cloud accounts, and internal APIs. In Blackpoint's words, "stealing them grants the attacker the same downstream access that the developer extended to their AI agent, going well beyond the AI service itself." In plain terms for the SOC operator: the same keys that let the agent open a pull request let the intruder open one too.


Before exfiltration, Djinn packages everything as a TAR archive, compresses it with GZIP, and encrypts it with AES-256-GCM, with the AES key wrapped by an RSA-2048 key built into TaskWeaver itself. Without access to the binary, the defender cannot decrypt what has leaked.


The CISA Clock and the Impact on Global Teams


CISA has included CVE-2026-48558 in the Known Exploited Vulnerabilities Catalog and mandated federal civilian executive branch (FCEB) agencies to apply the patch by July 2. This deadline serves as a signal to the private market: insurers and risk teams often use the KEV as a trigger to demand remediation in contractual commitments. Managed service providers (MSPs) running SimpleHelp to serve clients in different regions bear special risk. A single exposed MSP server in Dublin, Manila, or Bangalore could become a lateral route to dozens of client accounts, including the Brazil operations of American and European multinationals that outsource L2 support.


For security teams that have already put coding assistants with MCP into production, the alert is twofold. First, treat MCP tokens as infrastructure credentials, with frequent rotation and dedicated vaulting, rather than as application configuration files. Second, review which scopes have been granted to the agent. A Claude configured with MCP for GitHub, S3, and Postgres effectively holds three high-privilege credentials in the same JSON, a prize too tempting for an operator who already knows where to look. The window in which the security market debated "how the agent acts" has just narrowed; the debate now is how to keep the agent from being exploited before it acts.
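As an added example (not Blackpoint's tooling or any vendor's), the audit below walks an MCP configuration of the kind described above and reports every server entry whose credential is stored inline instead of as a vault or environment reference, so the token can be moved and rotated. It assumes the common "mcpServers" layout with "env", "headers" and "args" per server; the sample file, server names and token values are constructed.

```python
import json
import math
import re

# Well-known credential prefixes; other env/header values are judged by length and entropy.
KNOWN_PREFIXES = ("ghp_", "github_pat_", "AKIA", "sk-", "xoxb-", "glpat-")
ENV_REF = re.compile(r"^\$\{[A-Za-z0-9_]+\}$")           # "${GITHUB_TOKEN}": resolved at launch, not stored
URL_WITH_PASSWORD = re.compile(r"://[^/:@\s]+:[^@\s]+@")  # user:password@host inside a connection string

# Constructed sample in the common mcpServers layout; server names, packages and values are made up.
SAMPLE_MCP_JSON = """{
  "mcpServers": {
    "github": {"command": "npx", "args": ["-y", "example-mcp-github"],
               "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLE0000"}},
    "postgres": {"command": "npx", "args": ["-y", "example-mcp-postgres",
                 "postgresql://app:S3cretPassw0rdValue!@db.internal:5432/app"]},
    "s3": {"command": "uvx", "args": ["example-mcp-s3"], "env": {"AWS_ACCESS_KEY_ID": "${AWS_ACCESS_KEY_ID}"}}
  }
}"""


def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_like_secret(value: str) -> bool:
    """True for env/header values that are stored credentials rather than references."""
    if ENV_REF.match(value):
        return False
    if value.lower().startswith("bearer "):  # remote MCP servers usually carry an Authorization header
        value = value[7:]
    if value.startswith(KNOWN_PREFIXES):
        return True
    return len(value) >= 20 and " " not in value and shannon_entropy(value) > 3.5


def audit_mcp_config(text: str) -> list:
    """One finding per plaintext credential: where it sits and which MCP server it unlocks."""
    findings = []
    for name, server in json.loads(text).get("mcpServers", {}).items():
        for section in ("env", "headers"):
            for key, value in (server.get(section) or {}).items():
                if isinstance(value, str) and looks_like_secret(value):
                    findings.append({"server": name, "where": f"{section}.{key}"})
        for i, arg in enumerate(server.get("args") or []):  # passwords embedded in connection URLs
            if isinstance(arg, str) and URL_WITH_PASSWORD.search(arg):
                findings.append({"server": name, "where": f"args[{i}]"})
    return findings
```

Running audit_mcp_config(SAMPLE_MCP_JSON) flags the GitHub token and the Postgres password; the S3 entry passes because it references an environment variable instead of storing the key.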
