Hackers exploit SimpleHelp flaw to deploy new cross-platform malware

Hackers are exploiting a recently disclosed security flaw in the SimpleHelp remote management platform to install a new information-stealing malware called Djinn Stealer.

The vulnerability, tracked as CVE-2026-48558, affects SimpleHelp servers using OpenID Connect (OIDC) authentication. Around 1,000 internet-facing servers were found to be vulnerable when the issue was first disclosed.

Security company Blackpoint said attackers used the flaw to gain technician-level access to a SimpleHelp server before installing the TaskWeaver malware loader and Djinn Stealer.

TaskWeaver collects information about the infected device and downloads additional malware. It then installs Djinn Stealer, which targets Windows, macOS, and Linux systems.

Djinn Stealer is designed to steal sensitive data from developers, including cloud credentials, GitHub access, SSH keys, Docker credentials, cryptocurrency wallets, browser data, and AI development tool credentials. On Linux systems, it also searches running processes for secrets such as API keys and session tokens.

Also worth mentioning is that threat actors have started exploiting a high-risk unauthorized HTTP takeover vulnerability (CVE-2026-46817) in the Oracle E-Business Suite (EBS) financial application. According to Defused researchers who observed attacks targeting the flaw, “this vulnerability has no known previous exploitation and no public POC code exists.”