A Djinn in the Machine: TaskWeaver's Node.js Intrusion Chain

· Published 30/06/2026 04:01

Essential information

Published
30/06/2026 04:01
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
ai development tools credential theft cve-2026-48558 djinn stealer node.js rmm exploitation simplehelp supply chain risk taskweaver
Related entities
1 vulnerabilities (cve), 4 indicators, 2 observables, 19 techniques (mitre), 2 malware

Description

An intrusion was investigated that began with exploitation of , a critical authentication bypass vulnerability in RMM software. The threat actor obtained unauthorized technician access and deployed two previously undocumented malware samples: TaskWeaver and Djinn Stealer. TaskWeaver is a heavily obfuscated loader that establishes encrypted communications and delivers additional payloads. Djinn Stealer targets credentials across Windows, macOS, and Linux systems, collecting authentication data for cloud platforms, source control, package registries, AI development assistants, browsers, SSH keys, and cryptocurrency wallets. The attacker leveraged legitimate RMM capabilities to transfer files and execute commands across managed systems. Stolen AI assistant tokens provided extensive access to repositories, databases, and cloud accounts. The intrusion demonstrated how a single authentication bypass in trusted management infrastructure can enable widespread and p...

External references