{
  "name": "A Djinn in the Machine: TaskWeaver's Node.js Intrusion Chain",
  "slug": "a-djinn-in-the-machine-taskweavers-nodejs-intrusion-chain",
  "description": "Investigators examined an intrusion that began with exploitation of CVE-2026-48558, a critical authentication bypass vulnerability in SimpleHelp RMM software. The threat actor obtained unauthorized technician access and deployed two previously undocumented malware samples: TaskWeaver and Djinn Stealer. TaskWeaver is a heavily obfuscated Node.js loader that establishes encrypted communications and delivers additional payloads. Djinn Stealer targets credentials across Windows, macOS, and Linux systems, collecting authentication data for cloud platforms, source control, package registries, AI development assistants, browsers, SSH keys, and cryptocurrency wallets. The attacker leveraged legitimate RMM capabilities to transfer files and execute commands across managed systems. Stolen AI assistant tokens provided extensive access to repositories, databases, and cloud accounts. The intrusion demonstrated how a single authentication bypass in trusted management infrastructure can enable widespread credential theft and p...",
  "published": "2026-06-30T02:01:09.005000+00:00",
  "created_at": "2026-06-30T13:57:56.839000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-06-30T13:57:56.839000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "ai development tools",
    "credential theft",
    "cve-2026-48558",
    "djinn stealer",
    "node.js",
    "rmm exploitation",
    "simplehelp",
    "supply chain risk",
    "taskweaver"
  ],
  "tags": [],
  "related_entities": {
    "vulnerabilities": [
      {
        "id": "3776df6c-2174-4461-994d-657241307356",
        "name": "CVE-2026-48558"
      }
    ],
    "indicators": [
      {
        "id": "f353347e-d015-4a34-954a-84f4acd4d425",
        "name": "f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc"
      },
      {
        "id": "6d329495-e851-404a-b312-bfdb996d3073",
        "name": "a.dev-tunnels.com"
      },
      {
        "id": "a6999b5e-65c5-4e74-9958-c75aa73586ba",
        "name": "96.126.130.126"
      },
      {
        "id": "50bdf0c8-d6a5-4ec6-b0bf-9179e68d1911",
        "name": "00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c"
      }
    ],
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "e7d42089-23ed-495f-a2bc-c942c4e56fb7",
        "name": "T1573.002"
      },
      {
        "id": "97cda0df-73f8-46ac-9b12-ba9b7f4032ab",
        "name": "T1552.007"
      },
      {
        "id": "9f21708c-24b6-46b5-bf7e-522256e8470c",
        "name": "T1552.004"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "1584b551-72fb-4f60-ba7a-bdac106e6f9b",
        "name": "T1560.001"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "malware": [
      {
        "id": "72ba75fa-3e46-43e3-a999-49c8ca30fd0c",
        "name": "TaskWeaver"
      },
      {
        "id": "9092a9d1-0573-4595-a55c-cc0b5d63d32b",
        "name": "Djinn Stealer"
      }
    ],
    "observables": [
      {
        "id": "4c7a04cd-e36d-4d84-91c7-b5e135d9aec6",
        "name": "a.dev-tunnels.com"
      },
      {
        "id": "85eb8e37-4584-47fe-aa6f-26e61e3778f7",
        "name": "96.126.130.126"
      }
    ]
  },
  "external_refs": [
    {
      "id": "12882914-5e0f-46a8-afd9-c953543a030f",
      "standard_id": "external-reference--42a4fe3c-b836-5f49-8890-653ddc59f65a",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a432365e2207bde8681b975",
      "hash": null,
      "external_id": "6a432365e2207bde8681b975",
      "created": "2026-06-30T13:57:54.369Z",
      "modified": "2026-06-30T13:57:54.369Z",
      "createdById": null
    },
    {
      "id": "2d951497-94ad-4c81-a66f-1f22ca758bcf",
      "standard_id": "external-reference--54b9f5bb-388b-5799-978a-a33279cf8865",
      "entity_type": "External-Reference",
      "source_name": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "description": null,
      "url": "https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/",
      "hash": null,
      "external_id": null,
      "created": "2026-06-29T20:59:15.794Z",
      "modified": "2026-06-30T13:57:54.402Z",
      "createdById": null
    }
  ]
}