A critical authentication bypass vulnerability (CVE-2026-48558) in SimpleHelp remote monitoring software has been exploited for malware delivery, allowing attackers to execute commands and transfer files on managed systems. The flaw stems from the failure to verify the cryptographic signature of identity tokens during the OpenID Connect authentication process, making it possible for unauthenticated users to access authenticated sessions.
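The flaw class described above, an ID token whose signature is never checked, is easy to see side by side with the check that should have been there. The example below is added here and is not SimpleHelp's code or anything from the advisory; it assumes a constructed HS256 (shared-secret) provider rather than the RS256 keys a real OIDC provider would publish, and the issuer, client id, secret and clock value are all constructed placeholders. `vulnerable_accept` does what the text describes (decode the payload and trust it), while `hardened_accept` pins the algorithm, verifies the signature, and checks `iss`, `aud` and `exp` before anything in the token is believed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample material for the demonstration only (no real credentials).
PROVIDER_SECRET = b"constructed-shared-secret-for-demo"  # key the legitimate IdP signs with
OTHER_KEY = b"constructed-key-the-idp-never-issued"      # any key that is not the provider's
ISSUER = "https://idp.example.test"                       # placeholder issuer
CLIENT_ID = "rmm-demo-client"                             # placeholder audience
NOW = 1_700_000_000                                       # fixed clock so results are reproducible


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT; alg='none' yields an unsigned token with an empty signature."""
    header = {"alg": alg, "typ": "JWT"}
    encoded = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)]
    signing_input = ".".join(encoded)
    sig = b"" if alg == "none" else hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def vulnerable_accept(token: str):
    """The flaw: decode the payload and trust its claims without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    return json.loads(_b64url_decode(parts[1]))


def hardened_accept(token: str, key: bytes, issuer: str, audience: str, now: float = None):
    """Verify signature and OIDC claims first; return the claims only if everything checks out."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm the relying party expects: rejects "none" and header-chosen algorithms.
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")  # OIDC allows a single string or a list of audiences
    aud_ok = aud == audience or (isinstance(aud, list) and audience in aud)
    if claims.get("iss") != issuer or not aud_ok:
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def demo() -> dict:
    """Run both acceptors over a genuine token, a token signed with the wrong key, and an unsigned one."""
    base = {"iss": ISSUER, "aud": CLIENT_ID, "exp": NOW + 3600}
    genuine = make_id_token({**base, "sub": "alice"}, PROVIDER_SECRET)
    wrong_key = make_id_token({**base, "sub": "admin"}, OTHER_KEY)
    unsigned = make_id_token({**base, "sub": "admin"}, b"", alg="none")
    check = lambda tok: hardened_accept(tok, PROVIDER_SECRET, ISSUER, CLIENT_ID, NOW)
    return {
        "vulnerable_genuine": vulnerable_accept(genuine)["sub"],
        "vulnerable_wrong_key": vulnerable_accept(wrong_key)["sub"],   # trusted: the flaw
        "vulnerable_unsigned": vulnerable_accept(unsigned)["sub"],     # trusted: the flaw
        "hardened_genuine": check(genuine)["sub"],
        "hardened_wrong_key": check(wrong_key),                        # None: rejected
        "hardened_unsigned": check(unsigned),                          # None: rejected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

When auditing a relying party for this class of bug, the things to look for are exactly the branches `hardened_accept` has and `vulnerable_accept` lacks: a fixed expected algorithm, a signature comparison against the provider's key material, and issuer, audience and expiry checks performed before any claim is used to establish a session.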
This vulnerability has been linked to the deployment of two malware families: TaskWeaver, a Node.js loader for executing payloads, and Djinn Stealer, which targets secrets from developer environments. SimpleHelp has released updates to address the issue, and organizations are advised to apply these patches and audit their systems for potential compromises.