A New Stealer Built for the AI Development Era
Information stealers are not new, but their target list tells you where the value has moved. Djinn Stealer, a previously undocumented cross-platform malware family disclosed in late June, is a case study in how attackers now think about developers. It runs on Windows, macOS, and Linux, and rather than chasing consumer passwords it goes after the credentials that let engineers touch cloud accounts, source repositories, and increasingly the AI tooling wired into their daily workflow.
What makes Djinn worth a close read is its deliberate focus. The malware harvests cloud provider credentials, Git configuration, GitHub CLI tokens, SSH keys, Docker credentials, and the authentication data for package registries including npm, Yarn, Cargo, Maven, Gradle, and pip. That is a shopping list assembled by someone who understands that a single developer laptop is a master key to an entire software supply chain, and that the fastest path into a company now runs through the people who build its systems.
The SimpleHelp Door: CVE-2026-48558
The entry point is CVE-2026-48558, a critical authentication bypass carrying a CVSS score of 10.0 in SimpleHelp, the remote monitoring and management platform. The flaw sits in the OpenID Connect authentication flow. When OIDC is enabled, the software fails to verify the cryptographic signature of identity tokens, which lets an unauthenticated remote attacker forge a token and obtain a fully authenticated technician session. It affects SimpleHelp versions 5.5.15 and older, as well as 6.0 pre-release builds.
That a remote management tool is the way in is not incidental. Roughly 1,000 vulnerable servers were exposed online at disclosure time, and each one is a trusted administrative channel into every endpoint it manages. CISA added the bug to its Known Exploited Vulnerabilities catalog and set a July 2 remediation deadline for federal agencies. A compromised RMM server does not just leak data, it lets an attacker push files and run commands across a managed fleet with the software's own blessing.
TaskWeaver and the Quiet Loader
Djinn Stealer does not arrive alone. The same intrusions delivered TaskWeaver, a JavaScript based malware loader that hides inside obfuscated files masquerading as jquery.js, one of the most unremarkable filenames on the modern web. The loader establishes the foothold and stages the stealer, and its choice of disguise is a reminder that defenders cannot rely on suspicious names to flag malicious code anymore.
Once resident, Djinn is careful about what it exfiltrates and how. The collected credentials are packed into a TAR archive, compressed with GZIP, and then encrypted with AES-256-GCM under an RSA-2048 public key before leaving the host. That level of operational hygiene signals a professional operator who expects to be studied and wants to keep the loot unreadable even if the traffic is captured. This is not opportunistic smash and grab, it is a tooled up campaign designed to persist and to resist analysis.
Why MCP Tokens Are the New Crown Jewels
The detail that should reset how security teams think about AI adoption is Djinn's interest in AI assistant configurations. The stealer specifically targets the credentials and settings for Claude, Gemini, Codex, and Cline, including the tokens tied to the Model Context Protocol. MCP is the connective tissue that lets an AI assistant reach out to external tools and data on a developer's behalf, and those tokens are what make that reach possible.
Blackpoint Cyber, the managed detection provider that documented the activity, framed the stakes precisely. As their researchers explained, many of these tools rely on the Model Context Protocol to connect an AI assistant to external tools and data on the developer's behalf, including source repositories, databases, cloud accounts, and internal APIs. Stealing them, they warned, can grant an attacker the same downstream access the developer extended to their AI agent, reaching well beyond the AI service itself. In other words, an MCP token is not a login to a chatbot, it is a delegated key to everything the assistant was allowed to touch.
The Blast Radius Beyond One Laptop
It is tempting to file infostealer incidents under nuisance rather than crisis, but the architecture of modern development turns that instinct into a liability. A developer's machine today is a hub that holds standing access to production cloud environments, private repositories, internal APIs, and now autonomous agents that act on the developer's authority. Compromise one workstation and an attacker inherits that entire web of trust at once.
The RMM angle amplifies the problem. Blackpoint's team noted that the compromised platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server. That means the initial SimpleHelp breach can seed Djinn across an entire managed estate, and every laptop it lands on becomes another launch point. For managed service providers, whose whole business is administering other companies' machines, a single unpatched server can cascade into a multi client incident.
Rotating Trust, Not Just Patching
The first move is mechanical: update SimpleHelp to the latest version immediately and invalidate any technician sessions that are not recognized. But patching the door does nothing about the keys that may already be gone. Any environment that was exposed should assume credentials were harvested and rotate them accordingly, from cloud provider keys and SSH credentials to registry tokens and, critically, the MCP and AI assistant tokens that older incident response playbooks never contemplated.
This campaign is a preview of a broader shift that CISOs need to internalize. As AI agents gain delegated access to real systems, the tokens that grant that access become high value targets in their own right, and they belong in the same tier of protection as cloud root credentials. We would push for short lived tokens, scoped permissions, and monitoring on MCP connected tooling now, before the next stealer arrives already tuned for it. Djinn is notable not because it is exotic, but because it shows attackers have already updated their target list for the agentic era.



