Cyber Threat Brief — June 30 2026
⚠️ This report is AI-generated. Always validate findings.
1. SimpleHelp OIDC Auth Bypass → Djinn Stealer — CVE-2026-48558
TL;DR: CISA KEV addition June 29. CVSS 10 auth bypass in SimpleHelp RMM OIDC flow lets unauthenticated attackers forge technician sessions — actively exploited to deploy TaskWeaver loader and Djinn Stealer targeting developer credentials, AI coding assistant configs, and cloud keys.
What’s New:
- OIDC callback handler fails to verify IdP token cryptographic signatures — forged identity token → full technician session, bypasses MFA (attacker self-registers MFA on first login)
- Blackpoint APG observed intrusion: TaskWeaver (obfuscated JS `jquery.js` from temp Cloudflare domain) fingerprints host → downloads Djinn Stealer modules
- Djinn Stealer harvests: MCP configs for AI assistants (Claude, Gemini, Codex, Cline), cloud creds (AWS/GCP/Azure), Git/SSH/Docker/Terraform/Vault secrets, npm/pip/Cargo registry tokens, crypto wallets, browser data, Linux `/proc/*/environ` for running-process secrets
- ~14,000 SimpleHelp servers internet-exposed; ~7.2% running vulnerable OIDC config (Horizon3.ai)
- Federal remediation deadline: July 7 (BOD 26-04)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| `jquery.js` (obfuscated TaskWeaver loader) | Filename | T1059.007 | EDR / file creation logs | Hunt for `jquery.js` downloaded to non-web-root paths |
| Temp Cloudflare domain (TaskWeaver C2) | Infrastructure | T1102 | Proxy / DNS | Block *.trycloudflare.com egress from managed endpoints |
| Djinn Stealer TAR→GZIP→AES-256-GCM exfil | Behavior | T1560.001, T1041 | EDR / network | Alert on tar+gzip+large outbound from RMM-managed hosts |
| `~/.claude/mcp.json`, `~/.config/github-copilot/` | File access | T1552.001 | EDR / auditd | Monitor reads of AI assistant config files by non-IDE processes |
| `/proc/<pid>/cmdline`, `/proc/<pid>/environ` | File access | T1057, T1552.001 | auditd | Alert on bulk `/proc/*/environ` reads |
| Rogue technician accounts in SimpleHelp | Account | T1136.001 | SimpleHelp server.log | Review Administration → Technicians → Show Group Authenticated Users for unknown entries |
| SimpleHelp log: `Registering technician login for...` | Log entry | T1078.001 | SimpleHelp server.log | Hunt for unfamiliar technician names/emails in logs |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No SimpleHelp OIDC bypass or Djinn Stealer detection; need RMM-spawned-process + AI config file access rules |
| Elastic | None | No coverage for OIDC token forgery or Djinn Stealer exfil pattern |
| Sigma | None | No coverage; need rules for bulk /proc/*/environ reads and MCP config access |
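The bulk `/proc/*/environ` read hunt that the table above lists as a gap, as an added example that is not part of this brief or any vendor's ruleset: it joins auditd SYSCALL and PATH records on their audit serial and flags any process that opens many distinct environ files within a short window. The audit rule key `proc_environ`, the thresholds and the sample records are assumptions; the records are constructed, not captured.

```python
import re
from collections import defaultdict
# Constructed auditd-style records (not a real capture). auditd writes one SYSCALL
# record plus PATH records per event; they share the audit(ts:serial) field, which
# is the join key. An audit rule keyed "proc_environ" that logs openat() (syscall
# 257 on x86_64) is assumed, not shown.
def _event(ts, serial, pid, comm, path):
    return (f'type=SYSCALL msg=audit({ts:.3f}:{serial}): arch=c000003e syscall=257 '
            f'success=yes exit=3 pid={pid} comm="{comm}" key="proc_environ"\n'
            f'type=PATH msg=audit({ts:.3f}:{serial}): item=0 name="{path}" nametype=NORMAL\n')

SAMPLE_AUDIT_LOG = "".join(
    # pid 4321 ("node", stand-in for a loader under the RMM agent) sweeps eight
    # processes' environ files in under two seconds: the stealer pattern
    [_event(1782806400.0 + i * 0.2, 500 + i, 4321, "node", f"/proc/{1200 + i}/environ")
     for i in range(8)]
    # pid 999 ("ps") reads two cmdline files: routine admin activity, must not alert
    + [_event(1782806410.0, 600, 999, "ps", "/proc/1/cmdline"),
       _event(1782806410.1, 601, 999, "ps", "/proc/2/cmdline")])
AUDIT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PID_COMM = re.compile(r'\bpid=(\d+).*?\bcomm="([^"]*)"')
ENVIRON = re.compile(r'name="/proc/(\d+)/environ"')

def detect_bulk_environ_reads(log_text, threshold=5, window_s=10.0):
    """[(reader pid, comm, n)] for readers opening >= threshold distinct
    /proc/<pid>/environ files within any window_s-second span."""
    syscalls, environ_opens = {}, {}  # both keyed by audit serial
    for line in log_text.splitlines():
        m = AUDIT_ID.search(line)
        if not m:
            continue
        ts, serial = float(m.group(1)), m.group(2)
        if line.startswith("type=SYSCALL") and (pc := PID_COMM.search(line)):
            syscalls[serial] = (ts, int(pc.group(1)), pc.group(2))
        elif line.startswith("type=PATH") and (e := ENVIRON.search(line)):
            environ_opens[serial] = int(e.group(1))  # target pid
    reads = defaultdict(list)  # (reader pid, comm) -> [(ts, target pid)]
    for serial, target in environ_opens.items():
        if serial in syscalls:
            ts, pid, comm = syscalls[serial]
            reads[(pid, comm)].append((ts, target))
    hits = []
    for (pid, comm), ev in sorted(reads.items()):
        ev.sort()
        for i, (t0, _) in enumerate(ev):  # window starting at each open
            targets = {tgt for t, tgt in ev[i:] if t - t0 <= window_s}
            if len(targets) >= threshold:
                hits.append((pid, comm, len(targets)))
                break
    return hits
```

Tune `threshold` and `window_s` against a baseline of legitimate environ readers (monitoring agents, `ps`-style tooling) before alerting on it.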
Sources: Horizon3.ai IOC Blog · BleepingComputer · Blackpoint Cyber · CISA KEV
Status Updates
- CVE-2026-50656 (RoguePlanet / Windows Defender LPE): Splunk ESCU Analytics Story: RoguePlanet now published — detects ADS `:WDFOO` creation, MsMpEng.exe suspicious child processes, and `RP_*` temp directory activity via Sysmon EID 15. Still UNPATCHED zero-day. Original brief.
- CVE-2026-43503 (DirtyClone / Linux Kernel LPE): No new artifacts since June 27. Kernel fix available in v7.1-rc7. No ITW exploitation confirmed. Original brief.