
Djinn Stealer Harvests AI Assistant Credentials. The Developer Toolchain Is Now the Target.

A new cross-platform infostealer deployed through a SimpleHelp authentication bypass explicitly targets AI development assistant tokens, cloud platform credentials, and package registry keys. The attack surface is not the code — it is the developer.


The Entry Point

CVE-2026-48558 is an authentication bypass in SimpleHelp, a remote monitoring and management tool used by IT teams and managed service providers. The vulnerability allows an attacker to bypass authentication entirely, gaining access to managed endpoints without credentials. It is being actively exploited in the wild. The payload: Djinn Stealer.

CVE-2026-48558: SimpleHelp authentication bypass. Actively exploited. Source: BlackPoint Cyber / Help Net Security (July 2026)

What Djinn Stealer Collects

Djinn Stealer is a cross-platform infostealer targeting Windows, macOS, and Linux. Its collection profile reads like a developer's entire operational surface: cloud platform credentials (AWS, GCP, Azure), source control access tokens (GitHub, GitLab), package registry credentials (npm, PyPI), infrastructure tooling configs (Kubernetes, Terraform), browser session data, SSH keys, and cryptocurrency wallet information.

But the line item that distinguishes Djinn from the previous generation of infostealers is explicit: AI development assistant access. Djinn targets the authentication tokens, API keys, and session data for AI coding tools. Claude Code, Cursor, GitHub Copilot, and every other AI assistant that operates with developer-level filesystem and shell permissions — Djinn harvests the credentials that grant access to them.

Platforms targeted: Windows, macOS, Linux (cross-platform credential harvesting)
Credential categories: cloud, source control, package registry, AI tools, SSH, crypto
Source: Defused / Cisco Talos threat intelligence
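
One way to detect the collection profile described above, added here as an example (not code from the article or its sources): flag any process that opens credential files in several of the listed categories within a short window. The path patterns, the process allowlist, the `helper` and `backup` process names, and the audit-event format are assumptions for illustration, and the events are constructed.

```python
import re
from collections import defaultdict

# Assumed tool-default credential paths per category; not indicators from malware analysis.
CATEGORIES = {
    "cloud": r"/\.aws/credentials$|/\.config/gcloud/|/\.azure/",
    "source_control": r"/\.git-credentials$|/\.config/gh/hosts\.yml$",
    "package_registry": r"/\.npmrc$|/\.pypirc$",
    "infrastructure": r"/\.kube/config$|/\.terraform\.d/credentials\.tfrc\.json$",
    "ssh": r"/\.ssh/id_[^/]+$",
    "ai_assistant": r"/\.claude/|/\.config/github-copilot/",
}
# Hypothetical allowlist: process name -> categories it legitimately reads.
EXPECTED = {"aws": {"cloud"}, "git": {"source_control", "ssh"}, "ssh": {"ssh"},
            "npm": {"package_registry"}, "kubectl": {"infrastructure"}}

# Constructed file-open audit events: "<epoch> <pid> <process> <path>".
SAMPLE_EVENTS = """\
1000 4121 aws /home/dev/.aws/credentials
1005 4130 git /home/dev/.ssh/id_ed25519
1100 5550 helper /home/dev/.aws/credentials
1101 5550 helper /home/dev/.npmrc
1102 5550 helper /home/dev/.ssh/id_ed25519
1103 5550 helper /home/dev/.claude/.credentials.json
1104 5550 helper /home/dev/project/README.md
2000 6001 backup /home/dev/.ssh/id_ed25519
2900 6001 backup /home/dev/.kube/config
"""

def categorize(path):
    """Return the credential category a path falls into, or None."""
    return next((c for c, rx in CATEGORIES.items() if re.search(rx, path)), None)

def find_sweeps(log, min_categories=3, window=60):
    """Flag processes that open credentials in many categories within `window` seconds."""
    hits = defaultdict(list)                  # (pid, process) -> [(ts, category)]
    for line in log.splitlines():
        ts, pid, proc, path = line.split(maxsplit=3)
        cat = categorize(path)
        if cat and cat not in EXPECTED.get(proc, set()):
            hits[(int(pid), proc)].append((int(ts), cat))
    alerts = []
    for key, events in hits.items():
        for start, _ in events:               # window anchored at each hit
            cats = {c for t, c in events if start <= t <= start + window}
            if len(cats) >= min_categories:
                alerts.append((*key, sorted(cats)))
                break
    return alerts
```

Process names are easy to spoof, so a production rule would key the allowlist on the signed binary path or hash that the endpoint telemetry reports rather than on the name alone.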

Why AI Credentials Are High-Value Targets

An AI coding assistant's credentials are not equivalent to a GitHub token. They are strictly more dangerous. A stolen GitHub token grants access to repositories. A stolen AI assistant token grants access to an agent that can read files, write files, execute shell commands, and interact with APIs — all with the developer's own permissions. The attacker does not need to write an exploit. They need to ask the assistant to do it.

This is the attack chain that Djinn enables: compromise a developer's machine through an RMM authentication bypass, harvest the AI assistant's session tokens, then use those tokens to operate the assistant remotely. The AI agent becomes the attacker's hands inside the developer's environment. Every sandbox escape, every privilege escalation path that security researchers have documented in Claude Code, Cursor, and Gemini CLI becomes available to the attacker — not as a vulnerability to exploit, but as a feature to use.

The RMM Vector

SimpleHelp is not a consumer product. It is remote monitoring and management software deployed by IT teams to manage fleets of endpoints. An authentication bypass in an RMM tool does not compromise one machine. It compromises every machine the RMM manages. A managed service provider running SimpleHelp with 500 client endpoints just gave an attacker authenticated access to 500 developer workstations, each with its own set of cloud credentials, source control tokens, and AI assistant sessions.

The RMM-to-infostealer pipeline is not new — it has been a preferred vector for ransomware groups for years. What is new is the target list. Previous infostealers harvested browser passwords and cryptocurrency wallets. Djinn harvests the credentials that control automated code generation, deployment pipelines, and infrastructure management. The attack has moved upstream from stealing data to stealing the tools that build and deploy software.

The Pattern Across 2026

Djinn Stealer is not an isolated data point. Claude Code accumulated 28 CVEs in its first year, including two CVSS 10.0 sandbox escapes. Cursor's DuneSlide pair (CVE-2026-50548 and CVE-2026-50549) demonstrated zero-click sandbox escapes via prompt injection. Gemini CLI had a CVSS 10.0 vulnerability. Indirect prompt injection through malicious GitHub repositories can compromise developer machines without any malicious code — the AI agent ingests the instructions and executes them.

Djinn completes the picture. The AI coding tool vulnerabilities showed that the tools themselves can be exploited. Djinn shows that attackers are now building dedicated infrastructure to harvest AI tool credentials at scale. The developer's AI assistant is no longer a productivity tool that happens to have security implications. It is a first-class target in the threat actor's collection framework, listed alongside AWS keys and SSH private keys as credentials worth stealing.
