A New Infostealer Is Hunting Your Claude, Gemini, and Codex Keys. It Gets In Through Your Help Desk.

  • Writer: Patrick Duggan

There is a new information stealer in the wild called Djinn, and it is different from the pile of credential-grabbers that came before it in one way that should make every engineering team sit up: it was built to steal the keys to your AI tools and your package registries. Anthropic Claude, Google Gemini, OpenAI Codex, Cline. npm, PyPI, NuGet, Cargo, Maven. SSH keys, cloud console tokens, crypto wallets. It arrives through a hole in a remote-support product a lot of managed service providers leave facing the open internet — CVE-2026-48558 in SimpleHelp, a perfect-10 authentication bypass. If you build software with AI assistants, the thing that gets robbed here is the thing you actually work with all day. Here is the chain, here are the indicators, and here is what to look for tonight.




Why this one is worth your attention



Most infostealers are built for a 2019 threat model: scrape saved browser passwords, lift cookies, grab a crypto wallet if one is lying around, sell the bundle on a marketplace. Djinn does all of that too. But its target list reads like the contents of a modern developer's laptop in 2026 — and that is the part the marketing-grade breach coverage keeps burying under the word "credentials."


Djinn goes after cloud platform credentials, source-control tokens, infrastructure tooling, and — this is the new frontier — the credentials for AI development assistants. It specifically enumerates Anthropic Claude, Google Gemini, OpenAI Codex, and Cline. It goes after the package-registry tokens that let you publish code the rest of the world downloads: npm, PyPI, NuGet, Cargo, Maven. It takes SSH keys and cryptocurrency wallets on the way out.


Sit with what that combination means. An attacker who lands a Djinn infection on a developer's machine walks away with the ability to talk to your AI provider on your dime, read and write your private repositories, and — most dangerously — publish poisoned packages to the registries your customers pull from. That last one is a supply-chain attack with the safety off. We have spent a lot of this year writing about malicious npm and PyPI packages that try to exfiltrate a working directory or leak a token. Djinn is the industrial version: it collects the publish tokens directly, at the source, from the developer who owns them.


The way in: your help desk was the front door



The initial access is not exotic, and that is exactly why it works. CVE-2026-48558 is a critical authentication-bypass vulnerability in SimpleHelp, a remote-support and remote-monitoring product used heavily by managed service providers and internal IT teams. It carries the maximum CVSS severity score of 10.0. The flaw lives in the OpenID Connect login flow: an unauthenticated attacker can forge an identity token carrying arbitrary claims, submit it, and be handed a fully authenticated "Technician" session on an internet-facing SimpleHelp server. No password. No prompt. A remote-support console, which by design can push software to every machine it manages, handed to whoever asks in the right shape.


From that technician session the attacker did what a technician session is built to do: it reached out to a machine and told it to download and run a file. The file was named jquery.js and it was pulled from a temporary Cloudflare tunnel — a trycloudflare.com address — then executed with node.exe. Legitimate-looking filename, legitimate-looking runtime, delivered through a legitimate remote-support channel. Nothing about the individual pieces screams malware. That is the tradecraft.


The loader: TaskWeaver



The jquery.js payload is a loader the researchers who found it named TaskWeaver. It is a heavily obfuscated Node.js program, and its cleverness is that it is not a fixed script — it is a reusable, encrypted delivery channel. Rather than carry a hard-coded list of post-exploitation commands, TaskWeaver opens an encrypted line to its operator and pulls down whatever the operator wants to run next. In this campaign, what came next was Djinn.


TaskWeaver's command-and-control masqueraded as Microsoft Dev Tunnels — the initial C2 resolved through a dev-tunnels[.]com address — and its exfiltration traffic wore a user-agent string crafted to look like ordinary Microsoft telemetry. This is the recurring theme of the whole intrusion: every hop is dressed as something your monitoring already trusts. A help-desk tool. A jQuery file. A Node runtime. A Microsoft tunnel. A telemetry beacon.


How it leaves with your data



Djinn does not smash and grab in the clear. It collects its haul — the cloud keys, the AI-tool credentials, the registry tokens, the SSH keys, the wallets — packages it into a TAR archive, compresses it with GZIP, and encrypts it with an AES-256-GCM key that is itself wrapped by an RSA-2048 public key embedded in the TaskWeaver loader. Only the operator holds the matching private key. Then, having gone to all that cryptographic trouble, it ships the encrypted bundle out over plain HTTP.


That last detail is a gift to defenders. The exfiltration is a plain-HTTP POST of a large opaque encrypted blob to an unfamiliar host. If you have any egress inspection at all, an outbound HTTP POST carrying an encrypted archive to a host you have never talked to before is exactly the anomaly your rules should be built to catch.
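
The egress check described above, as an added example (not code from the original post or from the researchers who reported the campaign): a Python filter that flags plain-HTTP POSTs whose large body is near-random and whose destination is outside a known-hosts baseline. The record fields, thresholds, and host names are assumptions, and the sample bodies are constructed.

```python
import hashlib
import math
from collections import Counter

MIN_BODY_BYTES = 32 * 1024  # assumed floor for a "large" upload; tune per environment
MIN_ENTROPY = 7.5           # bits per byte; encrypted data sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def suspicious_posts(records, known_hosts):
    """Return plain-HTTP POSTs carrying a large opaque body to a host not in the baseline."""
    hits = []
    for r in records:
        if r["method"] != "POST" or r["scheme"] != "http":
            continue
        if r["host"].lower() in known_hosts:
            continue
        # Compressed uploads also score high, so entropy is only one of the
        # conditions: cleartext transport and an unfamiliar host must hold too.
        body = r["body"]
        if len(body) >= MIN_BODY_BYTES and shannon_entropy(body) >= MIN_ENTROPY:
            hits.append(r)
    return hits

# Constructed sample data: deterministic high-entropy bytes stand in for an encrypted archive.
OPAQUE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
FORM = b"name=alice&comment=" + b"hello world " * 4000
SAMPLE = [
    {"method": "POST", "scheme": "http", "host": "upload.example.net", "body": OPAQUE},
    {"method": "POST", "scheme": "https", "host": "upload.example.net", "body": OPAQUE},
    {"method": "POST", "scheme": "http", "host": "intranet.example.com", "body": OPAQUE},
    {"method": "POST", "scheme": "http", "host": "forms.example.org", "body": FORM},
    {"method": "GET", "scheme": "http", "host": "upload.example.net", "body": b""},
]
KNOWN = {"intranet.example.com"}  # baseline of hosts already seen, lowercase

if __name__ == "__main__":
    for hit in suspicious_posts(SAMPLE, KNOWN):
        print(hit["host"], len(hit["body"]), round(shannon_entropy(hit["body"]), 2))
```
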


What to look for tonight



We are going to be honest about the shape of these indicators, because honesty is the whole point of publishing them. The network infrastructure here — dev-tunnels[.]com and trycloudflare.com — is shared, legitimate Microsoft and Cloudflare tunneling infrastructure being abused. We are deliberately not pushing those domains into our automated blocklist as high-confidence indicators, because blocking all of Cloudflare's tunnel service or Microsoft's dev-tunnel service would wreck legitimate traffic for everyone downstream. This is a hunt-and-detect story, not a block-the-domain story, and anyone who tells you to just null-route those domains has not thought about what else lives there.


So hunt for the behavior, not just the domain. On your SimpleHelp servers, review the logs for newly created accounts, authenticated sessions from unfamiliar IP addresses, logins at unusual hours, and any unexpected changes to the OpenID Connect configuration. On managed endpoints, look for node.exe executing a file named jquery.js — or jsquery.js, a variant filename seen in the same activity — from a temporary or user-writable path, especially one that was just delivered by your remote-support agent. Look for outbound connections that resolve to dev-tunnels addresses from processes that have no business talking to a developer tunnel. And look for that plain-HTTP POST of an encrypted archive to an unfamiliar destination.
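
The endpoint hunt described above, as an added example (not code from the original post): a Python scorer for process-creation events that combines the three signals named here, node.exe running jquery.js or jsquery.js, the script sitting in a temporary or user-writable path, and the remote-support agent as parent. The path markers and the agent image name are assumptions (the page does not name the agent process), and the events are constructed.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_NAMES = {"jquery.js", "jsquery.js"}  # filenames reported on the page
# Assumed markers for temporary or user-writable locations; extend per environment.
WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\",
            "\\programdata\\", "\\downloads\\")
ARG_RE = re.compile(r'"([^"]+)"|(\S+)')  # quoted or bare command-line arguments

def script_args(command_line):
    """Return arguments whose file name is one of SCRIPT_NAMES."""
    args = [q or b for q, b in ARG_RE.findall(command_line)]
    return [a for a in args if PureWindowsPath(a).name.lower() in SCRIPT_NAMES]

def score_event(event, agent_images=()):
    """Score one process-creation event: 0 = no match, 3 = all three signals."""
    if PureWindowsPath(event["Image"]).name.lower() != "node.exe":
        return 0, []
    scripts = script_args(event["CommandLine"])
    if not scripts:
        return 0, []
    score, reasons = 1, ["node.exe running " + PureWindowsPath(scripts[0]).name]
    if any(m in s.lower() for s in scripts for m in WRITABLE):
        score += 1
        reasons.append("script in temporary or user-writable path")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent in {name.lower() for name in agent_images}:
        score += 1
        reasons.append("parent is the remote-support agent")
    return score, reasons

# Constructed sample events; keys follow Sysmon Event ID 1 field names.
AGENT = "support-agent-placeholder.exe"  # hypothetical image name, not from the page
NODE = r"C:\Program Files\nodejs\node.exe"
EVENTS = [
    {"Image": NODE, "ParentImage": "C:\\Program Files\\Support\\" + AGENT,
     "CommandLine": r'node.exe "C:\Users\bob\AppData\Local\Temp\jquery.js"'},
    {"Image": NODE, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"node.exe C:\src\site\vendor\jquery.js"},
    {"Image": NODE, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"node.exe C:\src\app\server.js"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(score_event(ev, agent_images=[AGENT]), ev["CommandLine"])
```

A score of 1 is common on web-development machines, where a file called jquery.js is routine; the higher scores are the ones to triage first.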


If you run SimpleHelp, the fix is not optional and it is not complicated: the vulnerability is patched in SimpleHelp versions 5.5.16 and 6.0 RC2. Patch it, then go read your logs from before you patched, because a CVSS 10.0 pre-auth bypass with public exploitation is not something you assume you dodged. And if you find evidence a technician session you cannot account for touched an endpoint, treat every credential that lived on that endpoint as burned — rotate the cloud keys, the registry tokens, the SSH keys, and yes, the AI-provider keys.


The part that is ours to say



We track this because it sits on the exact seam we have been pointing at all year: the place where remote-management tools, developer machines, and the software supply chain meet. A stealer that harvests npm and PyPI publish tokens is not stealing from one victim — it is buying a lottery ticket to poison everyone who installs that victim's next release. A stealer that harvests AI-assistant keys is a new category we should all name plainly now, before it becomes routine: your model provider credential is now loot, and it will be treated as loot.


We build with these tools. Claude is the partner we work alongside every day, not a target we watch from a distance — which is precisely why a piece of malware that reaches specifically for Anthropic, Gemini, Codex, and Cline credentials gets written up here the day it surfaces rather than the week the trade press catches up. We are adding Djinn and TaskWeaver to the record so the next defender who sees node.exe running a suspicious jquery.js at three in the morning has somewhere to land.


We will not claim we have this fully mapped — a campaign this fresh always has more infrastructure than any one report has surfaced, and we would put the odds we have caught every hop at well under certainty. What we can say is what is true: patch SimpleHelp to 5.5.16 or 6.0 RC2, hunt for the behaviors above, and rotate anything a technician session you cannot explain may have touched. The keys to your AI tools are worth defending like the keys to everything else, because to this thing, they are.





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.
