When AI Development Credentials Become the Target: Djinn Stealer and the Emerging Supply Chain Attack Surface
The Djinn Stealer malware, delivered by exploiting a SimpleHelp vulnerability, specifically targets credentials for cloud and AI development tools. The campaign shows how attackers abuse operational infrastructure to expand the attack surface and poses a new threat to AI supply chain security.
In June 2026, Blackpoint Cyber's Adversary Pursuit Group disclosed a campaign targeting Remote Monitoring and Management (RMM) tools. Attackers exploited an authentication bypass vulnerability (CVE-2026-48558) in the SimpleHelp platform, gaining remote administrative privileges equivalent to those of an IT administrator. They then deployed an information-stealing malware named Djinn Stealer. This malware was designed with a clear objective: to strip all valuable digital identities from a developer's machine in a single sweep—cloud credentials, SSH keys, API keys, service account credentials, and a notable new category: credentials for AI development tools and agents.
From RMM to AI Supply Chain Springboard
SimpleHelp is an RMM platform used by over 6,000 organizations, managing millions of endpoint devices. The attackers first exploited the vulnerability through internet-exposed SimpleHelp servers, obtaining authenticated technician sessions—meaning they gained remote control capabilities equivalent to those of a legitimate IT administrator. This abuse of "trusted" infrastructure is not new, but when combined with the specific targets of the final payload, this attack reveals a deeper strategic evolution.
Once inside the internal network, the attackers deployed a JavaScript loader named TaskWeaver on a large scale. This loader was obfuscated, disguised as a legitimate jsquery.js file, and hosted on temporary Cloudflare infrastructure. The loader was responsible for fingerprinting the infected system, establishing communication with a C2 server, and retrieving the final Djinn Stealer payload.
Blackpoint researchers described Djinn Stealer as "built to strip everything valuable from a developer's machine in one go." Beyond traditional credential types, it specifically targeted credentials for package registries and build tool ecosystems such as npm, Yarn, NuGet, Composer, Maven, and PyPI. Attackers with these credentials could access private packages, publish malware, tamper with dependencies, and execute supply chain attacks.
AI Development Tools Become a New Attack Surface
Most notably, Djinn Stealer was designed to search for credentials related to AI development tools and agents, including local configuration files for services such as Claude, Gemini, Codex, Cline, OpenCode, Kilo, and others. Most of these tools rely on the Model Context Protocol (MCP) to connect AI assistants to developers' external tools and data, including source code repositories, databases, cloud accounts, and internal APIs. Once these credentials are stolen, attackers can access and manipulate data and cloud infrastructure with the permissions of the developer or even of the AI agent itself.
Blackpoint's Lead MDR Analyst, Nevan Beal, noted: “As AI becomes embedded in development, management, and business workflows, credentials associated with these platforms are becoming increasingly valuable to threat actors.” The uniqueness of Djinn Stealer lies not only in how it targets AI-related data, but also in that its collection rules cover a wide range of relatively uncommon AI development tools, while also including CI/CD credentials, package registry authentication, cloud configurations, source code control access, and traditional browser and wallet data. This breadth suggests that attackers are deliberately focusing on the identities and integration points that connect modern developers and administrators to the broader enterprise.
Paradigm Shift in Attacks: The Amplification Effect
For security teams, this intrusion campaign serves as a warning: attackers are increasingly focusing on trusted management and development infrastructure to amplify the impact of a single breach point. A recent similar case is the breach at Danish pharmaceutical giant Novo Nordisk, where attackers gained an initial foothold through a GitHub access token, then escalated privileges and stole 1.3 TB of sensitive data.
Sam Decker, a Threat Intelligence Engineer at Blackpoint, stated that while the attack cannot be attributed to a specific threat group, the architecture of TaskWeaver and Djinn Stealer reflects a "capable, deliberate operation focused on discovering and collecting high-value secrets." The attackers also used look-alike Microsoft-named infrastructure as camouflage: the initial C2 server masqueraded as a legitimate Microsoft Dev Tunnel, and the user agent for data exfiltration was forged to appear as normal Microsoft telemetry collection. Notably, Decker believes this appears to be opportunistic scanning, searching the internet for exposed, vulnerable SimpleHelp instances rather than targeting specific victims.
The Need for Security Architecture Redesign
Djinn Stealer's emergence is not an isolated case. It reveals an intensifying trend: attackers are no longer satisfied with stealing user passwords or credit card numbers, but have begun systematically hunting for the "privileged keys" that can unlock the door to an entire digital estate: DevOps credentials, and especially those of AI systems. In modern software factories, a CI/CD token or an AI agent configuration file can be more valuable than a corporate CEO's email password, because it connects directly to code repositories, production databases, and cloud computing resources.
This incident also forces security teams to re-examine the boundaries of "trust." RMM tools, AI development assistants, package managers, and cloud CLIs are meant to improve efficiency, but their widespread adoption has also created new attack surfaces. When an attacker can gain administrator-level privileges through a single vulnerability and use that privilege to steal all credentials connecting AI, development, and operations systems, traditional perimeter-based defenses have become completely ineffective.
Security practitioners need to start treating AI development pipelines as critical infrastructure. This includes implementing fine-grained access controls for MCP configuration files, local AI agent tokens, and cloud CLI credentials, along with real-time monitoring of the usage of these privileged identities. At the same time, the security of package registries and build systems must be elevated to the same level of importance as production environments—because a compromised npm credential can lead to contamination of the entire downstream supply chain.
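As a concrete starting point for the access-control recommendation above, here is a small self-audit script (added for this article; not Blackpoint's, SimpleHelp's, or any AI tool's own code) that inventories the credential files a developer machine typically holds and flags two weaknesses a stealer benefits from: files readable by other users or processes, and long-lived tokens stored in plaintext. The candidate list, the AI-agent config path, and the sample files it builds are assumptions constructed for the demonstration.

```python
"""Audit developer credential/config files for group/world readability and
plaintext long-lived tokens. Example code written for this article; the path
list (especially the AI-agent/MCP config path) is an assumption to adapt."""
import re
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed candidate list: cloud and package-registry credential files plus
# an ASSUMED location for an AI-agent/MCP config; adapt to the tools in use.
CANDIDATE_FILES = [
    ".aws/credentials",
    ".npmrc",
    ".pypirc",
    ".ssh/id_ed25519",
    ".config/ai-agent/mcp.json",  # hypothetical path, not any real tool's default
]
# Heuristics for secrets that live on disk in plaintext.
TOKEN_PATTERNS = {
    "npm auth token": re.compile(r"_authToken\s*=\s*\S+"),
    "aws secret key": re.compile(r"aws_secret_access_key\s*=\s*\S+"),
    "api key/token": re.compile(r'"(?:api[_-]?key|token)"\s*:\s*"[^"]+"', re.I),
}

@dataclass
class Finding:
    path: str
    issue: str

def audit_home(home: Path) -> list[Finding]:
    """Return one Finding per weakness found under the given home directory."""
    findings: list[Finding] = []
    for rel in CANDIDATE_FILES:
        p = home / rel
        if not p.is_file():
            continue
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # anything beyond owner-only
            findings.append(Finding(str(p), f"readable by group/others (mode {mode:03o})"))
        text = p.read_text(errors="replace")
        for label, pattern in TOKEN_PATTERNS.items():
            if pattern.search(text):
                findings.append(Finding(str(p), f"plaintext {label} stored on disk"))
    return findings

def make_demo_home() -> Path:
    """Build a CONSTRUCTED sample home: one weak file, one correctly locked down."""
    home = Path(tempfile.mkdtemp())
    npmrc = home / ".npmrc"
    npmrc.write_text("//registry.npmjs.org/:_authToken=npm_CONSTRUCTED_EXAMPLE\n")
    npmrc.chmod(0o644)  # weak setting: world-readable long-lived registry token
    (home / ".aws").mkdir()
    creds = home / ".aws" / "credentials"
    creds.write_text("[default]\naws_access_key_id=AKIA_CONSTRUCTED_EXAMPLE\n")
    creds.chmod(0o600)  # corrected setting: owner-only, no secret key on disk
    return home

if __name__ == "__main__":
    for f in audit_home(make_demo_home()):
        print(f"{f.path}: {f.issue}")
```

Feed the findings into the same monitoring pipeline that watches these identities' usage, so a newly world-readable `.npmrc` or agent config is treated as a privileged-credential exposure rather than a developer-workstation nuisance.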
Conclusion
Djinn Stealer is not the last attack targeting AI development credentials; it merely heralds the beginning of a new era: when every developer possesses dozens of cloud tokens, API keys, and AI agent configuration files, protecting these digital identities will become the core battleground of cybersecurity. Attackers are shifting from "stealing data" to "stealing credentials," because credentials are both data themselves and the keys to more data. For organizations, the real challenge is not patching a single vulnerability, but redesigning the entire identity and access management architecture for development and operations to withstand such targeted attacks on the "chain of trust."