LIVE · cybersecurity feed
vulnerabilitycriticalCVE-2026-48558

'Djinn' Stealer Targets Cloud, AI Credentials

zeroday.news·8d ago

A newly identified information-stealing malware, dubbed "Djinn," is actively targeting credentials that bridge cloud environments, artificial intelligence platforms, and broader enterprise systems. The malware's initial distribution vector exploits a critical authentication bypass vulnerability, identified as CVE-2026-48558, present in the remote support software SimpleHelp.

This specific vulnerability allows Djinn to bypass authentication mechanisms within SimpleHelp, granting it unauthorized access. Once inside, the malware focuses on harvesting credentials that are crucial for linking development and administrative environments to the larger corporate network infrastructure. The compromise of these credentials could grant attackers significant access and control over sensitive cloud-based resources and AI models.

The implications of such a compromise are far-reaching. Stolen credentials for cloud services can lead to unauthorized data access, data exfiltration, service disruption, and the deployment of malicious resources within an organization's cloud footprint. Similarly, credentials for AI platforms could enable attackers to manipulate AI models, steal proprietary algorithms, or use the AI infrastructure for malicious purposes.

The targeting of systems that connect development and administrative functions is particularly concerning. This suggests a sophisticated attack strategy aimed at gaining a foothold within the core operational and development pipelines of an organization. By compromising these links, attackers could potentially move laterally across the network, escalate privileges, and gain deeper access to sensitive data and systems.

While specific details regarding the operational scope or the exact nature of the credentials being targeted are limited, the focus on cloud and AI environments indicates a modern threat landscape. Attackers are increasingly looking to exploit vulnerabilities in these rapidly expanding areas of enterprise IT.

The use of a critical authentication bypass vulnerability in a widely used remote support tool like SimpleHelp highlights a common attack vector. Such tools, while essential for IT management, can become attractive targets if not properly secured and patched.

Organizations utilizing SimpleHelp are strongly advised to ensure their software is updated to the latest version to remediate CVE-2026-48558. Regular security audits and the implementation of robust credential management practices, including multi-factor authentication and the principle of least privilege, are also critical defense measures against this type of threat. Monitoring network traffic for unusual authentication attempts and unauthorized access to cloud and AI platforms can further aid in early detection.

vulnerabilityaicloud
← Back to latest

More News

view all →
zeroday.news · 4h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 4h ago·critical

Attackers using Langflow flaw for credential harvesting (CVE-2026-55255)

CISA has issued a warning regarding a critical vulnerability (CVE-2026-55255) in the Langflow AI framework, which is being actively exploited by attackers. The flaw allows authenticated users to execute arbitrary flows belonging to other users, potentially leading to the theft of sensitive credentials and data exposure, especially in multi-tenant environments. US federal agencies have been mandated to patch this vulnerability by July 10th.

zeroday.news · 3h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 3h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 3h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 4h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.