SharePoint ‘ToolShell’ zero-day: What we know

Welcome to this week’s edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines, curated by the team at ReversingLabs (RL).

This week: Here’s what we know so far about the SharePoint ‘ToolShell’ zero-day and its consequences. Also, malware was injected into seven npm packages after their maintainer’s tokens were stolen.

This Week’s Lead Story

SharePoint ‘ToolShell’ zero-day: What we know

Microsoft notified customers last weekend of attacks targeting several versions of its on-premises SharePoint product following the discovery of two zero-day vulnerabilities. The flaws, CVE‑2025‑53770 and CVE-2025-53771, have been named “ToolShell” because they are patch bypasses for two vulnerabilities given this same moniker that were discovered during the Pwn2Own contest in Berlin, Germany this past May.

The original vulnerabilities, CVE‑2025‑49706 and CVE-2025-49704, were patched by Microsoft on July 8, but multiple sources believe that attackers are currently utilizing all four vulnerabilities to attack governmental organizations and entities in critical infrastructure. Threat actors are collectively using the vulnerabilities to create a backdoor on vulnerable SharePoint servers, and steal system keys to take over victims’ machines.

On July 21, Microsoft released updates for SharePoint Subscription Edition and SharePoint 2019 that customers can now apply, though multiple sources have confirmed that the consequences of this software supply chain attack continue and are far-reaching.

More recent findings indicate that a China-based hacking group, dubbed Storm-2603 by Microsoft, is deploying Warlock ransomware utilizing the ToolShell exploit chain. Other findings suggest that two other Chinese hacking groups, Linen Typhoon and Violet Typhoon, have been utilizing the attack chain as early as July 7. (RL Blog)

This Week’s Headlines

Malware injected into 7 npm packages after tokens stolen

Researchers have discovered a supply chain attack that targeted popular npm packages via a phishing campaign designed to steal the project maintainers' npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry, with no corresponding source code commits or pull requests in their respective GitHub repositories. Packages targeted include multiple versions of eslint-config-prettier and is. The malicious package versions delivered a DLL known as Scavenger Loader, which is Windows-specific malware. Interestingly, the malicious versions of is carry a payload written entirely in JavaScript, so it can run on Windows, Linux, and macOS, which makes it stand out from the rest. (The Hacker News)

Toptal’s GitHub account hacked to publish packages

Ten malicious packages have been published to npm after hackers compromised a GitHub organization account belonging to Toptal, known for internal tools like the Picasso design system that are shared openly on GitHub and npm. The attackers modified the source code of Picasso on GitHub to include malware and published the malicious packages on npm as Toptal, which makes them appear to be legitimate updates. The packages included data-stealing code that collected GitHub authentication tokens and then wiped victims' systems. The packages were collectively downloaded about 5,000 times before being detected and removed from npm. (Bleeping Computer)

Unvalidated open-source code puts UK national security at risk

More than 90% of modern container applications rely on open-source software (OSS). Within the UK, OSS is used in the National Health Service (NHS), the railways, government platforms, and financial systems. However, there is almost no verification of where open-source code originates. This presents a major security risk because software teams must blindly trust unknown packages when adding them to essential systems. The U.K. National Cyber Security Centre (NCSC) has published guidance and frameworks aimed at mitigating OSS risks within critical national infrastructure. While welcomed, experts say more verification of these components is needed. (Tech Monitor)

NIST releases updates to SP 800-53 to boost software security

The U.S. National Institute of Standards and Technology (NIST) has released draft revisions to Special Publication (SP) 800-53 that aim to make the deployment of software patches and updates more secure and reliable. The revisions follow mandates in Executive Order 14306, released on June 6. The draft’s revisions cover enhanced practices in software resiliency, developer testing, secure logging, least privilege for functions and tools, update deployment management, software integrity and validation, delineation of roles between organizations and developers, and root cause analysis and improvement. (Executive Gov)

The Best of RL

Blog | Fully autonomous development is coming: Is your AppSec ready?

Replacing software engineers with AI won't be happening soon — but AI coding is already changing the software risk landscape. Is your company prepared? (Learn More)

Blog | The true cost of CVEs: Why you need to shift beyond vulnerabilities

Triaging and patching, plus meeting compliance demands, all bog down modern software teams — and divert time away from development. (Learn More)

Webinar | 2025 DBIR & Third Party Breach Risk: A Conversation With Verizon

Wednesday, July 30 at 12pm ET

In this webinar, RL is joined by one of the co-authors of the DBIR, Philippe Langlois, to discuss Verizon Business’s latest report and the intricacies of data breaches tied to software supply chain weaknesses. (Save Your Seat)

For more insights on software supply chain security, keep learning with the RL Blog.

Mauricio Ortiz, CISA

Great dad | Inspired Risk Management and Security | Cybersecurity | AI Governance & Security | Data Science & Analytics My posts and comments are my personal views and perspectives but not those of my employer

2w

ReversingLabs thanks for sharing good content and resources.
