This Week in Cyber 25th July 2025

Analyst Insight

This week in cyber, we have seen a critical vulnerability dubbed “ToolShell” being exploited against more than 8,000 internet-exposed on-premises SharePoint instances worldwide. Vulnerable instances allowed threat actors to execute code remotely, which can be used to harvest credentials or deploy ransomware. Patches were not immediately available for every affected version, so mitigation guidance was issued alongside them. The incident shows why active vigilance against emerging threats matters. We have also seen the UK government propose a ban on public-sector organisations paying ransomware operators, with the aim of cutting off the funding of cybercrime, and a major phishing attack targeting npm package maintainers that allowed threat actors to publish malicious code to popular packages. Household cleaning brand Clorox is also suing a large IT services provider for gross negligence. Read more in this week in cyber.

Critical SharePoint “ToolShell” Zero‑Day in Active RCE Attacks

A newly discovered zero‑day in on‑premises Microsoft SharePoint, dubbed “ToolShell” (CVE‑2025‑53770 and CVE‑2025‑53771), has been exploited in live remote code execution (RCE) attacks since July 18th, 2025. "Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update," Microsoft stated. Threat actors sent a crafted POST to ToolPane.aspx, bypassed authentication with a spoofed Referer header, and dropped a small spinstall0.aspx web shell that reads the server's ASP.NET machine keys (ValidationKey and DecryptionKey). Holding those keys lets an attacker sign their own serialised __VIEWSTATE payloads, so code execution survives a patch to the original entry point until the keys are rotated.

At the time of writing, Microsoft has shipped patches for SharePoint Subscription Edition and SharePoint Server 2019, while SharePoint Server 2016 remains unpatched; SharePoint Online in Microsoft 365 is not affected. Patched or not, admins are urged to enable AMSI integration in SharePoint with Defender Antivirus installed, rotate the ASP.NET machine keys and restart IIS afterwards (applying the patch alone does not invalidate keys that were already stolen), scan for indicators of compromise such as spinstall0.aspx in the SharePoint LAYOUTS directory and POST requests to ToolPane.aspx in the IIS logs, and disconnect any internet‑exposed server that cannot be protected.
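As an added example (not code from the article, from Microsoft, or from any vendor advisory), the script below scans IIS W3C log lines for the two request patterns described above: a POST to ToolPane.aspx that arrives unauthenticated or with a spoofed Referer (the /_layouts/SignOut.aspx value publicly reported for this campaign), and any request for the spinstall0.aspx web shell. The log excerpt is constructed for illustration; real logs carry more fields and may order them differently, which is why the parser reads the #Fields header rather than assuming positions.

```python
"""Flag ToolShell-style requests in IIS W3C logs.

Added example, not from the original article or Microsoft: the detection
logic and the sample log lines are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed W3C log excerpt: a #Fields header plus a mix of benign and
# suspicious entries. Field order follows the IIS default for these fields.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 - 200
2025-07-18 10:02:45 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 10:02:47 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-07-18 10:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.1.21 Mozilla/5.0 https://sp.corp.example/sites/hr 200
"""


@dataclass
class Hit:
    line_no: int
    client_ip: str
    reason: str


def parse_w3c(text):
    """Yield (line_no, record dict) for each data line, keyed by the #Fields header."""
    fields = None
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = raw.split()  # IIS writes '+' for spaces inside a field, so split is safe
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than abort the whole scan
        yield no, dict(zip(fields, parts))


def classify(rec):
    """Return a reason string if the record matches a ToolShell pattern, else None."""
    stem = rec.get("cs-uri-stem", "").lower()
    method = rec.get("cs-method", "").upper()
    referer = rec.get("cs(Referer)", "-").lower()
    user = rec.get("cs-username", "-")
    if stem.endswith("/spinstall0.aspx"):
        return "request for spinstall0.aspx web shell"
    if method == "POST" and stem.endswith("/toolpane.aspx"):
        if referer.endswith("/_layouts/signout.aspx"):
            return "POST to ToolPane.aspx with SignOut.aspx Referer"
        if user == "-":
            return "unauthenticated POST to ToolPane.aspx"
    return None


def scan(text):
    """Run classify() over every record and collect the matches in log order."""
    hits = []
    for no, rec in parse_w3c(text):
        reason = classify(rec)
        if reason:
            hits.append(Hit(no, rec.get("c-ip", "-"), reason))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client_ip}: {h.reason}")
```

The authenticated POST on the last sample line is left alone on purpose: editors legitimately hit ToolPane.aspx, so the signal is the missing user and the spoofed Referer, not the endpoint by itself. A hit should trigger a hunt for the LAYOUTS-directory web shell and a key rotation, not just a log entry.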

Large Household Brand Sues IT Services Company for Gross Negligence

Household brand Clorox is suing IT services giant Cognizant for gross negligence over a major cyberattack in August 2023, which Clorox says began when Cognizant's helpdesk reset an employee's password without verifying the caller's identity. Clorox alleges that the attacker was able to obtain employees' passwords repeatedly simply by phoning the service desk run by its provider. Clorox puts the damage at $380 million, largely from disruption to its logistics. In a statement, Cognizant responded: “It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox.”

UK Public Sector Ransomware Payment Ban

The UK government is set to outlaw ransom payments by public-sector and critical infrastructure organisations, including the NHS, schools and local councils, under new Home Office proposals. The initiative also introduces a payment prevention regime: private companies must inform authorities before paying any ransom so officials can intervene or legally block transfers.

"Ransomware is estimated to cost the UK economy millions of pounds each year, with recent high-profile ransomware attacks highlighting the severe operational, financial, and even life-threatening risks. The ban would target the business model that fuels cyber criminals' activities and makes the vital services the public rely on a less attractive target for ransomware groups" said the UK Government.

Supporters believe this will cut off criminals’ revenue streams and reduce the incentive for attacks. Critics, however, warn that without strong backups and rapid recovery plans, essential services could face prolonged disruption.

NPM Supply Chain Attack Leads to Malware in Popular Packages

Cybersecurity researchers have brought attention to a supply chain attack that targeted popular npm packages via a phishing campaign designed to steal the maintainers' npm tokens. The stolen tokens were then used to publish malicious versions of the packages directly to the registry, with no corresponding commits or pull requests in the projects' GitHub repositories. That mismatch surfaced as a suspicious activity report on GitHub, and maintainers quickly confirmed that the new versions contained malicious code, including a Windows-specific payload that attempted to load node-gyp.dll via rundll32.

The affected packages and their rogue versions, according to Socket.dev, are:

  • eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7)

  • eslint-plugin-prettier (versions 4.2.2 and 4.2.3)

  • synckit (version 0.11.9)

  • @pkgr/core (version 0.2.8)

  • napi-postinstall (version 0.3.1)

"The injected code attempted to execute a DLL on Windows machines, potentially allowing remote code execution" Socket.dev said. This development comes in the aftermath of a phishing campaign that has been found to send email messages impersonating npm in order to trick project maintainers into clicking on a typosquatted link ("npnjs[.]com," as opposed to "npmjs[.]com") that harvested their credentials.

The phishing emails, with the subject line "Please verify your email address," spoofed a legitimate npm sender address ("support@npmjs[.]org") and urged recipients to validate their email address by clicking the embedded link. The landing page victims were sent to, per Socket, is a clone of the legitimate npm login page designed to capture their credentials.

Developers who depend on the affected packages should check which versions are actually installed, including copies pulled in transitively (the lockfile is the authoritative record), and pin or roll back to a known-good version. Maintainers should enable two-factor authentication on their npm accounts, publish with scoped, short-lived granular access tokens rather than a password, and treat any "verify your email" message as suspect unless the link really resolves to npmjs.com.
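As an added example (not code from the article or from Socket), the script below checks an npm lockfile against the rogue version list given above. It handles both the lockfile v2/v3 "packages" map, where keys are node_modules paths, and the older v1 "dependencies" tree, so nested copies installed under another dependency are found as well. The two lockfile excerpts are constructed for illustration.

```python
"""Check an npm lockfile for the rogue package versions listed in the article.

Added example, not from the original article or from Socket: the version
list is copied from the write-up; the lockfile excerpts are constructed.
"""
import json

# Package -> set of malicious versions, as listed in the article.
ROGUE_VERSIONS = {
    "eslint-config-prettier": {"8.10.1", "9.1.1", "10.1.6", "10.1.7"},
    "eslint-plugin-prettier": {"4.2.2", "4.2.3"},
    "synckit": {"0.11.9"},
    "@pkgr/core": {"0.2.8"},
    "napi-postinstall": {"0.3.1"},
}

# Constructed package-lock.json (lockfileVersion 3): one clean entry and two
# compromised ones, one of them nested under another dependency.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "devDependencies": {"eslint-config-prettier": "^10.1.5"}},
        "node_modules/eslint-config-prettier": {"version": "10.1.6"},
        "node_modules/eslint-plugin-prettier": {"version": "5.5.1"},
        "node_modules/eslint-plugin-prettier/node_modules/synckit": {"version": "0.11.9"},
    },
})

# Constructed lockfileVersion 1 excerpt, which nests dependencies as a tree.
SAMPLE_LOCKFILE_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "eslint-plugin-prettier": {
            "version": "4.2.3",
            "dependencies": {"@pkgr/core": {"version": "0.2.8"}},
        }
    },
})


def _name_from_path(path):
    """'a/node_modules/@scope/pkg' -> '@scope/pkg' (text after the last node_modules/)."""
    _, _, tail = path.rpartition("node_modules/")
    return tail


def iter_lock_entries(lock):
    """Yield (package name, version) for every entry in a v1, v2 or v3 lockfile."""
    packages = lock.get("packages")
    if packages:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in packages.items():
            if path == "" or "version" not in meta:
                continue  # "" is the root project itself
            yield _name_from_path(path), meta["version"]
        return

    def walk(deps):  # lockfileVersion 1: recursive "dependencies" tree
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_rogue(lock_text):
    """Return sorted (name, version) pairs that match a known-bad version."""
    lock = json.loads(lock_text)
    hits = {
        (name, version)
        for name, version in iter_lock_entries(lock)
        if version in ROGUE_VERSIONS.get(name, ())
    }
    return sorted(hits)


if __name__ == "__main__":
    for name, version in find_rogue(SAMPLE_LOCKFILE):
        print(f"compromised: {name}@{version}")
```

Point it at a real lockfile with `find_rogue(open("package-lock.json").read())`. A lockfile only reflects what npm resolved, so a project that does not commit one should run `npm ls <package>` on each machine instead, and a CI pipeline that installs with `npm install` rather than `npm ci` can drift from the lockfile it was checked against.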
