Threat Analysis: SharePoint Under Active Attack, AiTM Phishing Surge, and npm Supply Chain Compromise
Hello, Mauven here.
This is your Daily Threat Analysis for 15th July 2026.
Three stories today. Two of them have confirmed victims. One has confirmed active exploitation. None of them should be a surprise, the underlying weaknesses have been known for years. But here we are.
SharePoint Server: Three CVEs, Active Exploitation, Patch Now
CISA added three Microsoft SharePoint Server vulnerabilities to its Known Exploited Vulnerabilities catalogue yesterday. Attackers are actively exploiting them against internet-exposed on-premises SharePoint instances. CISA’s KEV list is not a prediction, it means exploitation has been observed and confirmed.
The advisory targets on-premises SharePoint deployments. SharePoint Online, the Microsoft-hosted version, is not affected by these specific flaws. That distinction matters because a significant number of UK SMBs, particularly in professional services, legal, and financial sectors, still run on-premises SharePoint, often because it was installed years ago and no one has made the business case to migrate.
What the advisory does not say is what it never says: how long these vulnerabilities have been exploited before the advisory was published, and which sectors are being targeted. My inference, based on the profile of on-premises SharePoint users in the UK, is that professional services firms, small law practices, and accountancy firms running legacy infrastructure are the most exposed population. That is inference, not confirmed intelligence, but it is reasonable inference.
The remediation is straightforward. If you run on-premises SharePoint, apply Microsoft’s patches immediately. If you do not know whether you run on-premises SharePoint, ask your IT provider today. If your IT provider tells you this does not affect you because you are too small, ask them to confirm in writing which SharePoint version you are running and when it was last patched.
What to do:
- Confirm with your IT provider whether you run on-premises SharePoint Server
- Apply the relevant Microsoft patches without delay
- If migration to SharePoint Online is on your roadmap, this is the business case you needed
- Log the conversation with your IT provider and the date patches were applied
AiTM Phishing: Three Operators Exposed, 218 Confirmed Victims
This one is worth your attention not because of the exposure, a misconfigured Python HTTP server on a Budapest VPS left an entire phishing operation visible to the internet, but because of what the exposure revealed.
Researchers at Lexfo found the operational infrastructure of three distinct phishing operators, fully intact. One of them, identified as saroula01, had accumulated 218 confirmed victims across 12 countries using OAuth Device Code Flow attacks. A second operator, identified as codemado, has been running a full Adversary-in-the-Middle platform with custom tooling since 2018.
AiTM phishing is not the same as traditional phishing. The advisories and awareness training your staff have received almost certainly focus on credential harvesting, fake login pages that steal passwords. AiTM attacks go further. They sit between the victim and the legitimate service in real time, intercepting not just credentials but session tokens. The practical consequence is that multi-factor authentication does not stop them. The attacker captures an authenticated session after MFA has been completed.
The NCSC has published guidance on phishing-resistant MFA, specifically FIDO2 and hardware security keys, which does resist AiTM attacks. The fact that AiTM campaigns are scaling to hundreds of victims across multiple countries tells you everything about how widely phishing-resistant MFA has been adopted.
For UK SMBs, the relevant sectors here are any organisation using Microsoft 365 or Google Workspace. The OAuth Device Code Flow attack vector specifically targets cloud-authenticated environments. The attack is typically delivered by email, a message that instructs the recipient to authenticate a device by entering a code at a legitimate Microsoft or Google URL. The URL is legitimate. The code is the attacker’s.
This is a social engineering problem as much as a technical one. Your staff need to understand that a legitimate-looking Microsoft authentication page does not guarantee the request is legitimate.
What to do:
- Brief your team on OAuth Device Code Flow phishing, it looks different from traditional phishing
- Review your Microsoft 365 or Google Workspace conditional access policies
- Disable Device Code Flow authentication if your organisation does not use it (many do not)
- Where budget allows, move towards FIDO2-based MFA rather than SMS or authenticator app codes
- Check your Microsoft 365 audit logs for unexpected OAuth application authorisations
AsyncAPI npm Supply Chain: Poisoned Packages, Botnet Loader
On 14th July, an attacker exploited a misconfigured GitHub Actions workflow in the AsyncAPI generator repository. The technique is called a ‘pwn request’, a pull request that triggers a workflow with elevated permissions. The attacker opened 37 pull requests, one of which contained obfuscated JavaScript that exfiltrated a highly privileged Personal Access Token.
With that token, five malicious npm packages were published under the AsyncAPI namespace. The packages delivered a multi-stage botnet loader called Miasma, which downloads an encrypted payload from IPFS and establishes persistence. The malicious code executes when the package is imported, meaning any developer who installed or updated the affected packages during the window of compromise ran the loader without any other interaction required.
AsyncAPI is used in API documentation and event-driven architecture tooling. It is not a household name, but it sits in the dependency trees of a meaningful number of development shops and technology teams. If your organisation has a development team, or uses a software vendor that does, this is worth checking.
Wiz Research and Socket.dev both published detailed analysis of this attack. The affected packages have been removed from the npm registry. The question is how many builds ran during the compromise window.
For UK SMBs without in-house development teams, the immediate risk is indirect, through your software vendors and MSPs. The question to ask is whether your technology providers run automated dependency updates, and whether they have reviewed their npm dependency trees following this incident.
What to do:
- If you have a development team: audit your AsyncAPI-related npm dependencies immediately
- Check build logs for the period around 14th July 2026 for unexpected network activity
- Ask your software vendors whether they use AsyncAPI tooling and whether they have reviewed affected packages
- Review your GitHub Actions workflows for misconfigured permissions, this attack vector is not unique to AsyncAPI
Also Worth Noting
The NCSC published a blog today announcing that certified Cyber Advisors are offering free 30-minute consultations to help small businesses get started with cyber security. I will be honest: I have mixed feelings about initiatives that position 30 minutes as meaningful engagement with an organisation’s security posture. But it is free, it is a starting point, and for businesses that genuinely do not know where to begin, it is better than nothing. The link is in the sources below.
Separately, Microsoft has halted Patch Tuesday updates for some Dell devices following reports of unexpected shutdowns and overheating after installation. Affected models have not been publicly specified. If you have Dell hardware in your estate and your systems flagged an update issue this week, that is likely the cause. Do not manually force the update until Microsoft confirms the issue is resolved.
Sources
If Threat Analysis is useful to you, follow the show wherever you listen so tomorrow’s briefing lands automatically. And if you know someone who should be across this, a colleague, a peer, a business owner who still thinks they are too small to be a target, send it to them. The best thing this briefing can do is reach the people who need it before the incident does.