TTP Advisory: Multiple Threats | Helix Vishing: New SharePoint data theft via voice phishing | Ill Bloom: Crypto wallet recovery phrase weakness — $5M+ stolen | Injective SDK: npm package infected with crypto wallet stealer
Helix Vishing Group — Voice Phishing Targeting SharePoint Data Theft
A new threat actor tracked as ‘Helix’ is using voice-based phishing (vishing) to target Microsoft 365 users and steal SharePoint data. The attackers call targeted users, pose as IT support, and persuade them to disclose credentials or approve multi-factor authentication requests. Once they gain access, they target SharePoint document libraries for data theft. This is a growing attack vector: voice phishing bypasses email security controls and exploits human trust in phone-based support interactions.
Recommended action: Educate users about vishing attacks. Remind them that IT support will never ask for passwords or MFA codes over the phone. Implement number verification for help desk calls.
Ill Bloom — Crypto Wallet Vulnerability Drains $5M+ From 431 Wallets
Coinspect disclosed a crypto wallet flaw called ‘Ill Bloom’ that attackers are already using. The flaw is in how some wallet software generates its recovery phrase — when that phrase is made with weak randomness, an attacker can work it out and take everything it controls. A coordinated sweep on May 27 drained approximately $3.1 million from 431 wallets. A further $2.1 million in USDT was stolen from an exposed wallet afterward, pushing confirmed losses past $5 million. Wallets created on hardware devices are not affected. The real risk sits with older or lesser-known wallets, both mobile apps and browser extensions, some dating back to 2018.
Recommended action: Users of crypto wallets — especially older or lesser-known software wallets — should migrate to hardware wallets or well-known software wallets with verified randomness. Check if your wallet software has been affected by this vulnerability.
Injective SDK on npm — Cryptocurrency Wallet Stealer Disguised as Legitimate SDK
A malicious npm package disguised as the Injective SDK (a cryptocurrency development kit) has been found in the npm registry. The package infects systems with a cryptocurrency wallet stealer that targets browser extensions and software wallets. This is a supply chain attack targeting developers who work with the Injective blockchain ecosystem.
Recommended action: Developers should verify the npm package name and publisher before installing. Check npm audit for any suspicious packages. Only use the official Injective SDK from the verified publisher.
References
- BleepingComputer: Helix vishing group
- The Hacker News: Ill Bloom crypto vulnerability
- BleepingComputer: Injective SDK npm infection
Part of the Vulnerability Intelligence series on threat-modeling.com. July 10, 2026 Report.
