Helix Vishing Group Targets SharePoint Data Theft; Ill Bloom Crypto Wallet Vulnerability Drains $5M; Injective SDK on npm Infected

Helix Vishing Group Targets SharePoint Data Theft; Ill Bloom Crypto Wallet Vulnerability Drains $5M; Injective SDK on npm Infected

TTP Advisory: Multiple Threats | Helix Vishing: New SharePoint data theft via voice phishing | Ill Bloom: Crypto wallet recovery phrase weakness — $5M+ stolen | Injective SDK: npm package infected with crypto wallet stealer


Helix Vishing Group — Voice Phishing Targeting SharePoint Data Theft

A new threat actor tracked as ‘Helix’ is using voice-based phishing (vishing) to target Microsoft 365 users and steal SharePoint data. The attackers call targeted users, pose as IT support, and persuade them to disclose credentials or approve multi-factor authentication requests. Once they gain access, they target SharePoint document libraries for data theft. This is a growing attack vector: voice phishing bypasses email security controls and exploits human trust in phone-based support interactions.

Recommended action: Educate users about vishing attacks. Remind them that IT support will never ask for passwords or MFA codes over the phone. Implement number verification for help desk calls.


Ill Bloom — Crypto Wallet Vulnerability Drains $5M+ From 431 Wallets

Coinspect disclosed a crypto wallet flaw called ‘Ill Bloom’ that attackers are already using. The flaw is in how some wallet software generates its recovery phrase — when that phrase is made with weak randomness, an attacker can work it out and take everything it controls. A coordinated sweep on May 27 drained approximately $3.1 million from 431 wallets. A further $2.1 million in USDT was stolen from an exposed wallet afterward, pushing confirmed losses past $5 million. Wallets created on hardware devices are not affected. The real risk sits with older or lesser-known wallets, both mobile apps and browser extensions, some dating back to 2018.

Recommended action: Users of crypto wallets — especially older or lesser-known software wallets — should migrate to hardware wallets or well-known software wallets with verified randomness. Check if your wallet software has been affected by this vulnerability.


Injective SDK on npm — Cryptocurrency Wallet Stealer Disguised as Legitimate SDK

A malicious npm package disguised as the Injective SDK (a cryptocurrency development kit) has been found in the npm registry. The package infects systems with a cryptocurrency wallet stealer that targets browser extensions and software wallets. This is a supply chain attack targeting developers who work with the Injective blockchain ecosystem.

Recommended action: Developers should verify the npm package name and publisher before installing. Check npm audit for any suspicious packages. Only use the official Injective SDK from the verified publisher.


References


Part of the Vulnerability Intelligence series on threat-modeling.com. July 10, 2026 Report.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!