ShareFile Shutdown, Injective npm Theft & Entra Passkey Fraud (07/10/2026)

July 10, 2026
ShareFile Shutdown, Injective npm Theft & Entra Passkey Fraud (07/10/2026)
Key Intel / TL;DR
  • Progress told ShareFile customers to shut down their on-prem Storage Zone Controllers over a credible external threat, echoing the MOVEit playbook against a managed file transfer product.
  • Attackers compromised the Injective Labs GitHub repo and pushed a malicious npm package that steals wallet private keys and seed phrases.
  • A voice-based social engineering campaign tricks Microsoft 365 users into enrolling an attacker's Entra passkey for persistent access.
  • A crew left its own server exposed for three weeks, revealing WP-SHELLSTORM backdoors and a target list of over 1.4 million WordPress sites.
  • A Ryuk operator pleaded guilty and a Blackcat/AlphV conspirator drew nearly six years, part of a run of ransomware convictions.

Progress is telling ShareFile customers to power off their own servers, which tells you how bad the threat is before anyone has published a CVE. A poisoned Injective SDK on npm is draining crypto wallets, and attackers are calling Microsoft 365 users to walk them through enrolling a passkey that belongs to the attacker. The pattern this week is trust turned into a delivery mechanism: your file transfer vendor, your package registry, your own MFA enrollment flow.

Top 5 Critical Security Alerts

1. Progress Tells ShareFile Admins to Shut Down Storage Zone Controllers

Progress Software emailed ShareFile customers running on-premises Storage Zone Controllers to immediately shut the Windows servers down, citing a “credible external security threat” against the file-sharing product (The Hacker News, BleepingComputer). Progress is the company behind MOVEit, and a managed file transfer product is exactly the target Cl0p-style crews mine for mass data theft, so “turn it off” is the right call even at the cost of downtime.

Operator Note: If you run ShareFile Storage Zone Controllers on-prem, the containment step is the shutdown, not a patch you are waiting on. Assume data access, not just service disruption.

2. Injective Labs GitHub Compromise Pushes Wallet-Stealing npm Package

Threat actors compromised the Injective Labs SDK GitHub repository and used it to publish a malicious npm package that steals cryptocurrency wallet private keys and mnemonic seed phrases (The Hacker News, BleepingComputer). A trusted first-party SDK is a better delivery vehicle than any phishing email, because developers install it without a second look and ship it straight into production.

Operator Note: Pin dependencies to known-good versions and treat a first-party SDK update like untrusted code until you have diffed it. The registry is not a trust boundary.

3. Exposed Server Reveals WP-SHELLSTORM Backdooring WordPress at Scale

A cybercrime crew left one of its own servers open to the internet for three weeks, exposing its tooling, activity logs, and a target list naming more than 1.4 million WordPress sites seeded with WP-SHELLSTORM backdoors (The Hacker News). The target count is the ceiling, not the confirmed compromise total, but a persistent web-shell on a fraction of that list is a large pool of resold access.

4. Fake Microsoft Entra Passkey Enrollment Hands Over Microsoft 365

A threat actor is running voice-based social engineering that pushes Microsoft 365 users to enroll a new Entra passkey, then uses that attacker-controlled credential for data-extortion access (The Hacker News). This is the ugly turn in the passwordless story: enrolling an attacker’s passkey is phishing-resistant login for the attacker, and it survives the victim’s password reset.

Operator Note: Lock down who can self-enroll authentication methods and alert on new passkey registrations. Passwordless does not remove the enrollment step from the threat model.

5. Ryuk and AlphV Operators Face Prison in a Run of Ransomware Convictions

A man accused of deploying Ryuk pleaded guilty in Oregon federal court, while a Blackcat/AlphV conspirator drew a 70-month sentence in Florida, and a separate Florida ransomware negotiator was convicted for helping a gang extort US companies (The Record, TechCrunch). Convictions raise the personal cost of running these operations, though the affiliate model refills seats faster than courts empty them.

Additional Security Alerts

Threat Intelligence

  • Six New U-Boot Flaws Enable Boot-Time Code Execution: Binarly found six vulnerabilities in the U-Boot bootloader that starts routers, smart cameras, and server management chips, four of which can run code at boot for stealthy firmware attacks below the operating system. BleepingComputer

Security Breaches & Incidents

  • Miinto Confirms Order-System Breach: The Copenhagen fashion marketplace warned shoppers to watch for phishing after an intruder accessed its order management system. The Register

Cloud & Network Security

  • CISA Details Response to Exposed AWS GovCloud Keys: CISA published how it responded after sensitive AWS GovCloud credentials and internal data were committed to a public GitHub repository, a reminder that secrets in source control remain a top exposure path. Infosecurity Magazine

Emerging Security Technologies

  • Attacks on Healthcare Service Providers More Than Doubled: Cyberattacks on hospitals grew modestly in the first half of 2026, but attacks on the service providers and business associates behind them more than doubled, moving the pressure to the softer third-party layer. Dark Reading

The Axe Report is a daily briefing from Grab The Axe. Need help assessing your organization’s security posture? Take our free Human Attack Surface Score assessment.

Distribute Intel
Chris Armour
Director of Information Security
Chris Armour
The Breaker & Builder.

Operating on the philosophy that 'you can't build a secure system if you don't know how to break it,' Chris leads our engineering division. A top 1% National Cyber League competitor, he hardens our digital infrastructure against the very exploits he has mastered.

View Profile →
Press & Media

Media Inquiries

For expert commentary, interview requests, or high-res assets regarding this announcement, initialize the terminal.

Initialize Terminal

Initiate
Deployment.

Whether you need a full adversarial facility audit or an executive resilience protocol for your leadership team.

Secure the Facility (Assessments)
Secure the Mind (Coaching/Speaking)