TL;DR
Datadog Security Labs reports multiple overlapping campaigns systematically enumerating corporate GitHub organizations and repositories through API abuse using dormant accounts. Microsoft disassembles GigaWiper, a Windows backdoor bundling three destructive payloads: disk wiper, fake ransomware, and spyware. npm version 12 disables install scripts by default to counter supply-chain attacks.
Executive Summary
- Attackers are systematically enumerating corporate GitHub organizations, repositories, and user accounts through the GitHub API using dormant accounts and custom user agents to evade detection.
- Microsoft has identified GigaWiper, a destructive Windows backdoor that bundles three older malware tools—disk wiper, fake ransomware generator, and spyware—as operator-selectable commands.
- GitHub released npm version 12 disabling install scripts by default and deprecating granular access tokens designed to bypass two-factor authentication, closing supply-chain attack vectors.
- The Injective Labs SDK on npm was compromised, publishing a malicious package that stole cryptocurrency wallet private keys and seed phrases.
- A new data-extortion group called Helix is using voice phishing, device code phishing, and MFA abuse to steal data from SharePoint environments.
Top Threats Today
1. GitHub API Enumeration Campaign via Dormant Accounts
Severity: HIGH Affected: Technology
Datadog Security Labs is warning of several overlapping campaigns that are systematically enumerating corporate GitHub organizations, repositories, and user accounts through the GitHub API [1]. Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, leveraging dormant GitHub accounts to blend in and avoid detection [1].
Sources:[1] The Hacker News
Recommended Action
- Audit GitHub API access logs for unusual enumeration patterns, especially from dormant or infrequently used accounts.
- Review GitHub organization settings to restrict API access and implement rate limiting on sensitive endpoints.
- Monitor for account creation and authentication anomalies across corporate GitHub instances.
- Enable GitHub audit logging and correlate with identity provider (IdP) authentication events.
2. GigaWiper: Destructive Windows Backdoor Combining Disk Wipe, Ransomware, and Spyware
Severity: HIGH Affected: Technology
Microsoft has disassembled a destructive Windows backdoor it calls GigaWiper, which stands out for combining three older destructive programs into a single tool offering operator-selectable commands [1]. Each payload provides a different attack vector: full disk wipe, fake ransomware generation, and spyware functionality ⚠[1].
Sources:[1] The Hacker News
Recommended Action
- Hunt for GigaWiper indicators of compromise across Windows endpoints using Microsoft telemetry and threat intelligence feeds.
- Implement application whitelisting and AppLocker policies to restrict execution of suspicious remote administration tools.
- Segment networks to isolate critical systems and enforce principle of least privilege for administrator credentials.
- Enable Windows Defender endpoint detection and response (EDR) and correlate with SIEM alerts.
3. npm Version 12 Disables Install Scripts; Supply-Chain Risk Mitigation
Severity: MEDIUM Affected: Technology
GitHub has officially announced the release of npm version 12 with install scripts disabled by default, along with deprecating granular access tokens (GATs) designed ⚠ to bypass two-factor authentication (2FA) [1]. This addresses a long-standing supply-chain attack vector in Node.js ecosystems [1].
Sources:[1] The Hacker News
Recommended Action
- Update development environments and CI/CD pipelines to npm version 12.
- Audit any existing granular access tokens in use and migrate to token-based authentication requiring 2FA.
- Review npm dependencies for recent suspicious activity in package changelogs and maintainer accounts.
- Implement npm security scanning in the software composition analysis (SCA) pipeline.
4. Injective SDK Compromised on npm: Cryptocurrency Wallet Stealer
Severity: HIGH Affected: Technology
Hackers compromised the Injective Labs SDK project's GitHub repository and used it to publish a malicious package on the Node Package Manager (npm) that stole cryptocurrency wallet private keys and mnemonic seed phrases [1].
Sources:[1] BleepingComputer
Recommended Action
- Immediately rotate all cryptocurrency wallet credentials and keys used in development or deployment environments.
- Scan development machine history for execution of the malicious Injective SDK package.
- Audit npm dependencies in all projects for other trojanized packages; use SBOM tools to identify installation dates.
- Notify users and stakeholders of potential wallet exposure and advise emergency key rotation.
5. Helix Vishing Group Targets SharePoint with MFA Abuse
Severity: HIGH Affected: Technology
A new data-extortion group called Helix is using identity-focused tactics such as voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to steal data from SharePoint environments [1].
Sources:[1] BleepingComputer
Recommended Action
- Review SharePoint access logs and data exfiltration events; correlate with MFA challenge patterns.
- Deploy conditional access policies to restrict SharePoint access to managed devices and trusted networks.
- Enable passwordless sign-in and require Windows Hello or FIDO2 keys to reduce vishing effectiveness.
- Train users on device code phishing and vishing tactics; establish internal verification procedures before credential requests.
Today’s Action Checklist
- ☐ URGENT: Audit GitHub API access logs for enumeration activity; isolate and review any dormant accounts with recent activity.
- ☐ URGENT: Hunt Windows endpoints for GigaWiper indicators; enable EDR and correlate with suspicious process execution and disk-write patterns.
- ☐ HIGH: Rotate cryptocurrency wallet credentials and keys if Injective SDK was used in development pipelines.
- ☐ HIGH: Review and revoke granular access tokens; update npm to version 12 in CI/CD and development environments.
- ☐ HIGH: Enforce conditional access policies on SharePoint; deploy device code phishing and vishing awareness training.