Anomali Cyber Watch

Software Supply Chain Attacks Hit Developer Tools as Russian APT28 Expands Domestic Infrastructure

Published on
June 1, 2026
<p> <strong> Threat Assessment Level: ELEVATED </strong> </p> <p> <em> Maintained from prior cycle. APT28 active C2 infrastructure now includes US-hosted nodes, CISA has issued a formal supply chain compromise alert targeting developer ecosystems, and building automation vulnerabilities affect state facilities. No escalation to HIGH warranted absent confirmed exploitation of state systems, but the convergence of supply chain, nation-state, and OT threats demands immediate defensive action. </em> </p> <h2> <strong> Introduction </strong> </h2> <p> State government IT leaders face an uncomfortable reality this week: the tools your developers trust are being weaponized against you, Russian military intelligence is hosting command-and-control servers on American soil, and the building automation systems keeping your facilities running have unpatched vulnerabilities with no established remediation timeline. </p> <p> On May 28, CISA issued a priority alert on software supply chain intrusions targeting CI/CD pipelines and developer tooling &mdash; specifically VS Code extensions and npm packages. Simultaneously, a live campaign is stealing AI coding tool credentials through a poisoned npm package downloaded 29,000+ times per week. For state agencies accelerating AI adoption in development workflows, this is not a theoretical risk &mdash; it is an active operation. </p> <p> This brief provides the intelligence your SOC, DevOps, and facilities teams need to act today. 
</p> <h2> <strong> What Changed (Past 72 Hours) </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Significance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> May 28, 2026 </p> </td> <td> <p> CISA issues supply chain alert: Nx Console VS Code extension compromised, GitHub repository intrusions confirmed </p> </td> <td> <p> State developer environments using VS Code and npm are directly exposed </p> </td> </tr> <tr> <td> <p> May 28, 2026 </p> </td> <td> <p> CISA publishes 7 ICS advisories including ABB EIBPORT and Schneider Electric EcoStruxure HVAC </p> </td> <td> <p> State building automation systems require firmware updates </p> </td> </tr> <tr> <td> <p> May 29, 2026 </p> </td> <td> <p> CISA adds new entry to Known Exploited Vulnerabilities (KEV) catalog </p> </td> <td> <p> Mandatory patching timeline triggered for FCEB; state agencies should mirror </p> </td> </tr> <tr> <td> <p> May 31, 2026 </p> </td> <td> <p> CHATTY SPIDER physical in-person pretexting confirmed </p> </td> <td> <p> Bypasses all technical controls via social engineering; front-line staff briefing required </p> </td> </tr> <tr> <td> <p> May 31, 2026 &ndash; June 1, 2026 </p> </td> <td> <p> 73 GlassWorm sleeper extensions confirmed on OpenVSX marketplace; 6 have activated malicious payloads </p> </td> <td> <p> Time-bomb approach defeats point-in-time scanning; developer extension inventories require immediate audit </p> </td> </tr> <tr> <td> <p> June 1, 2026 </p> </td> <td> <p> <strong> APT28 (Russian GRU) C2 infrastructure refreshed &mdash; 3 new high-confidence IPs including one US-hosted </strong> </p> </td> <td> <p> Domestic hosting defeats geographic filtering; behavioral detection required </p> </td> </tr> <tr> <td> <p> June 1, 2026 </p> </td> <td> <p> Aikido Security confirms active npm token theft campaign via codexui-android package </p> </td> <td> <p> AI coding tool credentials (OpenAI 
Codex) exfiltrated with non-expiring refresh tokens </p> </td> </tr> <tr> <td> <p> June 1, 2026 </p> </td> <td> <p> Microsoft resolves KB5089549 installation failure &mdash; fleet patching unblocked </p> </td> <td> <p> Windows 11 devices that failed patching can now proceed </p> </td> </tr> </tbody> </table> <h2> <strong> Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Actor / Campaign </strong> </p> </th> <th> <p> <strong> Activity </strong> </p> </th> <th> <p> <strong> Impact to State Government </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> April 12, 2026 </p> </td> <td> <p> Unknown (BrutalStrike) </p> </td> <td> <p> Registration of anyclaw[.]store C2 domain </p> </td> <td> <p> Infrastructure staging for developer tool credential theft </p> </td> </tr> <tr> <td> <p> May 17&ndash;21, 2026 </p> </td> <td> <p> Unknown </p> </td> <td> <p> CVE-2026-0257 (Palo Alto GlobalProtect VPN) mass exploitation </p> </td> <td> <p> State VPN infrastructure at risk; patch verification required </p> </td> </tr> <tr> <td> <p> May 28, 2026 </p> </td> <td> <p> Unknown </p> </td> <td> <p> Nx Console VS Code extension compromised </p> </td> <td> <p> Developer workstations executing malicious JavaScript </p> </td> </tr> <tr> <td> <p> May 29, 2026 </p> </td> <td> <p> CISA </p> </td> <td> <p> KEV catalog update </p> </td> <td> <p> Patching clock starts for affected systems </p> </td> </tr> <tr> <td> <p> May 31, 2026 </p> </td> <td> <p> APT28 (Russia/GRU) </p> </td> <td> <p> Fresh C2 at 103.213.112[.]252 activated (97% confidence) </p> </td> <td> <p> Government network targeting infrastructure live </p> </td> </tr> <tr> <td> <p> May 31, 2026 </p> </td> <td> <p> CHATTY SPIDER </p> </td> <td> <p> Physical in-person pretexting confirmed </p> </td> <td> <p> Bypasses all technical controls via social engineering </p> </td> </tr> <tr> <td> <p> June 1, 2026 </p> </td> <td> <p> APT28 (Russia/GRU) </p> </td> <td> <p> 3 
additional C2 IPs activated including US-based node </p> </td> <td> <p> Domestic infrastructure evades geo-based detection </p> </td> </tr> <tr> <td> <p> June 1, 2026 </p> </td> <td> <p> Unknown (BrutalStrike) </p> </td> <td> <p> codexui-android npm package actively exfiltrating Codex tokens </p> </td> <td> <p> State developers using AI tools face credential compromise </p> </td> </tr> </tbody> </table> <h2> <strong> Key Threat Analysis </strong> </h2> <h3> <strong> 1. Developer Tooling Supply Chain Under Coordinated Attack </strong> </h3> <p> Three distinct but converging campaigns are targeting the software development ecosystem: </p> <p> <strong> Campaign A &mdash; Nx Console VS Code Extension Compromise </strong> </p> <p> CISA's May 28 alert confirms that the popular Nx Console extension for VS Code has been compromised, enabling attackers to execute malicious JavaScript on developer workstations and pivot into GitHub repositories. This is a trusted-relationship attack (ATT&amp;CK T1199) &mdash; developers install extensions expecting them to be safe. </p> <p> <strong> Campaign B &mdash; codexui-android npm Token Theft </strong> </p> <p> A malicious npm package (codexui-android) with 29,000+ weekly downloads is exfiltrating OpenAI Codex authentication tokens &mdash; including refresh tokens that never expire. Stolen tokens are sent to sentry.anyclaw[.]store, a domain masquerading as the legitimate Sentry error-tracking service. The credential cache at ~/.codex/auth.json is the target file. </p> <p> <strong> Campaign C &mdash; GlassWorm Sleeper Extensions </strong> </p> <p> 73 extensions on the OpenVSX marketplace are confirmed "sleepers" &mdash; benign at installation, they activate malicious payloads only after a subsequent update. Six have already activated. This time-bomb approach defeats point-in-time security scanning. 
</p> <p> <strong> Why this matters for state government: </strong> Any agency with development teams using VS Code, npm packages, or AI coding assistants (Codex, Copilot, or similar) is in the blast radius. Stolen tokens provide persistent, silent access to connected code repositories, internal documentation, and any service authenticated through the compromised identity. </p> <h3> <strong> 2. APT28 (Russian GRU) &mdash; US-Hosted Command and Control </strong> </h3> <p> APT28 (also known as Fancy Bear, Forest Blizzard, Sofacy) has refreshed its command-and-control infrastructure with three new high-confidence indicators, including a node hosted within the United States at 143.20.185[.]242. </p> <p> <strong> Why domestic hosting matters: </strong> Most state network security architectures include geographic filtering that flags or blocks connections to known adversary-hosting countries. A US-based C2 server bypasses this entirely. Connections from state endpoints to this IP would appear as normal domestic traffic. Detection must shift from IP reputation to behavioral analysis &mdash; specifically monitoring for application-layer protocol abuse (T1071) and non-standard port usage (T1571). </p> <p> An additional hash (cb23dbc0a61019d3e1c8a5c3d07a3a09) carries dual attribution to both APT28 and APT27 (China), suggesting possible shared tooling or deliberate false-flag operations. Both attributions are preserved pending further evidence. </p> <h3> <strong> 3. 
Building Automation Vulnerabilities &mdash; ABB and Schneider Electric </strong> </h3> <p> CISA published ICS advisories on May 28 affecting systems commonly deployed in state government facilities: </p> <ul> <li> <strong> ABB EIBPORT </strong> (ICSA-26-148-03): Building automation controller &mdash; firmware update required </li> <li> <strong> Schneider Electric EcoStruxure Machine Expert HVAC </strong> (ICSA-26-148-07): HVAC management platform vulnerability </li> <li> <strong> ABB Busch-Welcome 2 Wire Door Opener Actuator </strong> (ICSA-26-148-04): Physical access control vulnerability </li> </ul> <p> No confirmed exploitation exists, but these systems typically lack established patch cycles in state facilities. An attacker exploiting these vulnerabilities could manipulate building controls (T0831), modify operational parameters (T0836), or send unauthorized commands (T0855) &mdash; with potential impacts ranging from HVAC disruption to physical access control bypass. </p> <h3> <strong> 4. 
Persistent Threats &mdash; Unchanged but Active </strong> </h3> <p> The following threats from prior cycles remain active and require continued vigilance: </p> <table> <thead> <tr> <th> <p> <strong> Actor </strong> </p> </th> <th> <p> <strong> Origin </strong> </p> </th> <th> <p> <strong> Status </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> APT28 </p> </td> <td> <p> Russia/GRU </p> </td> <td> <p> Active C2 expansion (this cycle) </p> </td> </tr> <tr> <td> <p> APT42 </p> </td> <td> <p> Iran/IRGC-IO </p> </td> <td> <p> Active; no new state gov indicators </p> </td> </tr> <tr> <td> <p> Kimsuky/APT43 </p> </td> <td> <p> DPRK </p> </td> <td> <p> Active; VS Code tunneling TTP previously detected </p> </td> </tr> <tr> <td> <p> Void Blizzard/COZY BEAR </p> </td> <td> <p> Russia/SVR </p> </td> <td> <p> Active; government targeting continues </p> </td> </tr> <tr> <td> <p> PUNK SPIDER (Akira) </p> </td> <td> <p> Criminal </p> </td> <td> <p> Updated today; no new state/local victims </p> </td> </tr> <tr> <td> <p> ROYAL SPIDER (BlackSuit) </p> </td> <td> <p> Criminal </p> </td> <td> <p> Updated today; no new state/local victims </p> </td> </tr> <tr> <td> <p> CHATTY SPIDER (Silent Ransom) </p> </td> <td> <p> Criminal </p> </td> <td> <p> Physical pretexting confirmed May 31 </p> </td> </tr> <tr> <td> <p> DragonForce </p> </td> <td> <p> Criminal </p> </td> <td> <p> Active </p> </td> </tr> <tr> <td> <p> TEMP.Hex </p> </td> <td> <p> Unknown </p> </td> <td> <p> Tracked </p> </td> </tr> </tbody> </table> <p> <strong> Notable absence: </strong> Volt Typhoon and Salt Typhoon (China) have produced zero indicators across multiple collection cycles. Given their documented focus on US critical infrastructure pre-positioning, operational silence is consistent with long-dwell operations rather than inactivity. This warrants proactive hunting, not complacency. 
</p> <h2> <strong> Predictive Analysis </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Additional supply chain attacks targeting developer tooling (VS Code, npm, AI assistants) </p> </td> <td> <p> <strong> 70% (HIGH) </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> <strong> Three concurrent campaigns indicate coordinated ecosystem targeting; low barrier to entry for copycat attacks </strong> </p> </td> </tr> <tr> <td> <p> APT28 uses US-hosted infrastructure for phishing or credential harvesting against government targets </p> </td> <td> <p> <strong> 50% (MODERATE) </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> Domestic hosting reduces detection; historical pattern of government targeting </p> </td> </tr> <tr> <td> <p> Ransomware group (Akira or BlackSuit) hits a state/local government entity </p> </td> <td> <p> <strong> 45% (MODERATE) </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> Both groups updated today with active operations; state/local gov is a documented target vertical </p> </td> </tr> <tr> <td> <p> CHATTY SPIDER physical pretexting attempt against a state agency </p> </td> <td> <p> <strong> 35% (MODERATE) </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> Technique confirmed May 31; state agencies with public-facing offices are accessible targets </p> </td> </tr> <tr> <td> <p> Volt Typhoon/Salt Typhoon indicators surface revealing pre-positioned access in US infrastructure </p> </td> <td> <p> <strong> 20% (LOW) </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> Operational silence consistent with long-dwell; detection depends on network anomaly hunting </p> </td> </tr> <tr> <td> <p> Exploitation of ABB/Schneider building automation vulnerabilities in state facilities </p> </td> <td> <p> <strong> 
15% (LOW) </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> No confirmed exploitation; requires network access to OT segment </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Immediate Detection Priorities </strong> </h3> <p> <strong> Hunt Hypothesis 1: Developer Workstation Compromise via Supply Chain </strong> </p> <ul> <li> <strong> What to look for: </strong> Outbound connections from developer workstations to sentry.anyclaw[.]store or any *.anyclaw[.]store subdomain. File access to ~/.codex/auth.json by non-Codex processes. Installation of npm package codexui-android. </li> <li> <strong> ATT&amp;CK techniques: </strong> T1195.002 (Supply Chain Compromise), T1528 (Steal Application Access Token), T1567.002 (Exfiltration to Cloud Storage), T1059.007 (JavaScript Execution) </li> <li> <strong> Detection logic: </strong> DNS queries or proxy logs for anyclaw[.]store; EDR file access telemetry for auth.json in user home directories; npm audit logs showing codexui-android in any package-lock.json </li> </ul> <p> <strong> Hunt Hypothesis 2: APT28 C2 Communication </strong> </p> <ul> <li> <strong> What to look for: </strong> Any network connection (inbound or outbound) to 45.71.14[.]204, 209.99.185[.]239, or 143.20.185[.]242. Pay particular attention to the US-based IP, which will not trigger geo-anomaly alerts. </li> <li> <strong> ATT&amp;CK techniques: </strong> T1071 (Application Layer Protocol), T1571 (Non-Standard Port) </li> <li> <strong> Detection logic: </strong> Firewall/proxy logs for connections to listed IPs on any port. EDR process-to-network correlation for any process communicating with these IPs. Alert on non-standard port usage (anything other than 80/443) to the US-based IP specifically. </li> </ul> <p> <strong> Hunt Hypothesis 3: VS Code Extension Abuse </strong> </p> <ul> <li> <strong> What to look for: </strong> VS Code extensions sourced from OpenVSX (not Microsoft Marketplace). 
Extensions with recent updates that added network communication capabilities. VS Code Remote Tunnels being used as C2 channels (previously observed with Kimsuky). </li> <li> <strong> ATT&amp;CK techniques: </strong> T1195.002 (Supply Chain Compromise), T1059.007 (JavaScript), T1572 (Protocol Tunneling) </li> <li> <strong> Detection logic: </strong> Enumerate installed extensions across developer fleet; flag any from OpenVSX. Monitor for code tunnel process spawning or VS Code establishing persistent outbound WebSocket connections to non-Microsoft domains. </li> </ul> <h3> <strong> Blocking Actions </strong> </h3> <table> <thead> <tr> <th> <p> <strong> IOC Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 45.71.14[.]204 </p> </td> <td> <p> APT28 C2 &mdash; confidence 91% </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 209.99.185[.]239 </p> </td> <td> <p> APT28 C2 &mdash; confidence 98% </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 143.20.185[.]242 </p> </td> <td> <p> APT28 C2 (US-hosted) &mdash; confidence 98% </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> sentry.anyclaw[.]store </p> </td> <td> <p> npm token exfiltration C2 </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> anyclaw[.]store </p> </td> <td> <p> Parent domain for token theft infrastructure </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> cb23dbc0a61019d3e1c8a5c3d07a3a09 </p> </td> <td> <p> APT28/APT27 dual-attributed malware </p> </td> </tr> </tbody> </table> <p> <em> Additional IOCs &mdash; including file hashes associated with the campaigns described in this report &mdash; are available through Anomali ThreatStream Next-Gen and partner feeds. Query ThreatStream Next-Gen for APT28, BrutalStrike, and GlassWorm indicator sets. 
</em> </p> <h3> <strong> Monitoring Adjustments </strong> </h3> <ol> <li> <strong> Increase logging verbosity </strong> on developer workstations for npm install/update operations and VS Code extension lifecycle events </li> <li> <strong> Enable DNS query logging </strong> if not already active &mdash; critical for detecting C2 callbacks to anyclaw[.]store variants </li> <li> <strong> Review geo-based alerting rules </strong> &mdash; confirm that behavioral detection (non-standard ports, unusual process-to-network mappings) supplements IP reputation for domestic-hosted threats </li> <li> <strong> OT/BAS network monitoring </strong> &mdash; confirm segmentation between IT and building automation networks; alert on any cross-segment traffic to ABB or Schneider controllers </li> </ol> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services (State Treasury, Revenue, Benefits Processing) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Credential theft via supply chain (codexui-android) could compromise developer access to financial transaction systems </li> <li> <strong> Action: </strong> Audit any development teams building or maintaining benefits processing, tax filing, or payment systems for npm dependency hygiene. Ensure service accounts for financial APIs use hardware-bound credentials (FIDO2/WebAuthn) rather than bearer tokens </li> <li> <strong> Monitor: </strong> Unusual API call patterns to financial SaaS platforms (Salesforce, ServiceNow) that could indicate stolen token reuse </li> </ul> <h3> <strong> Energy &amp; Utilities (Water/Wastewater SCADA, Building Automation) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> ABB EIBPORT and Schneider Electric EcoStruxure vulnerabilities (ICSA-26-148-03, ICSA-26-148-07) directly affect operational technology </li> <li> <strong> Action: </strong> Verify network segmentation between IT and OT/BAS networks. 
Confirm that building automation controllers are not internet-accessible. Schedule firmware updates within 7 days for affected ABB and Schneider systems </li> <li> <strong> Monitor: </strong> Any new connections to building automation controller IP ranges from IT network segments; unauthorized parameter changes in HVAC or water treatment systems </li> </ul> <h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Ransomware groups (Akira, BlackSuit) actively target healthcare; CHATTY SPIDER physical pretexting could target facilities with public waiting areas </li> <li> <strong> Action: </strong> Verify offline backup integrity for Medicaid enrollment and claims processing systems. Brief front-desk and reception staff on social engineering pretexting scenarios &mdash; attackers posing as IT support or vendor representatives </li> <li> <strong> Monitor: </strong> Unusual after-hours RDP/VPN connections to systems containing PHI; callback phishing attempts (voicemail-themed emails directing staff to call attacker-controlled numbers) </li> </ul> <h3> <strong> Government (Executive Branch Agencies, Elections) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> APT28 (Russia/GRU) active C2 expansion with US-hosted infrastructure; nation-state espionage targeting government credentials </li> <li> <strong> Action: </strong> Block all three APT28 IPs immediately. Review Azure AD/Entra ID sign-in logs for any authentication from the listed IP ranges. 
Confirm MFA enforcement on all privileged accounts with no exceptions </li> <li> <strong> Monitor: </strong> Impossible-travel alerts in identity provider; service principal credential usage outside normal automation windows; any connection to APT28 infrastructure from state network ranges </li> </ul> <h3> <strong> Aviation &amp; Logistics (State DOT, Airport Authorities, Fleet Management) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Supply chain compromise of CI/CD pipelines could affect transportation management systems; ICS vulnerabilities in traffic management controllers </li> <li> <strong> Action: </strong> Audit GitHub Actions workflows for any use of mutable version tags (use commit SHA pinning instead). Review network segmentation for traffic management and fleet tracking systems </li> <li> <strong> Monitor: </strong> Unusual commits or workflow runs in transportation system repositories; any lateral movement from IT networks toward traffic management or fleet GPS systems </li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 🔴 </p> </td> <td> <p> SOC </p> </td> <td> <p> Block APT28 C2 IPs at perimeter firewall, proxy, and EDR: 45.71.14[.]204, 209.99.185[.]239, 143.20.185[.]242. Deploy hash block for cb23dbc0a61019d3e1c8a5c3d07a3a09 (MD5). Retrieve additional file hashes from ThreatStream Next-Gen APT28 indicator set </p> </td> </tr> <tr> <td> <p> 🔴 </p> </td> <td> <p> SOC </p> </td> <td> <p> Block DNS resolution for sentry.anyclaw[.]store and anyclaw[.]store at DNS resolver and web proxy </p> </td> </tr> <tr> <td> <p> 🔴 </p> </td> <td> <p> DevOps </p> </td> <td> <p> Scan all developer workstations and CI/CD pipelines for npm package codexui-android. 
If found: isolate machine, revoke all associated tokens, rotate credentials </p> </td> </tr> <tr> <td> <p> 🔴 </p> </td> <td> <p> DevOps </p> </td> <td> <p> Check for ~/.codex/auth.json on developer machines &mdash; if any OpenAI/Codex tokens exist, revoke and reissue immediately </p> </td> </tr> <tr> <td> <p> 🔴 </p> </td> <td> <p> IT Security </p> </td> <td> <p> Brief help desk and reception staff on CHATTY SPIDER physical pretexting: attackers arriving in person posing as IT vendors or support staff to gain physical access </p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY Actions </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 🟠 </p> </td> <td> <p> DevOps </p> </td> <td> <p> Implement VS Code extension allowlisting &mdash; restrict to Microsoft Marketplace verified publishers only. Remove any extensions sourced from OpenVSX pending security review </p> </td> </tr> <tr> <td> <p> 🟠 </p> </td> <td> <p> DevOps </p> </td> <td> <p> Pin all npm dependencies to exact versions with integrity hashes (npm shrinkwrap or lockfile-lint). Enable npm audit in CI/CD pipelines as a blocking gate </p> </td> </tr> <tr> <td> <p> 🟠 </p> </td> <td> <p> Facilities IT </p> </td> <td> <p> Deploy firmware updates for ABB EIBPORT controllers (ICSA-26-148-03), Schneider Electric EcoStruxure HVAC (ICSA-26-148-07), and ABB Busch-Welcome door actuators (ICSA-26-148-04) </p> </td> </tr> <tr> <td> <p> 🟠 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Deploy KB5089573 to Windows 11 fleet. 
Identify devices with &le;10MB free EFI System Partition space that may have failed KB5089549 and remain unpatched </p> </td> </tr> <tr> <td> <p> 🟠 </p> </td> <td> <p> SOC </p> </td> <td> <p> Implement behavioral detection for non-standard port communication (T1571) to US-based IP ranges &mdash; geo-filtering alone is insufficient for domestically hosted APT28 infrastructure </p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY Actions </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 🟡 </p> </td> <td> <p> CISO </p> </td> <td> <p> Commission assessment of AI coding tool adoption across all state agencies. Establish approved tools list, mandate OS credential store over plaintext file caching, and define token rotation policy (maximum 90-day lifetime for refresh tokens) </p> </td> </tr> <tr> <td> <p> 🟡 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Establish OT/BAS patch management SLA (recommend 30-day maximum for critical ICS advisories). Formalize coordination between IT security and facilities management for building automation patching </strong> </p> </td> </tr> <tr> <td> <p> 🟡 </p> </td> <td> <p> CISO </p> </td> <td> <p> Procure supplementary OSINT intelligence feed to restore multi-source corroboration capability. Current single-source dependency on one commercial feed degrades confidence in threat assessments. 
Budget estimate: $15&ndash;40K/year </p> </td> </tr> <tr> <td> <p> 🟡 </p> </td> <td> <p> IR Team </p> </td> <td> <p> Conduct tabletop exercise simulating supply chain compromise of a developer tool leading to code repository access and lateral movement to production systems </p> </td> </tr> <tr> <td> <p> 🟡 </p> </td> <td> <p> SOC </p> </td> <td> <p> Initiate proactive threat hunt for Volt Typhoon / Salt Typhoon indicators across state network infrastructure &mdash; focus on living-off-the-land techniques in network edge devices (routers, VPN concentrators, firewalls) </p> </td> </tr> </tbody> </table> <h2> <strong> Executive Preparedness Checklist </strong> </h2> <p> For CIOs and CISOs &mdash; actions that require leadership decision-making: </p> <ul> <li> [ ] <strong> Budget decision: </strong> Approve OSINT feed procurement ($15&ndash;40K/year) to restore intelligence corroboration capability &mdash; degraded for 3 consecutive cycles </li> <li> [ ] <strong> Policy decision: </strong> Establish AI coding tool governance policy before adoption outpaces security controls </li> <li> [ ] <strong> Organizational decision: </strong> Define OT/BAS security ownership &mdash; who is responsible for patching building automation systems? 
</li> <li> [ ] <strong> Risk acceptance decision: </strong> Document and accept (or mitigate) the risk of developer workstations with unmanaged npm dependencies and VS Code extensions </li> <li> [ ] <strong> Communication decision: </strong> Determine whether physical social engineering advisory (CHATTY SPIDER) requires all-staff communication or targeted briefing to front-line personnel </li> </ul> <h2> <strong> Bottom Line </strong> </h2> <p> Three converging threat vectors define this cycle: a coordinated supply chain assault on developer tooling (Nx Console, GlassWorm sleepers, codexui-android), Russian GRU infrastructure expansion onto US soil that defeats geographic filtering, and unpatched building automation systems with no established remediation SLA. Each vector is independently actionable today. The APT28 IPs can be blocked in minutes. The malicious npm package can be detected with a single audit command. The ICS firmware updates are available now. Inaction converts intelligence into an incident report. </p> <h2> <strong> Closing </strong> </h2> <p> The convergence of supply chain attacks on developer tooling, nation-state infrastructure expansion onto US soil, and unpatched building automation systems creates a threat environment where traditional perimeter defenses are insufficient. Your developers' npm packages are being weaponized. Your geographic filtering rules are being bypassed. Your building controllers have no patch SLA. </p> <p> The good news: every threat identified today has a concrete, actionable defensive response. The APT28 IPs can be blocked in minutes. The malicious npm package can be detected with a single audit command. The ICS patches are available now. </p> <p> The question is not whether your state has the capability to defend against these threats &mdash; it is whether you will act on this intelligence before it becomes an incident report. </p> <p> Block the IOCs. Audit the developers. Patch the buildings. Brief the staff. 
</p> <p> <em> Anomali CTI Desk | Published June 1, 2026 </em> </p> <p> <em> Intelligence sources: CISA Advisories, Anomali ThreatStream, Aikido Security, Microsoft Security Response Center </em> </p> <p> <em> Next update: June 2, 2026 </em> </p>
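<p> The detection logic of Hunt Hypotheses 1 and 2 above, together with the codexui-android lockfile check from the IMMEDIATE actions, carried out in Python as an added example that is not Anomali's or this brief's own code. The log line formats, the 10.20.x.x developer VLAN, and the package names and versions in the sample lockfile are constructed assumptions; the IOCs are the ones listed in this report. </p>

```python
"""Constructed hunt script for the IOCs in this brief (added example, not Anomali's code)."""
import json
import re

# IOCs taken from the brief, refanged so they match live telemetry.
APT28_C2_IPS = {"45.71.14.204", "209.99.185.239", "143.20.185.242"}
APT28_US_HOSTED = "143.20.185.242"    # domestic node: geo-based rules will never flag it
TOKEN_THEFT_DOMAIN = "anyclaw.store"  # parent domain; sentry.anyclaw.store is a subdomain
MALICIOUS_NPM_PACKAGE = "codexui-android"
STANDARD_PORTS = {80, 443}            # any other port to the US node is escalated (T1571)
FW_LINE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")


def refang(value: str) -> str:
    return value.replace("[.]", ".")


def domain_matches(fqdn: str, parent: str) -> bool:
    """True for the parent domain itself and for any subdomain of it (never for lookalikes)."""
    fqdn = refang(fqdn).lower().rstrip(".")
    return fqdn == parent or fqdn.endswith("." + parent)


def hunt_dns(lines):
    """Hunt Hypothesis 1: queries for anyclaw[.]store or any *.anyclaw[.]store name.
    Assumed (constructed) log shape: '<timestamp> <client_ip> query <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query" and domain_matches(parts[3], TOKEN_THEFT_DOMAIN):
            hits.append({"client": parts[1], "qname": refang(parts[3]).lower()})
    return hits


def hunt_firewall(lines):
    """Hunt Hypothesis 2: any connection, inbound or outbound, involving an APT28 C2 IP on any port.
    Assumed (constructed) log shape: '<timestamp> <src>:<sport> -> <dst>:<dport> <action>'."""
    hits = []
    for line in lines:
        m = FW_LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(2), int(m.group(3)), m.group(4), int(m.group(5))
        if dst in APT28_C2_IPS:
            peer, peer_port, direction = dst, dport, "outbound"
        elif src in APT28_C2_IPS:
            peer, peer_port, direction = src, sport, "inbound"
        else:
            continue
        # IP reputation catches the match; the port check is the behavioral layer geo-filtering lacks.
        severity = "critical" if peer == APT28_US_HOSTED and peer_port not in STANDARD_PORTS else "high"
        hits.append({"peer": peer, "peer_port": peer_port, "direction": direction,
                     "action": m.group(6), "severity": severity})
    return hits


def scan_package_lock(lockfile_text: str):
    """Flag codexui-android anywhere in a lockfileVersion 2/3 package-lock.json, direct or transitive.
    Every installed path is listed under "packages" as node_modules/<name> (nested for transitive deps)."""
    found = []
    for path, meta in json.loads(lockfile_text).get("packages", {}).items():
        if path.rsplit("node_modules/", 1)[-1] == MALICIOUS_NPM_PACKAGE:
            found.append({"path": path, "version": meta.get("version")})
    return found


# Constructed sample telemetry: 10.20.x.x is the assumed developer VLAN, 203.0.113.10 is benign.
SAMPLE_DNS = [
    "2026-06-01T09:14:02Z 10.20.4.17 query registry.npmjs.org",
    "2026-06-01T09:14:09Z 10.20.4.17 query sentry.anyclaw.store",
    "2026-06-01T09:15:33Z 10.20.4.22 query anyclaw.store",
    "2026-06-01T09:15:40Z 10.20.4.22 query notanyclaw.store",  # lookalike, must NOT match
]
SAMPLE_FW = [
    "2026-06-01T10:00:01Z 10.20.4.17:51234 -> 143.20.185.242:443 allow",   # US node, standard port
    "2026-06-01T10:00:05Z 10.20.4.17:51240 -> 143.20.185.242:8443 allow",  # US node, non-standard port
    "2026-06-01T10:01:12Z 209.99.185.239:40000 -> 10.20.9.5:22 deny",      # inbound from C2
    "2026-06-01T10:02:00Z 10.20.4.30:51300 -> 203.0.113.10:443 allow",     # benign
]
SAMPLE_LOCK = json.dumps({"name": "benefits-portal", "lockfileVersion": 3, "packages": {
    "": {"name": "benefits-portal"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/some-ui-kit": {"version": "2.0.0"},  # assumed package name
    "node_modules/some-ui-kit/node_modules/codexui-android": {"version": "0.0.0"},  # version constructed
}})


def run_hunt():
    """Hit counts per data source; any non-zero count means isolate, revoke tokens, rotate credentials."""
    return {"dns": len(hunt_dns(SAMPLE_DNS)),
            "network": len(hunt_firewall(SAMPLE_FW)),
            "npm": len(scan_package_lock(SAMPLE_LOCK))}
```

<p> Point the three hunt functions at real resolver, firewall and repository exports and the lookalike and transitive-dependency cases above are the ones that a plain substring match or a top-level dependency check would miss. </p>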
