Supply Chain Worms, AI Tooling Weaponization, and the Expanding Attack Surface for State Government Networks

<p> <strong> Threat Assessment Level: ELEVATED </strong> (trending toward HIGH) </p> <h2> <strong> Executive Summary </strong> </h2> <p> State government IT leaders face an unprecedented convergence of supply chain attacks, identity infrastructure exploitation, and novel persistence techniques targeting developer tooling and AI coding assistants. In the past 48 hours, a self-propagating npm worm compromised hundreds of packages &mdash; including libraries with over one million weekly downloads &mdash; while a separate VS Code extension compromise demonstrated the ability to forge cryptographic supply chain provenance attestations. Simultaneously, Russian intelligence services have forced NATO allies to abandon Signal for government communications, and Siemens issued seven new ICS advisories affecting systems deployed in state water and transportation infrastructure. </p> <p> This is not theoretical. If your developers ran npm install on affected packages in the last 24 hours, credentials have already been exfiltrated. </p> <h2> <strong> What Changed </strong> </h2> <table> <thead> <tr> <th> <p> Development </p> </th> <th> <p> Date </p> </th> <th> <p> Impact to State Government </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> Mini Shai-Hulud npm worm &mdash; Wave 3 </strong> (@antv ecosystem, echarts-for-react, timeago.js) </p> </td> <td> <p> May 19 </p> </td> <td> <p> Any state developer using affected packages has had CI/CD secrets, npm tokens, and cloud credentials stolen. Worm self-propagates using stolen tokens. </p> </td> </tr> <tr> <td> <p> <strong> Nx Console VS Code extension compromise </strong> (2.2M installs) </p> </td> <td> <p> May 18 </p> </td> <td> <p> 11-minute exposure window. Harvests 1Password vaults, AWS/GitHub/npm credentials. Introduces Sigstore provenance forgery &mdash; defeating "verify before deploy" controls. </p> </td> </tr> <tr> <td> <p> <strong> Poland officially abandons Signal </strong> for government communications </p> </td> <td> <p> May 19 </p> </td> <td> <p> Russian APT campaigns using QR code device-linking attacks compromised officials' accounts. Germany and Netherlands taking parallel action. Direct precedent for state executive communications policy. </p> </td> </tr> <tr> <td> <p> <strong> Siemens ICS advisory batch </strong> &mdash; 7 advisories (Ruggedcom ROX, SIMATIC CN 4100, gWAP, Universal Robots) </p> </td> <td> <p> May 14 </p> </td> <td> <p> Ruggedcom ROX and SIMATIC CN 4100 deployed in state DOT and water treatment infrastructure. Input validation and RCE vulnerabilities. </p> </td> </tr> <tr> <td> <p> <strong> ClickFix/FileFix/ConsentFix evolution </strong> documented with DPRK attribution </p> </td> <td> <p> May 18 </p> </td> <td> <p> Social engineering attacks that operate within browser/identity workflows, bypassing endpoint security and MFA. Targets state employee credentials. </p> </td> </tr> <tr> <td> <p> <strong> China-nexus IOC refresh </strong> &mdash; CIRCUITPANDA + EMISSARY PANDA (APT27); CVE-2025-53690 exploited in Sitecore deploying WeepSteel backdoor </p> </td> <td> <p> May 17&ndash;18 </p> </td> <td> <p> Active operational preparation against government targets; government portal compromise via CMS exploitation. </p> </td> </tr> </tbody> </table> <p> <strong> Threat level rationale: </strong> Maintained at ELEVATED (unchanged from May 18). The npm supply chain worm represents active compromise of developer ecosystems, but no confirmed state government network breach has been reported. Escalation to HIGH would be triggered by confirmed exploitation of state infrastructure or active ransomware targeting. </p> <h2> <strong> Conflict and Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> Date </p> </th> <th> <p> Event </p> </th> <th> <p> Actor/Attribution </p> </th> <th> <p> Relevance </p> </th> </tr> </thead> <tbody> <tr> <td> <p> May 14 </p> </td> <td> <p> Siemens ICS advisory batch (7 advisories) </p> </td> <td> <p> N/A (vulnerability disclosure) </p> </td> <td> <p> State water/transportation OT infrastructure </p> </td> </tr> <tr> <td> <p> May 15 </p> </td> <td> <p> CISA KEV addition </p> </td> <td> <p> N/A </p> </td> <td> <p> Patch prioritization signal </p> </td> </tr> <tr> <td> <p> May 17 </p> </td> <td> <p> CVE-2025-53690 Sitecore CMS exploitation with WeepSteel backdoor </p> </td> <td> <p> China-nexus (prior cycle) </p> </td> <td> <p> Government portal compromise </p> </td> </tr> <tr> <td> <p> May 17 </p> </td> <td> <p> NightshadeC2 botnet introduces UAC Prompt Bombing </p> </td> <td> <p> Unattributed criminal </p> </td> <td> <p> EDR evasion technique </p> </td> </tr> <tr> <td> <p> May 18 </p> </td> <td> <p> CIRCUITPANDA + EMISSARY PANDA (APT27) IOC refresh </p> </td> <td> <p> China-nexus </p> </td> <td> <p> Active operational preparation against government targets </p> </td> </tr> <tr> <td> <p> May 18 </p> </td> <td> <p> Tycoon2FA OAuth device code phishing confirmed active </p> </td> <td> <p> Criminal/nation-state convergence </p> </td> <td> <p> Bypasses MFA on M365 tenants </p> </td> </tr> <tr> <td> <p> May 18 </p> </td> <td> <p> Nx Console VS Code extension compromise (11-min window) </p> </td> <td> <p> Unattributed </p> </td> <td> <p> Developer credential theft + Sigstore forgery </p> </td> </tr> <tr> <td> <p> May 18 </p> </td> <td> <p> Bridewell documents ClickFix/FileFix/ConsentFix evolution </p> </td> <td> <p> DPRK-linked </p> </td> <td> <p> Credential theft bypassing endpoint controls </p> </td> </tr> <tr> <td> <p> May 19 </p> </td> <td> <p> Mini Shai-Hulud npm worm Wave 3 (@antv ecosystem) </p> </td> <td> <p> Unattributed </p> </td> <td> <p> Active supply chain worm stealing CI/CD secrets </p> </td> </tr> <tr> <td> <p> May 19 </p> </td> <td> <p> Poland abandons Signal for government use </p> </td> <td> <p> Russian APT (Polish/Dutch/German intel) </p> </td> <td> <p> Executive communications security precedent </p> </td> </tr> </tbody> </table> <h2> <strong> Key Threat Analysis </strong> </h2> <h3> <strong> 1. Mini Shai-Hulud: A Self-Propagating npm Supply Chain Worm </strong> </h3> <p> This is the third and largest wave of a worm campaign that has escalated from SAP packages to TanStack to now Alibaba's @antv visualization ecosystem. The campaign compromised hundreds of packages including echarts-for-react (1.1 million weekly downloads) and timeago.js. </p> <p> <strong> How it works: </strong> </p> <ul> <li> Malicious preinstall hook executes JavaScript at package installation time </li> <li> Steals CI/CD secrets, npm tokens, AWS credentials, and GitHub tokens from the developer's environment </li> <li> Plants persistence in .vscode/tasks.json and .claude/settings.json (AI coding assistant configs) </li> <li> Self-propagates by republishing infected packages using stolen npm tokens </li> <li> Exfiltrates to C2 domain t.m-kosche[.]com </li> </ul> <p> <strong> Why this matters for state government: </strong> Any citizen portal, internal application, or shared service built with Node.js that pulls from the npm ecosystem is potentially affected. The worm's self-propagating nature means a single infected dependency can cascade across your entire build pipeline. </p> <p> <strong> ATT&amp;CK Techniques: </strong> <strong> T1195.002 </strong> (Supply Chain Compromise), <strong> T1059.007 </strong> (JavaScript Execution), <strong> T1552.001 </strong> (Credentials in Files), <strong> T1567.001 </strong> (Exfiltration to Code Repository), <strong> T1137 </strong> (Office Application Startup &mdash; via IDE config) </p> <h3> <strong> 2. Nx Console Compromise and Sigstore Provenance Forgery </strong> </h3> <p> A separate but related supply chain attack compromised the Nx Console VS Code extension (2.2 million installs) on May 18 through stolen developer credentials. The 11-minute exposure window delivered a 498KB obfuscated stealer that harvests 1Password vaults, AWS/GitHub/npm credentials, and Anthropic Claude Code configurations. </p> <p> <strong> The critical innovation: </strong> The attacker integrated Sigstore &mdash; the industry-standard supply chain provenance system &mdash; to sign malicious packages with valid cryptographic attestations. This means packages that pass SLSA provenance verification may still be compromised. Organizations that adopted "verify provenance before deploy" as their supply chain security control now have a gap. </p> <p> <strong> Indicators of compromise: </strong> </p> <ul> <li> File: ~/.local/share/kitty/cat.py (macOS backdoor) </li> <li> File: ~/Library/LaunchAgents/com.user.kitty-monitor.plist (persistence) </li> <li> Extension: rwl.angular-console v18.95.0 </li> <li> Behavior: Avoids execution on Russian/CIS timezone machines </li> </ul> <h3> <strong> 3. Russian APT Signal Campaigns Force Government Policy Changes </strong> </h3> <p> Poland's Ministry of Digital Affairs has instructed all government officials to cease using Signal for sensitive communications following sustained Russian APT campaigns. The attacks use social engineering &mdash; fake support staff and malicious QR codes &mdash; to link attacker-controlled devices to victims' Signal accounts, providing persistent access to all future messages. </p> <p> Germany (migrating Bundestag to Wire) and the Netherlands (AIVD/MIVD confirmed compromises) are taking parallel action. This is not a Signal vulnerability &mdash; it is a social engineering attack exploiting the device-linking feature present in all modern messaging platforms. </p> <p> <strong> Relevance to state government: </strong> If any state executives, legislators, or agency heads use Signal, WhatsApp, or similar apps for official business, they are vulnerable to identical attacks. The attack requires no malware &mdash; only convincing the target to scan a QR code. </p> <p> <strong> ATT&amp;CK Techniques: </strong> <strong> T1566.002 </strong> (Spearphishing Link), <strong> T1078 </strong> (Valid Accounts via device linking), <strong> T1656 </strong> (Impersonation) </p> <h3> <strong> 4. China-Nexus Actors in Active Preparation </strong> </h3> <p> From the prior cycle (May 18): CIRCUITPANDA and EMISSARY PANDA (APT27) simultaneously refreshed government-targeting malware indicators, signaling active operational preparation. APT27-associated IOCs (including Ramnit dropper variants) were confirmed active in ThreatStream intelligence feeds. Combined with the May 17 exploitation of CVE-2025-53690 in Sitecore CMS deploying the WeepSteel backdoor against government portals, China-nexus groups remain the primary nation-state espionage threat to state government networks. </p> <p> <strong> Critical absence: </strong> Volt Typhoon and Salt Typhoon &mdash; the Chinese groups specifically focused on pre-positioning in U.S. critical infrastructure &mdash; have shown no new indicators for four consecutive cycles. Given their documented focus on living-off-the-land techniques in network infrastructure (routers, firewalls, VPN concentrators), silence should be treated as a signal warranting proactive hunting, not reassurance. </p> <h3> <strong> 5. ICS/OT Vulnerability Exposure </strong> </h3> <p> Seven Siemens advisories published May 14 affect systems deployed in state government OT environments: </p> <ul> <li> <strong> Ruggedcom ROX </strong> (3 advisories): Input validation in Scheduler, feature key installation flaws, third-party vulnerabilities pre-v2.17.1. Deployed in state DOT network infrastructure. </li> <li> <strong> SIMATIC CN 4100 </strong> : Multiple vulnerabilities affecting availability, integrity, and confidentiality. Deployed in water treatment automation. </li> <li> <strong> gWAP </strong> : Remote code execution via third-party library. </li> <li> <strong> Universal Robots Polyscope 5 </strong> : Authentication bypass with code execution. </li> </ul> <p> No active exploitation has been confirmed for these specific advisories, but the combination of Volt Typhoon's known interest in water/transportation infrastructure and unpatched Siemens devices creates an unacceptable risk window. </p> <h2> <strong> Predictive Analysis </strong> </h2> <table> <thead> <tr> <th> <p> Scenario </p> </th> <th> <p> Probability </p> </th> <th> <p> Timeframe </p> </th> <th> <p> Basis </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Additional Mini Shai-Hulud waves targeting new npm namespaces </p> </td> <td> <p> <strong> 75% (HIGH) </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> Campaign accelerating &mdash; each wave larger than the last. Worm has self-propagation capability. </p> </td> </tr> <tr> <td> <p> Canvas LMS breach (275M users) produces credential stuffing against state higher education portals </p> </td> <td> <p> <strong> 50% (MODERATE) </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> Stolen credentials from large breaches historically appear in stuffing campaigns within 2-3 weeks. </p> </td> </tr> <tr> <td> <p> AI coding assistant configs exploited for persistent access in government developer environments </p> </td> <td> <p> <strong> 40% (MODERATE) </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> Two independent campaigns (Mini Shai-Hulud, Nx Console) now weaponize this vector. Technique will be adopted. </p> </td> </tr> <tr> <td> <p> Ransomware group targets a U.S. state/local government entity </p> </td> <td> <p> <strong> 35% (LOW-MODERATE) </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> Three-cycle quiet period + active access brokers (HOOK SPIDER) suggests pre-positioning phase. </p> </td> </tr> <tr> <td> <p> Volt Typhoon/Salt Typhoon activity surfaces in U.S. state infrastructure </p> </td> <td> <p> <strong> 30% (LOW-MODERATE) </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> Four-cycle absence of indicators for groups known to be active. LOTL techniques are inherently difficult to detect. </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Immediate Hunting Hypotheses </strong> </h3> <p> <strong> Hypothesis 1: npm supply chain worm artifacts present on developer workstations </strong> </p> <ul> <li> <strong> Hunt for: </strong> Files matching .vscode/tasks.json with unexpected task definitions; .claude/settings.json with unauthorized modifications; ~/.local/share/kitty/cat.py; ~/Library/LaunchAgents/com.user.kitty-monitor.plist; processes with __DAEMONIZED=1 environment variable </li> <li> <strong> ATT&amp;CK: </strong> <strong> T1195.002 </strong> , <strong> T1137 </strong> , <strong> T1053 </strong> </li> <li> <strong> Data sources: </strong> EDR file creation events, process environment variable logging, LaunchAgent monitoring </li> </ul> <p> <strong> Hypothesis 2: C2 communication to Mini Shai-Hulud infrastructure </strong> </p> <ul> <li> <strong> Hunt for: </strong> DNS queries or HTTP connections to t.m-kosche[.]com from any endpoint </li> <li> <strong> ATT&amp;CK: </strong> <strong> T1071.001 </strong> </li> <li> <strong> Data sources: </strong> DNS logs, proxy logs, NDR/firewall logs </li> </ul> <p> <strong> Hypothesis 3: Signal device-linking attack against executives </strong> </p> <ul> <li> <strong> Hunt for: </strong> New linked devices appearing on executive Signal accounts; reports of "Signal support" contacts; QR codes received via email or messaging </li> <li> <strong> ATT&amp;CK: </strong> <strong> T1566.002 </strong> , <strong> T1078 </strong> , <strong> T1656 </strong> </li> <li> <strong> Data sources: </strong> User reporting, executive communications audit </li> </ul> <p> <strong> Hypothesis 4: Volt Typhoon living-off-the-land in network infrastructure </strong> </p> <ul> <li> <strong> Hunt for: </strong> Anomalous admin authentication to routers, firewalls, and VPN concentrators; unusual configuration changes; LOTL binary execution (certutil, netsh, wmic) on network management systems </li> <li> <strong> ATT&amp;CK: </strong> <strong> T1078 </strong> , <strong> T1059 </strong> , <strong> T1562.001 </strong> </li> <li> <strong> Data sources: </strong> Network device authentication logs, configuration change management, SIEM correlation </li> </ul> <h3> <strong> Detection Rules to Deploy </strong> </h3> <table> <thead> <tr> <th> <p> Rule </p> </th> <th> <p> ATT&amp;CK </p> </th> <th> <p> Priority </p> </th> </tr> </thead> <tbody> <tr> <td> <p> File creation in .claude/settings.json or .vscode/tasks.json by non-IDE processes </p> </td> <td> <p> <strong> T1137 </strong> </p> </td> <td> <p> <strong> IMMEDIATE </strong> </p> </td> </tr> <tr> <td> <p> preinstall script execution spawning network connections during npm install </p> </td> <td> <p> <strong> T1195.002 </strong> , <strong> T1059.007 </strong> </p> </td> <td> <p> <strong> IMMEDIATE </strong> </p> </td> </tr> <tr> <td> <p> DNS/HTTP to t.m-kosche[.]com </p> </td> <td> <p> <strong> T1071.001 </strong> </p> </td> <td> <p> <strong> IMMEDIATE </strong> </p> </td> </tr> <tr> <td> <p> Python process executing from ~/.local/share/kitty/ </p> </td> <td> <p> <strong> T1059.006 </strong> </p> </td> <td> <p> <strong> IMMEDIATE </strong> </p> </td> </tr> <tr> <td> <p> LaunchAgent creation matching com.user.kitty-monitor.plist </p> </td> <td> <p> <strong> T1053 </strong> </p> </td> <td> <p> <strong> IMMEDIATE </strong> </p> </td> </tr> <tr> <td> <p> OAuth device code flow from untrusted locations (Tycoon2FA) </p> </td> <td> <p> <strong> T1078 </strong> </p> </td> <td> <p> <strong> 7-DAY </strong> </p> </td> </tr> <tr> <td> <p> VS Code extension installation of rwl.angular-console </p> </td> <td> <p> <strong> T1195.002 </strong> </p> </td> <td> <p> <strong> 7-DAY </strong> </p> </td> </tr> </tbody> </table> <h3> <strong> Blocking Actions </strong> </h3> <ul> <li> Block domain t.m-kosche[.]com at DNS and proxy layers </li> <li> Block npm package installation from @antv, @lint-md, @openclaw-cn, @starmind namespaces until verified clean </li> <li> Block execution of rwl.angular-console extension version 18.95.0 </li> </ul> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services (State Treasury, Revenue, Tax Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Credential theft via ClickFix/ConsentFix social engineering targeting finance staff with access to ERP and payment systems </li> <li> <strong> Action: </strong> Deploy conditional access policies requiring compliant devices for all financial system access; block OAuth device code flow entirely for finance user groups </li> <li> <strong> Monitor: </strong> Unusual bulk data access patterns in tax/revenue databases that could indicate pre-positioning for extortion </li> </ul> <h3> <strong> Energy (State-Regulated Utilities, Grid Operations) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Siemens ICS vulnerabilities in SCADA environments; Volt Typhoon pre-positioning </li> <li> <strong> Action: </strong> Prioritize Ruggedcom ROX upgrade to v2.17.1+ on all energy sector network devices; implement network segmentation audit between IT and OT zones </li> <li> <strong> Monitor: </strong> Anomalous authentication to SCADA HMI systems, especially from IT network segments; configuration changes to Siemens PLCs outside maintenance windows </li> </ul> <h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Rhysida ransomware (confirmed active this cycle targeting healthcare); credential theft for access to PII/PHI databases </li> <li> <strong> Action: </strong> Verify offline backup integrity for Medicaid enrollment and claims systems; ensure MFA cannot be bypassed via ConsentFix-style browser-based attacks </li> <li> <strong> Monitor: </strong> HOOK SPIDER access broker listings mentioning healthcare or state health domains; unusual RDP/VPN access to claims processing systems </li> </ul> <h3> <strong> Government (Executive Branch, Legislature, Law Enforcement) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Russian APT Signal/messaging compromise of officials; China-nexus espionage (APT27, CIRCUITPANDA) targeting policy systems </li> <li> <strong> Action: </strong> Brief all elected officials and senior appointees on QR code device-linking attacks; audit Signal/WhatsApp usage for official business; review Sitecore CMS deployments for CVE-2025-53690 exposure </li> <li> <strong> Monitor: </strong> New device registrations on executive accounts; anomalous access to pre-decisional policy documents; WeepSteel backdoor indicators on web-facing portals </li> </ul> <h3> <strong> Aviation/Logistics (State DOT, Port Authorities, Transit Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Siemens Ruggedcom ROX vulnerabilities in transportation network infrastructure; Volt Typhoon interest in transportation pre-positioning </li> <li> <strong> Action: </strong> Patch Ruggedcom ROX Scheduler and feature key vulnerabilities; audit Universal Robots Polyscope 5 deployments in automated logistics facilities </li> <li> <strong> Monitor: </strong> Configuration changes to traffic management systems; anomalous admin sessions on transportation SCADA networks; lateral movement from IT to OT segments </li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 🔴 </strong> </p> </td> <td> <p> DevOps </p> </td> <td> <p> Block npm package installation from @antv, @lint-md, @openclaw-cn, @starmind namespaces. Block C2 domain t.m-kosche[.]com at DNS/proxy. </p> </td> </tr> <tr> <td> <p> <strong> 🔴 </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> Hunt all developer workstations for: .vscode/tasks.json with unexpected tasks, .claude/settings.json modifications, cat.py in kitty directory, com.user.kitty-monitor.plist LaunchAgent. </p> </td> </tr> <tr> <td> <p> <strong> 🔴 </strong> </p> </td> <td> <p> DevOps </p> </td> <td> <p> Audit VS Code extension versions &mdash; confirm no installation of rwl.angular-console v18.95.0 occurred during May 18 14:36&ndash;14:47 CEST. If found, rotate ALL credentials on affected machines immediately. </p> </td> </tr> <tr> <td> <p> <strong> 🔴 </strong> </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Verify npm token rotation for all service accounts that interact with the npm registry. Revoke and reissue any tokens that may have been exposed. </p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY </strong> </h3> <table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 🟠 </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> Brief executive communications team on Signal/messaging account compromise TTPs. Determine if state uses Signal for any official communications. Evaluate platform alternatives. </p> </td> </tr> <tr> <td> <p> <strong> 🟠 </strong> </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Apply Siemens Ruggedcom ROX patches (upgrade to v2.17.1+) on all DOT/water infrastructure network devices. Prioritize SIMATIC CN 4100 patching. </p> </td> </tr> <tr> <td> <p> <strong> 🟠 </strong> </p> </td> <td> <p> DevOps </p> </td> <td> <p> Implement npm package age-gating &mdash; refuse installation of any package version published less than 72 hours ago in CI/CD pipelines. Pin all GitHub Actions to commit SHAs. </p> </td> </tr> <tr> <td> <p> <strong> 🟠 </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> Verify M365 conditional access policies block OAuth device code flow from untrusted locations (Tycoon2FA mitigation). </p> </td> </tr> <tr> <td> <p> <strong> 🟠 </strong> </p> </td> <td> <p> IR Team </p> </td> <td> <p> Update incident response playbooks to include supply chain compromise scenarios &mdash; specifically npm worm propagation and IDE persistence cleanup procedures. </p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY </strong> </h3> <table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 🟡 </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> Commission assessment of AI coding assistant security posture &mdash; inventory all Claude Code, GitHub Copilot, and VS Code AI extension deployments across state agencies. Develop configuration integrity monitoring policy. </p> </td> </tr> <tr> <td> <p> <strong> 🟡 </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> Conduct proactive threat hunt for Volt Typhoon living-off-the-land indicators across network infrastructure (router configs, VPN concentrator logs, firewall admin sessions). Focus on anomalous admin authentication patterns. </p> </td> </tr> <tr> <td> <p> <strong> 🟡 </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> Review supply chain verification controls in light of Sigstore provenance forgery. Provenance signatures alone are no longer sufficient &mdash; implement multi-layer verification (provenance + behavioral analysis + age-gating). </p> </td> </tr> <tr> <td> <p> <strong> 🟡 </strong> </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Evaluate state government messaging platform policy. Document which platforms are authorized for which classification levels. Publish guidance based on Poland/Germany/Netherlands precedent. </p> </td> </tr> <tr> <td> <p> <strong> 🟡 </strong> </p> </td> <td> <p> Governance </p> </td> <td> <p> Assess Canvas LMS exposure &mdash; determine which state higher education institutions use Canvas, whether credential reuse with state systems exists, and prepare for credential stuffing campaigns from the 275M-user breach. </p> </td> </tr> </tbody> </table> <h2> <strong> IOC Blocking Table </strong> </h2> <p> The following indicators are confirmed from intelligence collection and should be actioned immediately: </p> <table> <thead> <tr> <th> <p> Type </p> </th> <th> <p> Value </p> </th> <th> <p> Context </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Domain </p> </td> <td> <p> t.m-kosche[.]com </p> </td> <td> <p> Mini Shai-Hulud npm worm C2/exfiltration </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> 7cb42f57561c321ecb09b4552802ae0ac55b3a7a </p> </td> <td> <p> Malicious GitHub commit (exotic dependency reference) </p> </td> </tr> <tr> <td> <p> File Path </p> </td> <td> <p> ~/.local/share/kitty/cat.py </p> </td> <td> <p> Nx Console macOS backdoor </p> </td> </tr> <tr> <td> <p> File Path </p> </td> <td> <p> ~/Library/LaunchAgents/com.user.kitty-monitor.plist </p> </td> <td> <p> Nx Console persistence </p> </td> </tr> <tr> <td> <p> Package </p> </td> <td> <p> @antv/setup </p> </td> <td> <p> Malicious npm optional dependency </p> </td> </tr> <tr> <td> <p> Extension </p> </td> <td> <p> rwl.angular-console v18.95.0 </p> </td> <td> <p> Compromised VS Code extension </p> </td> </tr> <tr> <td> <p> File </p> </td> <td> <p> .vscode/tasks.json (unexpected modifications) </p> </td> <td> <p> Supply chain persistence indicator </p> </td> </tr> <tr> <td> <p> File </p> </td> <td> <p> .claude/settings.json (unexpected modifications) </p> </td> <td> <p> AI assistant config persistence </p> </td> </tr> </tbody> </table> <p> Additional IOCs available via Anomali ThreatStream and partner feeds. </p> <h2> <strong> Bottom Line </strong> </h2> <p> The convergence of three supply chain compromises in 48 hours &mdash; each more sophisticated than the last &mdash; signals a fundamental shift in how adversaries approach state government networks. They are no longer attacking your perimeter. They are poisoning the tools your developers trust, forging the cryptographic signatures your procurement teams verify, and compromising the messaging platforms your executives rely on. </p> <p> The npm age-gating recommendation is the single highest-ROI defensive investment available today. It costs nothing to implement and would have prevented credential exfiltration from Mini Shai-Hulud. Do it before close of business. </p> <p> For the 30-day horizon: if your organization has no inventory of AI coding assistant deployments, you have a governance gap that is actively being exploited. Two independent campaigns now weaponize AI assistant configurations for persistence. This vector will only grow. </p> <p> The quiet period in ransomware targeting state and local government is not peace &mdash; it is preparation. Access brokers remain active. Credentials are being collected. The window to harden before the next wave is measured in weeks, not months. </p> <p> Act now. The adversary already has. </p> <p> Anomali CTI Desk | 2026-05-19 </p> <p> <em> For questions or additional context on any finding in this report, contact your Anomali intelligence team. </em> </p>