APT28 Exploits Microsoft Zero-Day as NPM Worm Hits CI/CD
APT28 is actively exploiting a Microsoft browser zero-day (CVE-2026-21513) that bypasses Mark of the Web and sandbox protections via crafted .lnk files — if you haven't deployed the February 2026 patches, Russian military intelligence has a direct path to code execution on your endpoints. Simultaneously, a self-propagating NPM worm with a dormant wipe payload is harvesting secrets from CI/CD pipelines and spreading through AI coding tools, and CISA has lost a third of its workforce — your federal coordination lifeline is degraded precisely when you need it most.
◆ INTELLIGENCE MAP
01 Active Zero-Day Exploitation and Collapsing Response Windows
Act now: APT28's CVE-2026-21513 browser zero-day, two actively exploited Roundcube CVEs on CISA KEV, and SolarWinds' four simultaneous critical patches all demand immediate triage — while CrowdStrike confirms breakout times have collapsed to 29 minutes average, making manual response workflows mathematically insufficient.
02 NPM Supply Chain Worm Targeting CI/CD and AI Coding Tools
Act now: A self-propagating NPM worm combines secret harvesting, CI weaponization, cross-project propagation, and a dormant wipe mechanism — specifically targeting AI coding assistants — while the Cline CLI supply chain compromise (5M+ installs, 8-hour exposure window) and RoguePilot prompt injection in GitHub Copilot confirm that developer tooling is now a primary attack vector.
03 CISA Degradation and Federal Cyber Coordination Gaps
Monitor: CISA's ~33% workforce reduction, shuttered divisions, and unconfirmed acting leadership have degraded federal network defense, JCDC coordination, and advisory publication — organizations must build contingency plans using ISACs and private threat intel while the exploit broker Operation Zero and its CEO face Treasury sanctions.
04 Pentagon-Anthropic Standoff and AI Vendor Governance Risk
Monitor: The Pentagon's Friday deadline threatening Defense Production Act invocation against Anthropic — combined with Anthropic's safety policy rollback, Claude Cowork's expanding enterprise integrations, and confirmed industrial-scale model distillation by Chinese labs — creates a new category of AI vendor risk where safety commitments can be revoked by government fiat or competitive pressure.
05 Nation-State AI Adoption Crosses Operational Threshold
Background: Iran's MuddyWater is shipping AI-generated Rust malware with Telegram C2 (first confirmed APT use of LLM-generated production code), Chinese state actors are operationally using ChatGPT for intelligence gathering and influence operations, and Lazarus has joined Medusa RaaS to target US healthcare — AI is compressing nation-state malware development cycles across all major adversary groups.
◆ DEEP DIVES
01 APT28 Zero-Day, Roundcube KEV Entries, and the 29-Minute Breakout Reality
<h3>The Convergence That Demands Immediate Action</h3>
<p>Three vulnerability clusters hit simultaneously this cycle, and your patch queue just became a triage exercise against active nation-state exploitation. The most critical: <strong>APT28 (GRU/Fancy Bear) is actively exploiting CVE-2026-21513</strong>, a Microsoft browser zero-day that chains specially crafted <strong>.lnk files with embedded HTML</strong> to bypass both Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration. The exploit achieves code execution outside the browser sandbox. Microsoft patched this in the February 2026 cycle, but Akamai researchers confirmed exploitation both before and after patch release.</p>
<p>The delivery vector — .lnk files — means <strong>email attachments, USB drives, and file shares</strong> are all viable initial access paths. This maps directly to environments where users handle external files, making it particularly dangerous for organizations with partner ecosystems or customer-facing document workflows.</p>
<hr>
<h4>Parallel Urgency: Roundcube and SolarWinds</h4>
<p>CISA added two actively exploited Roundcube Webmail vulnerabilities to the KEV catalog: <strong>CVE-2025-49113</strong> (deserialization → RCE, critical) and <strong>CVE-2025-68461</strong> (XSS, high). Roundcube has been the default webmail for cPanel since ~2008, with <strong>46,000+ internet-facing instances</strong> on Shodan and <strong>10+ prior KEV entries</strong>. The CISA deadline is March 13, 2026. Secure versions are <strong>1.5.13 and 1.6.13</strong>.</p>
<p>Separately, <strong>SolarWinds patched four critical vulnerabilities simultaneously</strong> — a volume that suggests high-severity exploitation potential. Given SolarWinds' history as a supply chain attack vector, threat actors will be reverse-engineering these patches within hours.</p>
<h4>The Breakout Time Crisis</h4>
<p>CrowdStrike's latest data provides the operational context: <strong>average breakout time is now 29 minutes</strong>, down from 98 minutes in 2021. The fastest observed breakout was <strong>27 seconds</strong>. This 70% compression over four years means that if your SOC relies on manual triage and escalation, you are <em>mathematically unable to contain most intrusions before lateral movement completes</em>.</p>
<blockquote>When APT28 is exploiting browser zero-days and attackers break out in 29 minutes, the question isn't whether your defenses are good enough — it's whether they're fast enough.</blockquote>
<h4>VulnCheck's 2025 Exploitation Data</h4>
<p>Cross-referencing with VulnCheck's annual analysis: of <strong>40,000+ CVEs published in 2025, only ~1% were exploited in the wild</strong> — but attackers disproportionately targeted <strong>network edge devices</strong> and 'repeat offender' vendors. Four SharePoint zero-days alone hit <strong>400+ organizations</strong>. The data proves that CVSS-driven patching misallocates resources — exploitation-evidence-first prioritization is essential.</p>
Action items
- Verify deployment of February 2026 Microsoft patches across 100% of endpoints, specifically CVE-2026-21513. Enable ASR rules blocking .lnk execution from untrusted sources.
- Patch Roundcube Webmail to 1.5.13 or 1.6.13 within 48 hours. If running cPanel, check every hosting environment.
- Patch SolarWinds within 24-48 hours across all deployments.
- Benchmark your SOC's MTTD and MTTR against the 29-minute breakout threshold. If either exceeds 29 minutes, deploy automated containment (EDR auto-isolation, micro-segmentation) this sprint.
- Shift vulnerability management prioritization from CVSS-first to exploitation-evidence-first by integrating CISA KEV and VulnCheck KEV feeds as primary patch signals.
Sources: Risky Bulletin: Russia starts criminal probe of Telegram founder Pavel Durov · SANS NewsBites Vol. 28 Num. 14 · Google Disrupts Chinese Hackers | Anthropic Tool Sends Cybersecurity Shares Plunging · Is the 'Shields Up' era of CISA over?
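The last action item above asks you to rank patches by exploitation evidence rather than CVSS. The script below is an added example (not code from this briefing, CISA or VulnCheck) of what that ordering looks like in practice: KEV membership and CISA's remediation due date decide the tier, and CVSS only breaks ties. The KEV excerpt copies the field names of CISA's known_exploited_vulnerabilities.json, but every record is constructed for the demo; the CVE identifiers and the March 13 Roundcube deadline come from this briefing, while the asset names, CVSS scores, the two CVE-0000-* entries and the CVE-2026-21513 due date are placeholders.

```python
"""Exploitation-evidence-first patch prioritisation (added example)."""
from datetime import date

# Constructed KEV excerpt in the layout of CISA's known_exploited_vulnerabilities.json.
KEV_SNAPSHOT = {
    "vulnerabilities": [
        {"cveID": "CVE-2025-49113", "dateAdded": "2026-02-20",
         "dueDate": "2026-03-13", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-68461", "dateAdded": "2026-02-20",
         "dueDate": "2026-03-13", "knownRansomwareCampaignUse": "Unknown"},
        # Placeholder dates: the briefing gives no KEV dates for this CVE.
        {"cveID": "CVE-2026-21513", "dateAdded": "2026-02-25",
         "dueDate": "2026-03-18", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed inventory: (asset, CVE, CVSS base score). Scores are placeholders.
INVENTORY = [
    ("webmail-01", "CVE-2025-68461", 6.1),
    ("ws-finance-07", "CVE-2026-21513", 8.8),
    ("webmail-01", "CVE-2025-49113", 9.9),
    ("intranet-db", "CVE-0000-00001", 9.8),  # constructed: high CVSS, no exploitation evidence
    ("edge-vpn", "CVE-0000-00002", 7.5),     # constructed: no exploitation evidence
]

TIER_ORDER = {"overdue": 0, "act-now": 1, "backlog": 2}


def kev_index(snapshot):
    """Map cveID -> KEV record so each inventory row is a single lookup."""
    return {v["cveID"]: v for v in snapshot["vulnerabilities"]}


def prioritise(inventory, snapshot, today_iso):
    """Return the inventory as dicts, most urgent first.

    Order: past the CISA due date, then in KEV (ransomware-linked first, nearest
    due date first), then everything else by CVSS descending.
    """
    today = date.fromisoformat(today_iso)
    kev = kev_index(snapshot)
    rows = []
    for asset, cve, cvss in inventory:
        entry = kev.get(cve)
        if entry is None:
            rows.append({"asset": asset, "cve": cve, "cvss": cvss, "tier": "backlog",
                         "days_to_due": None, "ransomware": False})
            continue
        days = (date.fromisoformat(entry["dueDate"]) - today).days
        rows.append({"asset": asset, "cve": cve, "cvss": cvss,
                     "tier": "overdue" if days < 0 else "act-now",
                     "days_to_due": days,
                     "ransomware": entry.get("knownRansomwareCampaignUse") == "Known"})
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]],
                             not r["ransomware"],
                             r["days_to_due"] if r["days_to_due"] is not None else 10**6,
                             -r["cvss"]))
    return rows


def cvss_only(inventory):
    """The CVSS-first ordering the briefing argues against, for comparison."""
    return [cve for _asset, cve, _cvss in sorted(inventory, key=lambda i: -i[2])]


if __name__ == "__main__":
    for r in prioritise(INVENTORY, KEV_SNAPSHOT, "2026-02-27"):
        print(f'{r["tier"]:8} {r["cve"]:16} {r["asset"]:14} '
              f'cvss={r["cvss"]} due_in={r["days_to_due"]}')
    print("CVSS-first would have ordered:", cvss_only(INVENTORY))
```

Note that the constructed CVE-0000-00001 entry carries a 9.8 CVSS and still lands in the backlog tier: that is the misallocation the VulnCheck data describes. Swap the constructed snapshot for the real KEV JSON and the inventory for your scanner export and the logic is unchanged.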
02 NPM Supply Chain Worm, Cline CLI Compromise, and RoguePilot — Your Developer Pipeline Is the New Perimeter
<h3>Three Distinct Attacks, One Target: Your Software Factory</h3>
<p>Your CI/CD pipeline took fire from three directions this cycle, and the convergence is worse than any individual attack. A <strong>self-propagating NPM worm</strong> is actively harvesting secrets from CI environments, weaponizing build systems to spread across projects, and carrying a <strong>dormant wipe mechanism</strong> that can be triggered remotely. Separately, the <strong>Cline CLI AI coding assistant</strong> (5M+ installs) was compromised for eight hours on February 17, silently installing the malicious OpenClaw agent. And researchers demonstrated <strong>RoguePilot</strong>, a prompt injection attack that hijacks GitHub Copilot through crafted issue content to exfiltrate GITHUB_TOKENs.</p>
<h4>The NPM Worm: Espionage + Destruction in One Package</h4>
<p>This isn't a single malicious package — it's a worm with three operational phases:</p>
<ul>
<li><strong>Harvest:</strong> Extracts API keys, cloud credentials, signing keys, and tokens from CI environments</li>
<li><strong>Weaponize &amp; Spread:</strong> Uses compromised CI systems to propagate to other projects, including packages consumed by AI coding assistants</li>
<li><strong>Dormant Destruction:</strong> Carries a remotely activatable wipe payload — pre-positioned sabotage</li>
</ul>
<p>The targeting of <strong>AI coding tools</strong> is the critical evolution. If an AI assistant consumes a compromised package and suggests code patterns derived from it, the malicious payload propagates through developer trust in AI suggestions — a <em>human-in-the-loop amplification vector</em> that traditional SCA tools won't catch.</p>
<h4>Cline CLI: Anatomy of an AI Tool Supply Chain Attack</h4>
<p>The Cline compromise timeline reveals systemic failures in AI tool security:</p>
<ol>
<li>December 2025: Researcher Adnan Khan discovers prompt injection flaw in Cline's AI-automated issue triage</li>
<li>January 2026: Khan warns production publish tokens are at risk — <em>no response for over a month</em></li>
<li>February 9: Public disclosure; Cline patches within one hour</li>
<li>February 10: Anonymous source confirms possession of valid npm and OpenVSX credentials</li>
<li>February 11: Cline rotates credentials but <strong>misses an exposed npm token</strong></li>
<li>February 17: Missed token used to publish compromised Cline CLI 2.3.0 with OpenClaw — <strong>live for 8 hours</strong></li>
</ol>
<p>Cline now uses OIDC provenance via GitHub Actions for npm publishing — a remediation that should have been in place before the incident.</p>
<h4>RoguePilot: Copilot as Attack Vector</h4>
<p>Hidden prompt injections in GitHub issues can silently hijack Copilot, causing it to exfiltrate privileged GITHUB_TOKENs. This bypasses every traditional code review control because the malicious payload lives in <strong>issue text</strong> — content developers don't scrutinize for executable intent. Any organization using Codespaces with Copilot enabled on repositories accepting external issues is exposed.</p>
<blockquote>A self-propagating NPM worm with a dormant wipe payload is targeting the exact CI/CD pipelines and AI coding tools your developers trust most — if you haven't audited your dependency tree this week, assume you're already behind the attacker.</blockquote>
Action items
- Run npm audit across all repositories today. Check lockfile integrity, review packages added in the last 90 days, and rotate all CI/CD secrets (API keys, deploy tokens, cloud credentials) immediately.
- Scan developer environments for Cline CLI version 2.3.0 and any OpenClaw installations. Treat any positive finding as a confirmed compromise — isolate, image, and investigate.
- Restrict GITHUB_TOKEN permissions to minimum required scopes and disable Copilot's ability to read issue content on repositories accepting external contributions.
- Implement npm package provenance verification (OIDC via GitHub Actions) and deploy a package proxy (Aikido Safe Chain or equivalent) with 24-hour suppression of newly published packages in CI/CD.
- Sandbox AI coding assistants from production CI secrets and require human approval for all AI-suggested dependency additions.
Sources: Boards don't need cyber metrics — they need risk signals · The rise of the evasive adversary · Google Disrupts Chinese Hackers | Anthropic Tool Sends Cybersecurity Shares Plunging · Vulnerable DJI Vacuums, Distillation Attack Detection, Dependabot Alternative
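The first action item above (check lockfile integrity, review recently added packages) is mostly a diff exercise, and `npm audit` alone will not show you a same-version integrity change or a new install script. The script below is an added example, not code from this briefing, npm or Aikido: it compares a known-good package-lock.json against the current one in the lockfileVersion 3 layout (the `packages` map with `version`, `resolved`, `integrity` and `hasInstallScript` keys) and flags the drift a worm like the one described would leave behind. Both lockfiles, the package names and the publish timestamps (in the shape `npm view <pkg> time --json` returns) are constructed for the demo.

```python
"""Lockfile drift review for an npm supply-chain hunt (added example)."""
from datetime import datetime, timedelta

REGISTRY_PREFIX = "https://registry.npmjs.org/"
HIGH_RISK = {"integrity-changed-same-version", "install-script", "non-registry-source"}

# Constructed: the lockfile from the last known-good commit.
BASELINE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-utils": {
            "version": "1.4.0",
            "resolved": REGISTRY_PREFIX + "example-utils/-/example-utils-1.4.0.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/example-logger": {
            "version": "2.0.1",
            "resolved": REGISTRY_PREFIX + "example-logger/-/example-logger-2.0.1.tgz",
            "integrity": "sha512-BBBB"},
    },
}

# Constructed: the lockfile as it is in the working tree today.
CURRENT_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-utils": BASELINE_LOCK["packages"]["node_modules/example-utils"],
        "node_modules/example-logger": {          # same version, different tarball hash
            "version": "2.0.1",
            "resolved": REGISTRY_PREFIX + "example-logger/-/example-logger-2.0.1.tgz",
            "integrity": "sha512-CCCC"},
        "node_modules/example-helper": {          # new, runs an install script
            "version": "0.0.3",
            "resolved": REGISTRY_PREFIX + "example-helper/-/example-helper-0.0.3.tgz",
            "integrity": "sha512-DDDD", "hasInstallScript": True},
        "node_modules/example-ci-tools": {        # new, pulled from outside the registry
            "version": "1.0.0",
            "resolved": "git+https://git.example.invalid/ci-tools.git#deadbeef",
            "integrity": "sha512-EEEE"},
    },
}

# Constructed publish times keyed "name@version" (what `npm view <pkg> time` reports).
PUBLISH_TIMES = {
    "example-utils@1.4.0": "2024-06-01T00:00:00.000Z",
    "example-logger@2.0.1": "2024-01-10T00:00:00.000Z",
    "example-helper@0.0.3": "2026-02-20T12:00:00.000Z",
}


def _utc(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def package_name(path):
    """'node_modules/a/node_modules/b' -> 'b' (the innermost package)."""
    return path.split("node_modules/")[-1]


def review_lockfiles(baseline, current, publish_times, now_iso, recent_days=90):
    """Return (finding, package@version) pairs describing drift from the baseline."""
    findings = []
    old = {k: v for k, v in baseline["packages"].items() if k}   # drop the "" root entry
    new = {k: v for k, v in current["packages"].items() if k}
    cutoff = _utc(now_iso) - timedelta(days=recent_days)
    for path, pkg in new.items():
        spec = f'{package_name(path)}@{pkg["version"]}'
        prev = old.get(path)
        if prev is None:
            findings.append(("added", spec))
        elif prev["version"] == pkg["version"] and prev.get("integrity") != pkg.get("integrity"):
            findings.append(("integrity-changed-same-version", spec))   # tarball swapped under a pinned version
        elif prev["version"] != pkg["version"]:
            findings.append(("version-changed", f'{package_name(path)}@{prev["version"]}->{pkg["version"]}'))
        if pkg.get("hasInstallScript") and (prev is None or prev != pkg):
            findings.append(("install-script", spec))                   # code runs at `npm install` time
        if not pkg.get("resolved", "").startswith(REGISTRY_PREFIX):
            findings.append(("non-registry-source", spec))
        published = publish_times.get(spec)
        if published is None:
            if prev is None:
                findings.append(("no-publish-record", spec))
        elif _utc(published) >= cutoff:
            findings.append(("published-recently", spec))
    for path in old.keys() - new.keys():
        findings.append(("removed", package_name(path)))
    return findings


def packages_to_investigate(findings):
    """Packages whose findings justify treating the CI secrets as exposed."""
    return sorted({spec for kind, spec in findings if kind in HIGH_RISK})


if __name__ == "__main__":
    found = review_lockfiles(BASELINE_LOCK, CURRENT_LOCK, PUBLISH_TIMES, "2026-02-27T00:00:00Z")
    for kind, spec in found:
        print(f"{kind:32} {spec}")
    print("investigate:", packages_to_investigate(found))
```

To run this against a real repository, load both lockfiles with `json.load` (the known-good copy from `git show <good-commit>:package-lock.json`) and populate the publish-time map from the registry; the finding kinds stay the same.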
03 CISA's Workforce Collapse and the Insider Exploit Pipeline to Russia
<h3>Your Federal Safety Net Has Holes — And the Exploit Supply Chain Just Got Sanctioned</h3>
<p>Two developments this cycle fundamentally change your assumptions about federal cyber coordination and the offensive exploit market. <strong>CISA has lost approximately one-third of its workforce</strong>, shut down entire divisions, and operates under an unconfirmed acting director whose leadership has reportedly eroded trust with industry partners. Simultaneously, the <strong>U.S. Treasury sanctioned Operation Zero</strong>, a Russian exploit marketplace, its CEO Sergey Zelenyuk, and associates — including two Trickbot members running exploit brokerages in the UAE and Uzbekistan.</p>
<h4>CISA Capability Degradation: Operational Impact</h4>
<p>This isn't about politics — it's about <strong>operational capability</strong>. CISA nominee Sean Plankey remains unconfirmed by Congress. The practical impact across core missions:</p>
<ul>
<li><strong>Advisory publication:</strong> Slower turnaround on vulnerability advisories and threat alerts</li>
<li><strong>JCDC coordination:</strong> Reduced capacity for joint cyber defense coordination with industry</li>
<li><strong>State and local support:</strong> Degraded assistance to state/local governments and election infrastructure</li>
<li><strong>KEV catalog:</strong> The catalog remains operational but the analytical capacity behind it is diminished</li>
</ul>
<p><em>Some observers believe CISA can rebound if confirmed leadership arrives and staffing is rebuilt, but that timeline is uncertain.</em> Organizations that have relied on CISA as a primary coordination point need backup plans now.</p>
<h4>The Exploit Supply Chain: From Insider Theft to Russian Broker to Sanctions</h4>
<p>Peter Williams, a former executive at <strong>L3Harris's Trenchant unit</strong> — a company developing offensive cyber tools for the U.S. government — stole and sold at least <strong>eight zero-day exploits</strong> to Operation Zero for approximately <strong>$1.3 million in cryptocurrency</strong>. The Justice Department estimated <strong>$35 million in losses</strong> to U.S. government offensive programs. Williams received 87 months in prison.</p>
<p>The sanctions reveal a deeply intertwined ecosystem: Operation Zero acquired exploits stolen from a U.S. defense contractor, and two sanctioned individuals are also <strong>Trickbot malware group members</strong> running exploit brokerages. This confirms that cybercrime infrastructure directly feeds nation-state offensive operations. Sanctions may temporarily disrupt Russia's exploit supply chain, but the network is resilient.</p>
<blockquote>The federal cyber safety net is fraying — CISA lost a third of its people, and the exploit broker that bought stolen U.S. government zero-days just got sanctioned. If your defense strategy depends on anyone but you, it's time to fix that.</blockquote>
Action items
- Audit your organization's dependencies on CISA services — JCDC membership, advisory consumption, KEV catalog integration, incident coordination contacts — and document alternatives using ISACs, private threat intel providers, and peer networks by end of March.
- Conduct a focused inventory and hardening review of all network edge devices — firewalls, VPN appliances, load balancers, remote access gateways — by end of March.
- Review insider threat controls for staff with access to vulnerability research, exploit code, or offensive security tools. Ensure DLP, access logging, and behavioral analytics cover these high-value assets.
- If using SonicWall cloud management or config backup services, rotate all firewall admin credentials, VPN pre-shared keys, and review firewall rules for unauthorized modifications immediately.
Sources: Is the 'Shields Up' era of CISA over? · Risky Bulletin: Russia starts criminal probe of Telegram founder Pavel Durov
04 Pentagon-Anthropic Standoff: AI Vendor Risk Enters Uncharted Territory
<h3>The Defense Production Act Just Entered Your Vendor Risk Framework</h3>
<p>Defense Secretary Pete Hegseth gave Anthropic until <strong>Friday, February 28</strong> to agree to let the Pentagon use Claude for "any lawful use" — including capabilities Anthropic has restricted around mass surveillance and autonomous weapons — or face three escalation paths: contract cancellation, <strong>supply chain risk designation</strong>, or invocation of the <strong>Defense Production Act</strong>. Anthropic CEO Dario Amodei has reiterated the company's refusal to remove ethical guardrails.</p>
<p>This creates a genuinely novel category of third-party risk that eight separate intelligence sources flagged this cycle. The implications cascade differently depending on the outcome:</p>
<table>
<thead><tr><th>Scenario</th><th>Impact on Your Org</th><th>Probability</th></tr></thead>
<tbody>
<tr><td><strong>Anthropic complies</strong></td><td>Safety posture changes; risk assessment invalidated; data may face broader government access terms</td><td>Possible</td></tr>
<tr><td><strong>Supply chain risk designation</strong></td><td>Every Pentagon vendor/contractor must certify non-use of Anthropic models — compliance contagion</td><td>Possible</td></tr>
<tr><td><strong>DPA invocation</strong></td><td>Unprecedented — government can compel any AI vendor; your DPA clauses are untested</td><td>Unlikely</td></tr>
</tbody>
</table>
<h4>Converging Signals: Safety Erosion and Enterprise Expansion</h4>
<p>The Pentagon standoff doesn't exist in isolation. Anthropic simultaneously announced it will <strong>no longer pause development of potentially dangerous models</strong> if a competitor releases comparable capabilities — abandoning a founding safety commitment. And Claude Cowork launched enterprise integrations with <strong>Google Drive, Gmail, DocuSign, FactSet, Slack, Intuit, and LegalZoom</strong> — each creating new OAuth-mediated data flow paths.</p>
<p>The contradiction is stark: Anthropic is <em>expanding its access to your enterprise data</em> while <em>weakening its safety commitments</em> and facing <em>government coercion to remove remaining guardrails</em>. This is the moment where AI vendor risk assessment based on vendor promises alone becomes insufficient.</p>
<h4>Industrial-Scale Model Distillation: The IP Theft Dimension</h4>
<p>Anthropic disclosed that <strong>DeepSeek, Moonshot, and MiniMax</strong> ran coordinated campaigns using approximately <strong>24,000 fake accounts</strong> generating over <strong>16 million interactions</strong> to systematically extract Claude's capabilities. Each lab targeted different domains: DeepSeek focused on reasoning, Moonshot on coding and agent behavior, MiniMax on tool use with near-real-time adaptation to model updates. The proxy infrastructure replaced blocked accounts faster than detection could respond.</p>
<p>For any organization exposing AI models or high-value APIs, this is your threat model: <strong>distributed extraction through mass fake accounts that defeat per-account rate limiting</strong>. You need cross-account behavioral correlation to catch it.</p>
<blockquote>The Pentagon's ultimatum to Anthropic isn't just a policy story — it's the moment third-party AI risk became ungovernable by vendor promises alone, and every CISO needs to treat AI vendor safety commitments as assumptions that can be revoked by government fiat.</blockquote>
Action items
- Inventory all Anthropic/Claude usage — direct API calls, AWS Bedrock integrations, embedded in SaaS products (Intuit, Slack, etc.), and through vendors with DoD ties — by Friday February 28.
- Audit all OAuth grants created by Claude Cowork integrations across Google Workspace, DocuSign, Slack, and FactSet environments. Revoke unauthorized grants and enforce least-privilege scopes.
- Update your third-party risk framework to include a 'government coercion' risk category for AI vendors. Brief legal on DPA implications for all AI vendor contracts.
- If you expose AI models or high-value APIs externally, implement cross-account behavioral anomaly detection that clusters query patterns across accounts — not just per-account rate limiting.
Sources: Pentagon Gives Anthropic Friday Deadline to Agree to Terms or Terminate Contract · Anthropic Refuses to Bow to Pentagon Pressure · Anthropic says it was copied and brought receipts · Claude Cowork updates, KiloClaw agents · Consulting giants join OpenAI to deploy autonomous agent platform · AI Agenda: Why OpenAI's Cerebras Chip Deal Matters
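The last action item asks for detection that clusters query patterns across accounts instead of counting requests per account. The script below is an added example of that idea, not code from this briefing or from Anthropic: every prompt is reduced to a template (numbers and quoted strings replaced by placeholders), each account gets the set of templates it used, accounts whose template sets overlap strongly are joined into clusters, and the cluster's aggregate request volume is reported. The query log, account ids and prompts are constructed: five accounts each stay well under a per-account limit while collectively running the same two harvesting templates, and three ordinary accounts show that a single shared prompt does not trigger the rule.

```python
"""Cross-account correlation for distributed model-extraction traffic (added example)."""
import hashlib
import re
from collections import defaultdict
from itertools import combinations

# Constructed harvesting prompts: two templates, varied only in their literals.
HARVEST_PROMPTS = [
    "Solve the equation 3x + 7 = 22 and show each step",
    "Solve the equation 5x + 9 = 41 and show each step",
    'Write a python function that "parses csv" and returns rows',
    'Write a python function that "reverses a list" and returns rows',
]

# Constructed query log: (account_id, unix_seconds, prompt).
LOG = []
_ts = 1_772_000_000
for _i in range(101, 106):                       # acc-101 .. acc-105 share the templates
    for _p in HARVEST_PROMPTS:
        LOG.append((f"acc-{_i}", _ts, _p))
        _ts += 7
LOG += [                                          # ordinary users with diverse prompts
    ("acc-201", _ts + 1, "What is the capital of France?"),
    ("acc-201", _ts + 2, "Summarize the attached meeting notes in 3 bullets"),
    ("acc-202", _ts + 3, "Translate hello to Spanish"),
    ("acc-202", _ts + 4, "Draft a polite email declining a meeting"),
    ("acc-203", _ts + 5, "Explain the TLS 1.3 handshake"),
    ("acc-203", _ts + 6, "What is the capital of France?"),   # one prompt shared with acc-201
]


def normalise(prompt):
    """Collapse a prompt to its template: literals out, case and spacing fixed."""
    t = prompt.lower()
    t = re.sub(r'"[^"]*"', "<str>", t)
    t = re.sub(r"\d+(\.\d+)?", "<n>", t)
    return re.sub(r"\s+", " ", t).strip()


def template_id(prompt):
    return hashlib.sha256(normalise(prompt).encode()).hexdigest()[:12]


def account_profiles(log):
    """account -> set of template ids, plus account -> request count."""
    profiles, counts = defaultdict(set), defaultdict(int)
    for account, _ts, prompt in log:
        profiles[account].add(template_id(prompt))
        counts[account] += 1
    return profiles, counts


def per_account_offenders(log, limit=10):
    """The per-account rate limit the briefing says distributed extraction defeats."""
    _profiles, counts = account_profiles(log)
    return sorted(a for a, n in counts.items() if n > limit)


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def coordinated_clusters(log, similarity=0.5, min_accounts=3):
    """Join accounts whose template sets overlap; report clusters of min_accounts or more."""
    profiles, counts = account_profiles(log)
    accounts = sorted(profiles)
    parent = {a: a for a in accounts}

    def find(x):                                  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(accounts, 2):
        if jaccard(profiles[a], profiles[b]) >= similarity:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for a in accounts:
        groups[find(a)].append(a)
    clusters = []
    for members in groups.values():
        if len(members) >= min_accounts:
            shared = set.intersection(*(profiles[m] for m in members))
            clusters.append({"accounts": sorted(members),
                             "requests": sum(counts[m] for m in members),
                             "shared_templates": sorted(shared)})
    return sorted(clusters, key=lambda c: -c["requests"])


if __name__ == "__main__":
    print("per-account limit catches:", per_account_offenders(LOG, limit=10))
    for c in coordinated_clusters(LOG):
        print(f'cluster of {len(c["accounts"])} accounts, {c["requests"]} requests, '
              f'{len(c["shared_templates"])} shared templates: {c["accounts"]}')
```

The per-account check returns nothing because each harvesting account made four requests; the cluster view shows the same five accounts as one actor with twenty. In production the template function would be richer (token-level shingles, timing and proxy ASN features), but the structure, profile per account, similarity graph, and aggregate rate per connected component, is what the action item calls for.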
◆ QUICK HITS
- Lazarus group joined Medusa RaaS to target US healthcare — their third ransomware family after Maui and Play; update HIPAA incident response plans for state-sponsored persistence beyond encryption (Source: Risky Bulletin: Russia starts criminal probe of Telegram founder Pavel Durov)
- MuddyWater (TA450) shipping AI-generated Rust malware with Telegram C2 in Operation Olalampo — first confirmed APT use of LLM-generated production code; deploy detection for api.telegram.org from non-browser processes (Source: Vulnerable DJI Vacuums, Distillation Attack Detection, Dependabot Alternative)
- VMware patched command injection in Aria Operations plus two flaws across Cloud Foundation and Telco Cloud — verify patch applicability across all VMware product deployments this week (Source: Boards don't need cyber metrics — they need risk signals)
- North Korean IT worker fraud at staggering scale: 900 fake workers across 40 US companies using 2,500+ stolen identities and laptop farms in Virginia, Tennessee, and California — facilitator sentenced to 5 years (Source: SANS NewsBites Vol. 28 Num. 14)
- Starkiller phishing framework proxies real login pages in real-time to bypass MFA — only FIDO2/WebAuthn with origin binding resists this attack class; accelerate phishing-resistant MFA migration (Source: SANS NewsBites Vol. 28 Num. 14)
- Fake Zoom meeting popup campaign deploying surveillance software via browser-launched executables — push targeted employee awareness alert and update EDR rules for Zoom-branded processes from non-standard paths (Source: Boards don't need cyber metrics — they need risk signals)
- Linux kernel CNA now assigns CVEs to nearly every bug fix, most without CVSS scores — evaluate bootc (bootable containers) for immutable infrastructure or transition to reachability-based patching (Source: Vulnerable DJI Vacuums, Distillation Attack Detection, Dependabot Alternative)
- Conduent breach exposed 25M+ records including SSNs and medical data — check your outsourcing vendor chain for Conduent exposure in employee benefits, government services, or healthcare (Source: Vulnerable DJI Vacuums, Distillation Attack Detection, Dependabot Alternative)
- Cloudflare is first SASE vendor with standards-compliant post-quantum encryption (ML-KEM) at no extra cost — request your SASE vendor's PQC roadmap and begin harvest-now-decrypt-later risk assessment for data sensitive past 2030 (Source: Vulnerable DJI Vacuums, Distillation Attack Detection, Dependabot Alternative)
- Russian cyberattacks on Ukraine's energy grid pivoted from destructive to intelligence-gathering — stolen data now guides missile strikes on mapped facilities, making OT data exfiltration a targeting concern with lethal consequences (Source: Risky Bulletin: Russia starts criminal probe of Telegram founder Pavel Durov)
- Akamai patch available for CVE-2026-26365 (HTTP request smuggling) — apply immediately if Akamai is in your CDN/WAF stack to prevent WAF bypass and cache poisoning (Source: Risky Bulletin: Russia starts criminal probe of Telegram founder Pavel Durov)
- KeePass KDBX format has incompatible TOTP and Passkey implementations across clients — audit if your org uses KeePass-compatible vaults and test cross-client credential integrity (Source: Single-thread your mind, Next.js built in one week, halving Node memory)
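Two of the quick hits end in a concrete detection ask: api.telegram.org traffic from a process that is not a browser (the MuddyWater C2 channel) and Zoom-branded executables running from somewhere other than Zoom's install directory (the fake-meeting lure). The script below is an added example, not code from this briefing or from any EDR vendor, that expresses both as rules over key=value endpoint telemetry. The five telemetry lines, host names and file paths are constructed; the browser allowlist and the two Zoom install-directory patterns are assumptions to replace with your own baselines before deploying.

```python
"""Two endpoint detection rules run over constructed telemetry (added example)."""
import re
from fnmatch import fnmatchcase

# Constructed telemetry in a key=value layout (quoted values may contain spaces).
TELEMETRY = [
    'ts=2026-02-27T09:01:02Z host=ws-17 event=network process=chrome.exe path="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" dest=api.telegram.org:443',
    'ts=2026-02-27T09:03:44Z host=ws-17 event=network process=svchelper.exe path="C:\\Users\\alice\\AppData\\Local\\Temp\\svchelper.exe" dest=api.telegram.org:443',
    'ts=2026-02-27T09:05:10Z host=ws-22 event=process process=Zoom.exe path="C:\\Users\\bob\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe" dest=-',
    'ts=2026-02-27T09:06:31Z host=ws-22 event=process process=Zoom.exe path="C:\\Users\\bob\\Downloads\\Zoom.exe" dest=-',
    'ts=2026-02-27T09:07:00Z host=ws-09 event=network process=notepad.exe path="C:\\Windows\\System32\\notepad.exe" dest=updates.example.invalid:443',
]

# Assumed baselines: processes allowed to talk to Telegram, and where Zoom normally lives.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
ZOOM_INSTALL_PATTERNS = [
    r"c:\users\*\appdata\roaming\zoom\bin\*.exe",   # per-user install (assumption)
    r"c:\program files*\zoom\bin\*.exe",            # machine-wide install (assumption)
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value telemetry line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def telegram_from_non_browser(ev):
    """Network egress to api.telegram.org by anything that is not an allowed browser."""
    if ev.get("event") != "network":
        return False
    host = ev.get("dest", "").rsplit(":", 1)[0].lower()
    return host == "api.telegram.org" and ev.get("process", "").lower() not in BROWSERS


def zoom_outside_install_dir(ev):
    """A Zoom-named executable whose on-disk path is not a known Zoom install location."""
    name = ev.get("process", "").lower()
    if not (name.startswith("zoom") and name.endswith(".exe")):
        return False
    path = ev.get("path", "").lower()
    return not any(fnmatchcase(path, pat) for pat in ZOOM_INSTALL_PATTERNS)


RULES = [
    ("telegram-c2-non-browser", telegram_from_non_browser),
    ("zoom-outside-install-dir", zoom_outside_install_dir),
]


def run_detections(lines):
    """Return (rule, host, process, path) for every telemetry line that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for rule_name, rule in RULES:
            if rule(ev):
                hits.append((rule_name, ev.get("host"), ev.get("process"), ev.get("path")))
    return hits


if __name__ == "__main__":
    for hit in run_detections(TELEMETRY):
        print(" | ".join(hit))
```

Chrome reaching api.telegram.org and Zoom.exe under AppData\Roaming\Zoom\bin are left alone; the Temp-directory binary calling Telegram and the Zoom.exe launched from Downloads are the two alerts. Both rules are deliberately allowlist-shaped so that a renamed or repackaged binary still trips them.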
BOTTOM LINE
APT28 is exploiting a Microsoft browser zero-day right now, a self-propagating NPM worm with a dormant wipe payload is targeting your CI/CD pipelines and AI coding tools, CISA has lost a third of its workforce, and the Pentagon is threatening to invoke the Defense Production Act against Anthropic by Friday — patch CVE-2026-21513 and audit your NPM dependencies today, build contingency plans for degraded federal coordination this month, and inventory your Anthropic exposure before the deadline hits.
Frequently asked
- What should I do first about the APT28 zero-day in Microsoft's browser?
- Verify that the February 2026 Microsoft patches covering CVE-2026-21513 are deployed across 100% of endpoints, and enable ASR rules that block .lnk execution from untrusted sources. APT28 is using crafted .lnk files with embedded HTML to bypass Mark of the Web and the browser sandbox, with email attachments, USB drives, and file shares all serving as viable initial access paths.
- How do I tell if the NPM worm has already touched my CI/CD pipeline?
- Run npm audit across all repositories, check lockfile integrity, review packages added in the last 90 days, and rotate every CI/CD secret — API keys, deploy tokens, cloud credentials, and signing keys. The worm harvests secrets from CI environments, propagates through build systems into packages consumed by AI coding tools, and carries a dormant wipe payload that can be activated remotely, so assume harvested secrets are already in adversary hands.
- Which Cline CLI version is compromised and what should I do if I find it?
- Cline CLI 2.3.0, published on February 17 and live for roughly eight hours, shipped the malicious OpenClaw agent. Treat any endpoint running that version — or any OpenClaw artifact — as a confirmed compromise: isolate the host, capture a forensic image, rotate all credentials the developer had access to, and investigate for lateral movement before rebuilding.
- With CISA degraded, where should I get vulnerability and threat coordination instead?
- Document alternatives now: sector ISACs, private threat intelligence providers (VulnCheck, Mandiant, CrowdStrike), peer CISO networks, and direct vendor PSIRT feeds. CISA has lost about a third of its workforce, shut down divisions, and operates under an unconfirmed acting director, so advisory turnaround, JCDC coordination, and state/local support are all slower — you need backup channels mapped before your next major incident, not during it.
- Why does the Pentagon-Anthropic standoff matter for my AI vendor risk program?
- Because it establishes that government coercion — via contract leverage, supply chain risk designation, or the Defense Production Act — can override a vendor's published safety commitments on short notice. Inventory all Claude usage (direct, via Bedrock, and embedded in SaaS like Slack or Intuit) before the February 28 deadline, and add a government-coercion risk category to your third-party framework that applies to every major AI vendor, not just Anthropic.