$ today-brief --date 2026-06-10
[VERDICT: CRITICAL]

A multi-pronged assault on critical infrastructure and software supply chains demands immediate defensive action today. Iranian-affiliated threat actors are actively exploiting internet-exposed industrial control systems, while new vulnerabilities in network hardware and a sophisticated attack on Azure DevOps repositories create a perfect storm for defenders.

Iranian APTs Actively Targeting US Industrial Control Systems

Iranian advanced persistent threat (APT) actors are conducting widespread exploitation of programmable logic controllers (PLCs) across U.S. critical infrastructure sectors. These attacks target internet-facing Rockwell Automation/Allen-Bradley systems, specifically exploiting services on ports 44818/TCP and 2222/TCP. The advisory indicates these actors are moving beyond reconnaissance to active exploitation, posing a direct threat to operational technology (OT) environments controlling physical processes. Immediate network segmentation is critical—block all internet access to these PLCs at the firewall and mandate VPN access with multi-factor authentication for any remote management. Organizations must update ControlLogix and CompactLogix firmware to the latest secure versions (32.XXX or later) and disable unused Common Industrial Protocol (CIP) services via RSLogix configuration.

Azure Repos Compromise Signals New Supply Chain Attack Vector

A significant software supply chain attack is underway, with threat actors compromising Azure DevOps Repos to inject malicious code. This attack, reminiscent of the Miasma campaign, focuses on injecting backdoors into pipeline YAML files and package.json/npm dependencies. When developers pull these poisoned repositories, the malicious code executes in their build pipelines, potentially compromising entire application delivery chains. This comes as GitHub announces npm v12 security changes designed to block similar supply-chain attacks triggered by npm install commands. Defenders must immediately audit Azure DevOps Repos for unauthorized commits, particularly examining pipeline configurations and dependency files. Enforce npm v12+ in CI/CD pipelines using .npmrc with engine-strict=true and implement Sigstore/cosign for package provenance verification.

Network Perimeter Vulnerabilities Expose Critical Assets

Multiple critical vulnerabilities in network infrastructure devices are creating easy entry points for attackers. TP-Link’s Omada switches contain a severe memory corruption flaw (CVE-2026-1668) in their web interface that could lead to remote code execution without authentication. Similarly, Voltronic Power SNMP Web Pro version 1.1 has an authentication bypass vulnerability (CVE-2026-22192) allowing attackers to manipulate browser localStorage to gain privileged access. Check Point VPN gateways are also under active exploitation with a zero-day vulnerability (referenced as CVE-2026-XXXX) affecting R81.20 and earlier versions. Network defenders must apply emergency hotfix CPHUB-XXXXX immediately, block external access to Omada switch web interfaces via ACLs, and isolate Voltronic Power devices behind reverse proxies with mandatory authentication.

Ransomware and Targeted Data Theft Campaigns Accelerate

The ransomware group ‘The Gentlemen’ has rapidly ascended to become the second most active ransomware operation by victim count, using an aggressive affiliate model that offers 90% payout shares. Meanwhile, the ShinyHunters extortion gang is specifically targeting Oracle PeopleSoft servers in data theft attacks, claiming breaches at over 100 organizations. These parallel campaigns highlight the dual threats of encryption-based extortion and pure data exfiltration. Organizations should deploy behavioral detection for ransomware via Windows Event ID 4688 (process creation) monitoring and enable strict application control (AppLocker/WDAC) to block execution from user-writable directories. For PeopleSoft environments, apply the latest Oracle Critical Patch Update (CPU) patches (July 2026) and enable Activity Guide monitoring for abnormal data export patterns.
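As an added example (not part of the brief), a small Python check that applies the Event ID 4688 guidance above to constructed sample records: it flags processes launched from, or spawned by, user-writable directories and command lines that delete shadow copies. The directory list, the field layout and the sample events are assumptions for illustration.

```python
import re
# Assumed list of directories a standard user can write to; extend it for your estate.
USER_WRITABLE = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I),
    re.compile(r"^[a-z]:\\(users\\public|programdata|windows\\temp)\\", re.I),
]
# Shadow-copy deletion is a common pre-encryption step, so match it in the command line.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)

# Constructed 4688 records in a "Field: value" layout, one blank line between events.
SAMPLE_4688 = r"""Event ID: 4688
New Process Name: C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe
Creator Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Process Command Line: "C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe" /s

Event ID: 4688
New Process Name: C:\Windows\System32\vssadmin.exe
Creator Process Name: C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe
Process Command Line: vssadmin.exe delete shadows /all /quiet

Event ID: 4688
New Process Name: C:\Program Files\Git\bin\git.exe
Creator Process Name: C:\Windows\System32\cmd.exe
Process Command Line: git pull
"""

def from_user_writable(path: str) -> bool:
    return any(p.search(path) for p in USER_WRITABLE)

def parse_4688(text: str) -> list[dict]:
    """Split blank-line-separated records into dicts, keeping only Event ID 4688."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.partition(": ")[::2] for line in block.splitlines())
        if fields.get("Event ID") == "4688":
            events.append(fields)
    return events

def find_suspicious(events: list[dict]) -> list[tuple[str, str]]:
    """Return (new process, reason) pairs for every rule an event trips."""
    hits = []
    for ev in events:
        new_proc = ev.get("New Process Name", "")
        if from_user_writable(new_proc):
            hits.append((new_proc, "launched from a user-writable directory"))
        if from_user_writable(ev.get("Creator Process Name", "")):
            hits.append((new_proc, "parent lives in a user-writable directory"))
        if SHADOW_DELETE.search(ev.get("Process Command Line", "")):
            hits.append((new_proc, "shadow copy deletion via vssadmin"))
    return hits
```

Running `find_suspicious(parse_4688(SAMPLE_4688))` yields three alerts: the Temp-launched viewer, and the vssadmin call both for its parent and for the shadow-copy deletion, while the git pull passes clean.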

Engineering Software Vulnerabilities Require Specialized Defenses

Digilent DASYLab, software used in engineering and scientific data acquisition, contains three memory corruption vulnerabilities (CVE-2026-0955, CVE-2026-0956, CVE-2026-0957) that could lead to arbitrary code execution when users open malicious .DSY files. These vulnerabilities are particularly concerning as they target specialized software often running in critical research, manufacturing, or infrastructure environments. Defenders should implement file type filtering at email and network perimeters to block .DSY files and ensure DASYLab only runs on isolated engineering workstations with restricted network access. Monitor for vendor advisory DSA-2026-XXX and apply patches immediately upon release.

First, immediately block internet access to Rockwell Automation PLC ports (44818, 2222) and audit Azure DevOps Repos for signs of the Miasma-like compromise in pipeline files. Second, apply the emergency hotfix for Check Point VPN gateways and update Omada switches to patch CVE-2026-1668. Third, implement Windows Event ID 4688 monitoring for ransomware detection and enforce npm v12+ in all CI/CD pipelines to mitigate supply chain attacks.