PROBABLYPWNED
Malware | May 29, 2026 | 4 min read

CISA Adds Three Supply Chain Attacks to KEV — Federal Deadline June 10

Daemon Tools, TanStack, and Nx Console all compromised via supply chain attacks. CVSS scores up to 9.5. CISA mandates federal remediation by June 10.

James Rivera

CISA added three supply chain compromises to its Known Exploited Vulnerabilities catalog on May 27, setting a June 10 remediation deadline for federal agencies. The attacks hit Daemon Tools Lite, 42 TanStack npm packages, and the Nx Console VS Code extension—collectively affecting millions of developers and end users.

All three share a common pattern: attackers compromised legitimate distribution channels to deliver malware through software users had every reason to trust.

Daemon Tools Lite: Signed Malware From the Vendor

CVE-2026-8398 represents one of the more alarming supply chain attacks we've seen this year. Attackers breached AVB Disc Soft's build or distribution infrastructure and trojanized official Daemon Tools Lite installers distributed from the vendor's website between April 8 and May 5, 2026.

Three binaries were backdoored: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. The malicious files carried valid AVB Disc Soft code-signing signatures, so Authenticode verification and any allowlisting keyed to the vendor's certificate passed them as legitimate; a Windows signature check gave no indication that anything was wrong.

The affected versions span 12.5.0.2421 through 12.5.0.2434, all downloaded from the official daemon-tools.cc domain. Version 12.6 and newer are clean.

This is exactly the scenario that makes supply chain attacks so effective. Users downloading software from the official source, signed by the official certificate, had no reasonable way to detect the compromise. A valid signature only proves which key signed the file; when the build or signing pipeline itself is compromised, it says nothing about whether the build is clean. The CVE carries a CVSS score of 9.3.

TanStack: 84 Malicious npm Versions

CVE-2026-45321 (CVSS 9.5) affected 42 popular @tanstack npm packages—including TanStack Query, TanStack Router, and TanStack Table, which collectively see millions of weekly downloads.

Attackers exploited a GitHub Actions misconfiguration to publish 84 malicious package versions. The technique combined cache poisoning with theft of the workflow's OIDC token, the short-lived identity that npm trusted publishing accepts in place of a long-lived publish token, allowing the attackers to publish with the same identity npm grants the project's own release workflow.

The malicious versions contained credential-stealing malware targeting developer secrets, environment variables, and authentication tokens. Given that TanStack packages are foundational to many React applications, the blast radius extends well beyond developers themselves—any secrets present in CI/CD environments or development machines were at risk.

This continues a troubling trend. Earlier this month, we covered Shai-Hulud copycats flooding npm with infostealer-laden packages. The TanStack attack demonstrates that even well-maintained, popular packages can be weaponized.

Nx Console: 36 Minutes of Exposure

CVE-2026-48027 (CVSS 9.3) tracks the compromise of the Nx Console extension for Visual Studio Code. Version 18.95.0 was uploaded to both the Visual Studio Marketplace and Open VSX with malicious code embedded in the extension.

The compromised version remained available for approximately 36 minutes on May 19, 2026, before the maintainers identified and removed it. Version 18.100.0 is confirmed clean.

While the exposure window was short, VS Code auto-updates extensions by default, so a developer did not need to do anything to receive 18.95.0; anyone whose editor installed or updated the extension during that window may have been compromised. We previously reported on the Nx Console incident when it first emerged, noting that the attackers targeted credential storage.

Common Thread: Distribution Infrastructure

All three attacks share a pattern: rather than tricking users into downloading from malicious sources, attackers compromised the legitimate distribution channels themselves.

  • Daemon Tools: Vendor build/distribution systems
  • TanStack: GitHub Actions CI/CD pipeline
  • Nx Console: Extension marketplace publish credentials

This makes detection significantly harder. Traditional security advice—"only download from official sources"—fails when official sources are compromised.

Remediation Steps

For federal agencies, CISA mandates remediation by June 10, 2026, under Binding Operational Directive 22-01.

Daemon Tools Lite:

  1. Check installed version — affected range is 12.5.0.2421 through 12.5.0.2434
  2. If affected, uninstall completely and run AV/EDR scans
  3. Reinstall version 12.6 or newer if needed

TanStack packages:

  1. Audit your lockfile (package-lock.json, yarn.lock, or pnpm-lock.yaml), any node_modules already on disk, and CI dependency caches for compromised versions (check TanStack's security advisory for the specific versions)
  2. Rotate any secrets that may have been exposed in development or CI environments
  3. Update to current patched versions

Nx Console:

  1. Check whether Nx Console was installed or updated on May 19, 2026, during the roughly 36-minute window in which 18.95.0 was available
  2. If potentially affected, rotate developer credentials and review for unauthorized access
  3. Update to version 18.100.0 or newer

Why This Matters

Supply chain attacks are becoming the default approach for sophisticated threat actors. Why spend effort tricking individual users when you can compromise the pipeline and reach thousands or millions at once?

CISA's decision to add these to the KEV catalog signals growing federal recognition that supply chain integrity is a national security issue—not just an inconvenience for developers.

For organizations outside federal mandates, treat the June 10 deadline as a reasonable benchmark. If you're running any of these affected components, assume compromise and respond accordingly.


Advisory details from CISA and Security Affairs.
