Threat Advisories

Multiple Supply Chain Vulnerabilities Added to CISA KEV Catalog

Written by Integrity360 | May 29, 2026 8:37:52 PM

CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on May 27, 2026, confirming that they are actively exploited in real-world attacks.

While these vulnerabilities affect different technologies, they share a common theme: compromise of trusted software distribution and development pipelines. Unlike traditional vulnerabilities targeting exposed services, these issues enable attackers to distribute malicious code through legitimate channels such as software installers, npm packages, and development tools.

The three vulnerabilities are:

    • CVE-2026-8398: Daemon Tools Lite
    • CVE-2026-45321: TanStack (npm ecosystem)
    • CVE-2026-48027: Nx Console (developer tooling)

These entries highlight an increasing focus on software supply chain attacks targeting both end users and developer environments.

Affected Components

CVE-2026-8398: Daemon Tools Lite

This vulnerability involved a supply chain attack that compromised the official installation packages of Daemon Tools Lite distributed through the vendor’s legitimate website. Attackers gained access to the vendor’s build or distribution infrastructure and embedded malicious code into digitally signed binaries.

Unlike traditional vulnerabilities that require exploitation of a running service, this issue represents a software supply-chain compromise in which malicious code was embedded within software distributed to end users. Because the software appeared legitimate, affected systems may have trusted and executed the installer without triggering conventional security controls.

CVE-2026-45321: TanStack

This vulnerability involved a supply-chain compromise within the TanStack npm ecosystem. Attackers leveraged legitimate GitHub Actions publishing workflows and trusted OIDC authentication to distribute malicious package versions under legitimate @tanstack/* package namespaces.

The malicious packages contained credential-stealing malware and could impact downstream applications or developer environments that installed affected dependencies through normal package management workflows.

Because the compromised packages were distributed through trusted npm channels and appeared legitimate, organizations using affected dependencies may have unknowingly introduced malicious code into development or production environments.

CVE-2026-48027: Nx Console

This vulnerability involved a supply-chain compromise of Nx Console, a developer extension used with Nx and Lerna workflows. A malicious version of the extension (18.95.0) was briefly published through official marketplaces, including Visual Studio Marketplace and OpenVSX.

The compromised extension contained embedded malicious code and could expose affected developer workstations to unauthorized code execution or credential theft. Because the extension was distributed through legitimate marketplaces and appeared authentic, developers may have unknowingly installed the malicious version through normal update or installation workflows.

Threat Activity

All three vulnerabilities have been added to the KEV catalog, indicating confirmed exploitation in the wild.

Unlike traditional exploitation of exposed services, these attacks leverage trusted update mechanisms, package registries, and development tooling to reach victims indirectly. This increases the likelihood of compromise even in otherwise well-secured environments.

What This Means for Organizations

These vulnerabilities demonstrate a shift from direct exploitation to indirect compromise via trusted software sources. Organizations may be exposed if they:

    • Download software from compromised distribution channels
    • Use affected open-source dependencies in applications
    • Allow developer tools or extensions without strict validation
    • Do not maintain visibility into software supply chains

Because the attack vector occurs upstream, infections can propagate across multiple systems before detection.

Recommended Mitigation Steps

1. Apply Vendor Updates Immediately

Ensure all affected software (Daemon Tools, TanStack dependencies, Nx Console) is updated to secure versions or removed if updates are not available.

2. Review Software Supply Chain Exposure

    • Identify dependencies using TanStack packages
    • Perform software composition analysis (SCA) where possible
    • Verify integrity of installed developer tools and plugins
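
One way to run the first and third checks above on a developer machine or build agent, as an added example that is not part of the original advisory: it lists every @tanstack/* entry in a package-lock.json and flags extension folders holding the Nx Console version named above (18.95.0). The extension ID `nrwl.angular-console`, the folder naming scheme, and all sample data are assumptions; the bad-version map must be filled in from the vendor or registry advisory because this page lists no TanStack version numbers.

```python
import json
import re

NX_CONSOLE_BAD = "18.95.0"  # malicious Nx Console version named in the advisory
# Assumption: marketplace ID "nrwl.angular-console"; editors unpack extensions
# into "<publisher>.<name>-<version>[-<platform>]" folders.
NX_DIR = re.compile(r"^nrwl\.angular-console-(\d+\.\d+\.\d+)(?:-|$)", re.I)


def tanstack_packages(lock_text):
    """List (name, version, lock path) for each @tanstack/* entry in a
    package-lock.json "packages" map (lockfileVersion 2 or 3), so nested and
    transitive copies are reported too."""
    found = set()
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        # Keys look like "node_modules/x/node_modules/@tanstack/y".
        name = meta.get("name") or path.rpartition("node_modules/")[2]
        if name.startswith("@tanstack/") and "version" in meta:
            found.add((name, meta["version"], path))
    return sorted(found)


def flagged(packages, bad_versions):
    """Keep entries whose version is in bad_versions[name]; fill that map from
    the vendor or registry advisory (the page lists no version numbers)."""
    return [p for p in packages if p[1] in bad_versions.get(p[0], ())]


def nx_console_hits(folder_names):
    """Return extension folders that hold the malicious Nx Console version."""
    hits = []
    for folder in folder_names:
        m = NX_DIR.match(folder)
        if m and m.group(1) == NX_CONSOLE_BAD:
            hits.append(folder)
    return hits


# Constructed sample data: versions and the bad-version map are placeholders.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@tanstack/react-query": {"version": "0.0.1"},
    "node_modules/ui-kit/node_modules/@tanstack/query-core": {"version": "0.0.2"},
    "node_modules/left-pad": {"version": "1.3.0"}}})
SAMPLE_BAD = {"@tanstack/query-core": {"0.0.2"}}
SAMPLE_FOLDERS = ["nrwl.angular-console-18.95.0", "nrwl.angular-console-18.94.0",
                  "ms-python.python-2024.0.1"]

if __name__ == "__main__":
    pkgs = tanstack_packages(SAMPLE_LOCK)
    print(pkgs, flagged(pkgs, SAMPLE_BAD), nx_console_hits(SAMPLE_FOLDERS))
```

In practice, feed `tanstack_packages` the text of each repository's lockfile and `nx_console_hits` the output of `os.listdir` on the editor's extensions directory.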

3. Monitor for Indicators of Compromise

    • Unexpected credential access or exfiltration activity
    • Unusual processes launched from developer tools
    • Suspicious outbound network connections from developer systems

4. Restrict Use of Untrusted Software Sources

    • Limit downloads from unofficial channels
    • Enforce signing and verification requirements for software and extensions
    • Control installation of IDE plugins and third-party tools

Risk Summary

These vulnerabilities represent a high-impact supply chain risk rather than a traditional network-exposed vulnerability. Because they target trusted software delivery mechanisms, exploitation may bypass conventional perimeter defenses and impact both end users and development environments.

Organizations should treat these KEV entries as priority remediation items and assess whether any affected software or dependencies are present within their environment.