Vulnerability  ·  2026-05-28

CISA KEV: Three Supply-Chain Attack CVEs Added — TanStack npm Worm, Nx Console Credential Stealer, DAEMON Tools Trojan

Vulnerability  ·  High impact  ·  Global  ·  CVE-2026-45321 / CVE-2026-48027 / CVE-2026-8398
CISA added three supply-chain malware CVEs to the KEV catalog on May 27, all confirmed with active in-the-wild exploitation.
CVE-2026-45321 (TanStack, CVSS 9.6): Malicious versions of @tanstack npm packages were published via TanStack's own CI pipeline through a chained Pwn Request + Actions cache poisoning + OIDC token extraction attack, producing 84 malicious versions across 42 packages and affecting OpenAI, Mistral AI, UiPath, and others.
CVE-2026-48027 (Nx Console, CWE-506): Malicious version 18.95.0 of the Nx Console VS Code extension executed a hidden payload on workspace activation that harvested developer and cloud credentials and was used as an intermediate step in the breach of ~3,800 GitHub internal repositories.
CVE-2026-8398 (DAEMON Tools Lite, CWE-506): Official installer distributed from the legitimate DAEMON Tools website for approximately one month contained embedded malicious code; federal due date June 3, 2026.
Supply chain: (1) TanStack — attacker abused a GitHub Actions pull_request_target workflow with Actions cache poisoning and OIDC token extraction to publish malicious npm packages via TanStack's legitimate CI, targeting credential stores in developer and CI/CD environments. (2) Nx Console — malicious VS Code extension auto-ran an obfuscated Bun payload on workspace activation, exfiltrating credentials and installing macOS persistence. (3) DAEMON Tools — trojanized installer distributed from the vendor's official download page during the infection window.
TanStack: all @tanstack/* npm package consumers during the ~6-minute window; downstream: OpenAI employee devices, Mistral AI, UiPath, Guardrails AI, OpenSearch. Nx Console: VS Code users with version 18.95.0; downstream: GitHub internal repository infrastructure. DAEMON Tools Lite: Windows users who installed from the official site during the April 2026 window.
For TanStack: audit all CI/CD environments for compromised @tanstack package versions and rotate any credentials (cloud keys, npm tokens, GitHub tokens, SSH keys) present in affected build environments. For Nx Console: remove version 18.95.0 immediately, scan for persistence mechanisms (macOS LaunchAgents), and rotate developer and cloud credentials. For DAEMON Tools: identify and quarantine endpoints with affected installer versions and conduct a credential audit on those machines. General: implement allowlists for VS Code extensions and npm packages, and harden GitHub Actions workflows to prevent Pwn Request attacks (pin actions by SHA, use environment protection rules).
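One way to check workflows for the conditions named above (pull_request_target with PR-head checkout, cache use, OIDC write permission, unpinned actions), as an added example that is not from CISA or any affected project. The sample workflow and the rule names are constructed, and the check is a line-based heuristic rather than a full YAML parse.

```python
import re

# Constructed sample workflow for illustration; not taken from any real repository.
SAMPLE = """\
on:
  pull_request_target:
permissions:
  id-token: write
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - run: npm ci
"""

USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PINNED = re.compile(r"@[0-9a-f]{40}$")  # full 40-hex commit SHA
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
OIDC = re.compile(r"\bid-token:\s*write\b")


def audit_workflow(text):
    """Return (line_no, rule) findings for the text of one workflow file."""
    # Drop YAML comments so commented-out triggers and steps are ignored.
    lines = [re.sub(r"(^|\s)#.*", "", l) for l in text.splitlines()]
    # pull_request_target runs with the base repository's secrets and token.
    privileged = any(re.search(r"\bpull_request_target\b", l) for l in lines)
    findings = []
    for no, line in enumerate(lines, 1):
        m = USES.match(line)
        if m:
            ref = m.group(1).strip("'\"")
            local = ref.startswith(("./", "docker://"))
            if not local and not PINNED.search(ref):
                findings.append((no, "unpinned-action"))
            if privileged and ref.startswith("actions/cache"):
                findings.append((no, "cache-in-privileged-workflow"))
        if privileged and PR_HEAD.search(line):
            findings.append((no, "pr-head-checkout-in-pull_request_target"))
        if privileged and OIDC.search(line):
            findings.append((no, "oidc-write-in-privileged-workflow"))
    return findings


if __name__ == "__main__":
    for no, rule in audit_workflow(SAMPLE):
        print(f"line {no}: {rule}")
```

Run it over each file under .github/workflows/ and treat any finding in a pull_request_target workflow as a review item before the next release.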
Sources
CISA Known Exploited Vulnerabilities Catalog
NVD — CVE-2026-45321 (TanStack)
NVD — CVE-2026-48027 (Nx Console)
Corgea Research — GitHub Breach via Nx Console Extension