🚨 CRITICAL ALERT: Active Zero-Day Exploits
Three CVSS 9.6–9.8 supply-chain and package ecosystem compromises have been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation and urgent remediation requirements. Organizations using npm packages, DAEMON Tools Lite, or Nx Console should assume exposure until affected versions are removed and systems are verified clean.
Critical Vulnerabilities (CVSS >= 8.0)
- CVE-2026-45321 (CVSS: 9.6): On 2026-05-11, attackers published 84 malicious versions across 42 @tanstack/* npm packages through a legitimate GitHub Actions OIDC trusted-publisher path for TanStack/router, chaining a pull_request_target misconfiguration, GitHub Actions cache poisoning, and runtime extraction of the OIDC token to publish credential-stealing malware under a trusted identity. View NVD | CISA KEV
- CVE-2026-8398 (CVSS: 9.8): A supply-chain compromise affected official DAEMON Tools Lite Windows installers (12.5.0.2421 through 12.5.0.2434), where trojanized binaries—DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—were distributed from the legitimate vendor website and signed with the vendor’s valid code-signing certificate, making the malicious installers appear trustworthy. View NVD | CISA KEV
- CVE-2026-48027 (CVSS: 9.8): A malicious Nx Console version 18.95.0 was briefly published to Visual Studio Marketplace and OpenVSX on 2026-05-19; the compromised package was available for minutes before removal, and users should remediate by upgrading to version 18.100.0, which is not compromised. View NVD | CISA KEV
⚡ Immediate Actions Required
1. Audit software inventory immediately for affected @tanstack/* packages, DAEMON Tools Lite installers, and Nx Console installations, with special attention to versions installed or cached during the exposure windows.
2. Remove or quarantine any affected npm artifacts, reinstall from known-good versions, and rotate credentials if build pipelines, developer workstations, or package consumers may have executed malicious package code.
3. For DAEMON Tools Lite, uninstall impacted versions, verify the integrity of the installation source, and treat any execution of the trojanized binaries as a potential endpoint compromise.
4. Upgrade Nx Console to 18.100.0 or later, and invalidate any marketplace caches or extensions obtained during the malicious publication window.
5. Increase monitoring for unexpected credential theft, suspicious outbound connections, package-install activity, and abnormal build or developer-tool behavior; these incidents reflect an active, high-confidence supply-chain threat rather than isolated malware delivery.
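Added example, not part of the original alert: one way to carry out the npm portion of step 1 is to inventory every @tanstack/* entry in a project's lockfile and compare it against the affected-version list from the advisory. The function names, the sample lockfile, the package names and the version strings below are constructed placeholders; the alert itself does not enumerate the 84 affected versions, so that list has to be supplied from the advisory.

```javascript
// Inventory @tanstack/* entries in a parsed npm lockfile and flag any
// name@version pair that appears in a caller-supplied advisory list.
function findTanstack(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || meta.link) continue; // skip the root project and workspace links
    const i = path.lastIndexOf("node_modules/");
    const name = meta.name || (i >= 0 ? path.slice(i + 13) : path);
    if (name.startsWith("@tanstack/")) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively so that
  // transitive copies under other packages are not missed.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name.startsWith("@tanstack/")) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// advisory: { "<package name>": ["<affected version>", ...] }
function flagAffected(hits, advisory) {
  return hits.filter((h) => (advisory[h.name] || []).includes(h.version));
}

// Constructed sample lockfile (not real packages or versions).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@tanstack/example-pkg": { version: "9.9.9-constructed" },
    "node_modules/left/node_modules/@tanstack/example-pkg": { version: "1.0.0" },
    "node_modules/@tanstack/other-pkg": { version: "2.0.0" },
    "node_modules/unrelated": { version: "3.1.4" },
  },
};
// Constructed placeholder; replace with the affected versions from the advisory.
const ADVISORY = { "@tanstack/example-pkg": ["9.9.9-constructed"] };

console.log("all @tanstack entries:", findTanstack(SAMPLE_LOCK));
console.log("affected:", flagAffected(findTanstack(SAMPLE_LOCK), ADVISORY));
```

For a real project, pass the parsed contents of package-lock.json to findTanstack; a clean result only covers what the lockfile records, so CI caches and developer machines that installed during the exposure window still need separate checks.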

