Canadian Cyber Security Journal

CISA KEV: Nx Console, TanStack, and Daemon Tools Lite Supply-Chain Attacks Officially Catalogued — What Canadian Developer Teams Must Do Now

What Happened

CISA added three developer-tool supply-chain attacks to its Known Exploited Vulnerabilities catalog on May 27, 2026, assigning formal CVE identifiers and setting a federal remediation deadline of June 10, 2026.

CVE-2026-8398 — DAEMON Tools Lite: Between April 8 and May 5, 2026, attackers with unauthorized access to Disc Soft’s (AVB Disc Soft) build or distribution infrastructure trojanized three binaries — DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe — distributed through the legitimate daemon-tools.cc website. Anyone who installed DAEMON Tools Lite from the official site during this window received a backdoored binary.

CVE-2026-45321 — TanStack npm packages: Attackers abused a GitHub Actions OIDC token theft vector — combining cache poisoning and a pull_request_target misconfiguration — to publish 84 malicious versions of 42 @tanstack packages. The @tanstack/react-router package alone receives approximately 12 million weekly downloads.

CVE-2026-48027 — Nx Console VS Code extension: A malicious version 18.95.0 of the Nx Console extension was published to Visual Studio Marketplace and OpenVSX on May 19, 2026, and remained available for up to 36 minutes before removal. Nx Console is a widely used Angular, React, and monorepo management tool.

Source: CISA / Security Affairs

Why This Matters for Canadian Organizations

Canadian development teams are heavy users of all three of these tools. DAEMON Tools Lite is widely installed on developer and power-user workstations in Canadian IT shops and government digital services. @tanstack packages sit inside the dependency chains of thousands of Canadian web applications — any build that ran npm install between mid-April and early May 2026 against these packages should be considered potentially compromised. Nx Console is a standard VS Code extension across Angular and React teams.

These three CVEs formalize what threat researchers have been tracking since April: a sustained campaign targeting the developer toolchain rather than application vulnerabilities. Once a trojanized build tool, package, or IDE extension runs on a developer workstation, it has access to environment variables, SSH keys, cloud credentials (AWS, GCP, Azure), GitHub tokens, and CI/CD pipeline secrets. Under Canada’s OSFI Guideline B-13, federally regulated financial institutions must maintain third-party software risk management processes. These supply-chain compromises are precisely the scenario B-13 is designed to address — external software running inside the institution’s development environment with implicit trust.

The Nx Console 36-minute exposure window underlines how quickly a malicious extension release can reach production machines before detection. Standard package pinning and hash verification do not protect against a compromised official publisher signing key or authenticated package upload.

What to Do

For DAEMON Tools Lite: if you installed from daemon-tools.cc between April 8 and May 5, 2026, treat the machine as compromised. Rotate all credentials accessible from that workstation — cloud provider keys, GitHub tokens, SSH keys, VPN credentials. Reinstall from a clean version 12.6.0.2445 or later and verify the binary hash against the vendor’s published values.

For TanStack: audit your package-lock.json and yarn.lock files for @tanstack packages published between April 10 and May 11, 2026. Use a software composition analysis tool to scan for the malicious artifact hashes CISA has published. Rotate any cloud or CI credentials accessible during the affected build pipeline runs.

For Nx Console: check VS Code extension version history. If version 18.95.0 was ever installed, rotate all credentials accessible from that machine. Update to the latest clean release.

Across all three: review your developer workstation endpoint detection logs for the relevant dates, look for anomalous outbound connections or credential export behaviour, and report confirmed compromises to the Canadian Centre for Cyber Security at cyber.gc.ca.
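For the TanStack lockfile audit described above, here is an added example (not from CISA, TanStack, or the original article) that lists every @tanstack entry in a parsed package-lock.json and flags versions whose registry publish time falls in the April 10 to May 11, 2026 window. The lockfile, versions, and publish times are constructed sample data, the function names are hypothetical, and the publish-time map is assumed to have been collected separately with `npm view <name> time --json`.

```javascript
// Added example: constructed data only, not CISA indicators or real package versions.
// Window from the article: April 10 to May 11, 2026 inclusive (end bound is exclusive).
const WINDOW = { start: Date.parse('2026-04-10T00:00:00Z'), end: Date.parse('2026-05-12T00:00:00Z') };

// Collect every @tanstack entry from a parsed package-lock.json.
// lockfileVersion 2/3: flat "packages" map keyed by install path.
// lockfileVersion 1: nested "dependencies" tree.
function tanstackEntries(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf('node_modules/');
    if (i === -1) continue; // root project or workspace entry
    const name = meta.name || path.slice(i + 'node_modules/'.length);
    if (name.startsWith('@tanstack/')) found.push({ name, version: meta.version, path });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name.startsWith('@tanstack/')) found.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`); // transitive copies matter too
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

// publishTimes: { "<name>": { "<version>": ISO timestamp } }, the shape of
// `npm view <name> time --json` output (assumed to be fetched per package).
function flagInWindow(entries, publishTimes, win = WINDOW) {
  return entries.map((e) => {
    const iso = (publishTimes[e.name] || {})[e.version] || null;
    const t = iso ? Date.parse(iso) : NaN;
    let status = 'unknown'; // no publish time on record: review by hand
    if (!Number.isNaN(t)) status = t >= win.start && t < win.end ? 'in-window' : 'outside';
    return { ...e, published: iso, status };
  });
}

// Constructed sample lockfile (v3) and constructed registry publish times.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@tanstack/react-router': { version: '0.0.1-example' },
  'node_modules/some-lib/node_modules/@tanstack/query-core': { version: '0.0.2-example' },
  'node_modules/@tanstack/history': { version: '0.0.3-example' },
} };
const sampleTimes = {
  '@tanstack/react-router': { '0.0.1-example': '2026-04-20T14:03:00Z' },
  '@tanstack/query-core': { '0.0.2-example': '2026-03-01T09:00:00Z' },
};
console.log(flagInWindow(tanstackEntries(sampleLock), sampleTimes));
```

Entries reported as `unknown` have no publish time in the supplied map and need a manual check rather than being treated as clean.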
