Pierluigi Paganini
May 28, 2026
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Windows Shell and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the flaws added to the catalog:
The first flaw, tracked as CVE-2026-8398, is a supply chain attack that compromised official DAEMON Tools Lite installers distributed from the vendor’s website between April and May 2026. Attackers trojanized three signed binaries after breaching AVB Disc Soft’s build or distribution systems. Because the malicious files carried legitimate code-signing certificates, the installers appeared trustworthy and could evade many security checks.
The second flaw, tracked as CVE-2026-45321, is a supply chain attack that hit 42 @tanstack npm packages after attackers abused GitHub Actions and the trusted-publisher workflow. Using cache poisoning, a pull_request_target misconfiguration, and OIDC token theft from the runner’s memory, they published 84 malicious package versions containing credential-stealing malware under TanStack’s legitimate identity.
The third issue, tracked as CVE-2026-48027, involves a malicious version of the Nx Console extension, version 18.95.0, briefly published to Visual Studio Marketplace and OpenVSX on May 19, 2026. The compromised release remained available for up to 36 minutes before removal. Nx Console 18.100.0 is clean, and users should upgrade immediately to remediate the issue.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by June 10, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
