Two supply chain poisonings, a cPanel root escalation, and a 9.3 XWiki RCE
Nx Console and TanStack were both hijacked briefly on public registries. Any cPanel user can escalate to root via LiteSpeed plugin. XWiki's REST API lets unauthenticated attackers import executable packages (CVSS 9.3). Four of today's five are exploited in the wild.
Rough day for supply chains. Poisoned versions of Nx Console (VS Code extension) and several TanStack npm packages were briefly published under trusted identities, both already exploited in the wild. On top of that, any regular cPanel user can escalate to root if you're running the LiteSpeed plugin. Five entries total, four already exploited. Let's get into it.
Today's CVEs
Sorted by urgency

CVE-2026-48027
NVD
A malicious version (18.95.0) of the Nx Console VS Code extension was published to the Visual Studio Marketplace and OpenVSX on May 19, 2026. It was live for roughly 18 minutes on Marketplace and 36 minutes on OpenVSX before being pulled. If VS Code auto-updated your extensions during that window, you may have installed a compromised build. This is a supply chain attack: the poisoned extension shipped under a trusted publisher identity.
- Included because: supply chain compromise; exploited in the wild; CVSS 9.8; widely used developer tooling
- Affected estate: any machine running VS Code or VSCodium with the Nx Console extension at version 18.95.0. The extension's marketplace id is `nrwl.angular-console`.
- How to check: run `code --list-extensions --show-versions | grep nrwl.angular-console` (use `codium` for VSCodium), or open the Extensions sidebar and read the version shown on Nx Console. You are looking for 18.95.0. The CLI lists only the profile it runs against and not extensions installed on remote hosts (SSH, WSL, containers), so check each profile and remote host that has the extension.
- Action: uninstall version 18.95.0 and install version 18.100.0. Treat the machine as exposed: rotate every secret and token the user could reach from that dev environment (cloud credentials, npm and git tokens, SSH keys, `.env` files).
- Urgency: patch immediately
- Why it matters: the compromised extension ran under your user context with full access to your workspace, credentials, and local files.
- Source: Nx advisory / Visual Studio Marketplace
Evidence trail
- NVD: View source
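For checking a fleet rather than one editor, the `code` CLI is awkward: it may not be on PATH, VSCodium ships its own binary, and each profile or remote host keeps its own extension set. The script below is an added example for this entry (not Nx's code or the page's own) that reads the extension folders directly. It assumes the standard on-disk layout, `<extensions dir>/<publisher>.<name>-<version>/package.json`, under `~/.vscode/extensions` for VS Code and `~/.vscode-oss/extensions` for VSCodium; both paths are assumptions about a default install, so pass your own roots if you relocate them.

```python
"""Find the poisoned Nx Console build (18.95.0) in VS Code and VSCodium
extension directories without relying on the `code`/`codium` CLI.

Added example; not Nx's or the page's code. Assumes the usual layout:
<extensions dir>/<publisher>.<name>-<version>/package.json, with
~/.vscode/extensions (VS Code) and ~/.vscode-oss/extensions (VSCodium).
Run it as the user whose editor you are checking.
"""
import json
from pathlib import Path
from typing import Dict, List, Optional, Tuple

EXTENSION_ID = "nrwl.angular-console"   # marketplace id of Nx Console (from the page)
COMPROMISED_VERSIONS = {"18.95.0"}      # poisoned build named in the advisory
FIXED_VERSION = "18.100.0"              # fixed build named in the advisory


def default_roots() -> List[Path]:
    """Per-user extension directories; an assumption about the default install."""
    home = Path.home()
    return [home / ".vscode" / "extensions", home / ".vscode-oss" / "extensions"]


def read_extension(ext_dir: Path) -> Optional[Tuple[str, str]]:
    """Return (extension id, version) from a folder's package.json, or None."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return None
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    publisher, name, version = data.get("publisher"), data.get("name"), data.get("version")
    if not (publisher and name and version):
        return None
    return f"{publisher}.{name}".lower(), str(version)


def classify(installed: List[Tuple[str, str]]) -> Dict[str, object]:
    """Report on Nx Console given (id, version) pairs. VS Code can keep an old
    version folder next to the current one, so a stale 18.95.0 beside a clean
    18.100.0 is still reported as present."""
    versions = sorted({v for ext_id, v in installed if ext_id == EXTENSION_ID})
    return {
        "installed": bool(versions),
        "versions": versions,
        "compromised": sorted(set(versions) & COMPROMISED_VERSIONS),
        "fixed_present": FIXED_VERSION in versions,
    }


def scan(roots: Optional[List[Path]] = None) -> Dict[str, object]:
    """Read every extension folder under the roots and classify the result."""
    installed: List[Tuple[str, str]] = []
    for root in roots if roots is not None else default_roots():
        if not root.is_dir():
            continue
        for entry in sorted(root.iterdir()):
            found = read_extension(entry)
            if found:
                installed.append(found)
    return classify(installed)


if __name__ == "__main__":
    report = scan()
    if report["compromised"]:
        print(f"COMPROMISED: Nx Console {report['compromised']} present; uninstall it and rotate secrets")
    elif report["installed"]:
        print(f"Nx Console {report['versions']} present, poisoned build not found")
    else:
        print("Nx Console not installed")
```

A stale `nrwl.angular-console-18.95.0` folder left behind after an update is still flagged on purpose: whether the poisoned build ran is a question for the rotation decision, and the folder is the evidence you want to keep.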
CVE-2026-48172
CISA KEV
Any cPanel user account on a server running the LiteSpeed cPanel Plugin can escalate to root. This is not an admin-only bug: any shared hosting customer with a regular cPanel login can run arbitrary scripts as root. Attackers are already exploiting it in the wild.
- Included because: privilege escalation to root; exploited in the wild; no access needed beyond a basic cPanel account; EPSS 92nd percentile
- Affected estate: servers running cPanel/WHM with the LiteSpeed cPanel Plugin installed.
- How to check: in WHM, check the LiteSpeed plugin version under Plugins. On the CLI, `/usr/local/lsws/conf/httpd_config.xml` confirms LiteSpeed Web Server is present; the plugin itself lives under `/usr/local/cpanel/whostmgr/docroot/cgi/lsws/`, so check the plugin version there and compare it against the fixed version in the LiteSpeed advisory.
- Action: update the LiteSpeed cPanel Plugin to the latest version via WHM. Then assume any customer account could have used this: review system logs, root's shell history, and the crontabs of root and every cPanel user for commands or scheduled jobs that a customer should not have been able to create.
- Urgency: patch immediately
- Why it matters: any cPanel user, including shared hosting customers, can get full root access to your server.
- Source: LiteSpeed advisory / CISA KEV
Evidence trail
- NVD: View source
CVE-2026-45321
CISA KEV
Malicious versions of TanStack packages were published to npm under the project's trusted identity. The poisoned packages contained credential-stealing malware. If a build pulled a compromised version, your secrets may already have been exfiltrated.
- Included because: supply chain compromise; credential-stealing malware; exploited in the wild; widely used JavaScript library ecosystem
- Affected estate: any project with TanStack packages (the `@tanstack/*` scope) anywhere in its npm dependency tree, including transitive dependencies pulled in by other libraries. Check package-lock.json or yarn.lock for recently updated TanStack versions; a review of direct dependencies alone will miss the transitive ones.
- How to check: run `npm ls --all 2>/dev/null | grep -i '@tanstack/'` (plain `npm ls` prints only top-level packages), or search your lockfiles for `@tanstack/` entries. Compare the pinned versions against the list of compromised versions in the TanStack advisory. Check CI caches and build images too, since they may have installed the packages during the window even if no lockfile in git changed.
- Action: remove compromised TanStack versions, pin to known-good releases, clear your npm cache (`npm cache clean --force`), and rotate every credential that was present in the build or dev environment (npm tokens, CI secrets, cloud keys).
- Urgency: patch immediately
- Why it matters: the malicious packages steal credentials from your build and dev environments, giving attackers access to your infrastructure.
- Source: TanStack advisory / npm security
Evidence trail
- NVD: View source
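Grepping a lockfile finds the scope but not the exact pinned versions, and `npm ls` needs `node_modules` installed. The script below is an added example for this entry (not TanStack's code or the page's own) that parses `package-lock.json` (lockfileVersion 2/3 `packages` map, with a fallback for v1 `dependencies`) and classic `yarn.lock`, then intersects what is pinned with a compromised-version list. The list must come from the TanStack advisory; the one in the script and the sample lockfiles are constructed placeholders and do not name any real compromised release.

```python
"""List every @tanstack/* package pinned in package-lock.json or yarn.lock and
flag versions that appear in a caller-supplied compromised set.

Added example, not TanStack's or the page's code. The compromised versions
must come from the TanStack advisory; EXAMPLE_COMPROMISED and the sample
lockfiles below are constructed placeholders. Assumes lockfile v2/v3 keys of
the form "node_modules/@tanstack/<name>" and classic yarn.lock entries of the
form '"@tanstack/<name>@<range>":' followed by an indented 'version "x"'.
"""
import json
import re
from typing import Dict, Set

SCOPE = "@tanstack/"


def tanstack_from_package_lock(text: str) -> Dict[str, Set[str]]:
    """{package: {versions}} for @tanstack packages in a package-lock.json."""
    lock = json.loads(text)
    found: Dict[str, Set[str]] = {}
    # lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
    # "node_modules/@tanstack/react-query" or a nested
    # "node_modules/legacy-widget/node_modules/@tanstack/query-core"
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name.startswith(SCOPE) and meta.get("version"):
            found.setdefault(name, set()).add(meta["version"])

    def walk(deps: dict) -> None:  # lockfileVersion 1 nests dependencies recursively
        for name, meta in deps.items():
            if name.startswith(SCOPE) and meta.get("version"):
                found.setdefault(name, set()).add(meta["version"])
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


YARN_HEADER = re.compile(r'^"?(@tanstack/[^@"]+)@[^:]*:\s*$')
YARN_VERSION = re.compile(r'^\s+version\s+"?([^"\s]+)"?\s*$')


def tanstack_from_yarn_lock(text: str) -> Dict[str, Set[str]]:
    """{package: {versions}} for @tanstack packages in a classic (v1) yarn.lock."""
    found: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        m = YARN_HEADER.match(line)
        if m:                       # start of an @tanstack entry
            current = m.group(1)
            continue
        if not line.startswith(" "):  # blank line or a non-tanstack entry header
            current = None
            continue
        v = YARN_VERSION.match(line)
        if current and v:
            found.setdefault(current, set()).add(v.group(1))
    return found


def flag_compromised(found: Dict[str, Set[str]], compromised: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Intersect what the lockfile pins with the advisory's compromised versions."""
    return {name: found[name] & compromised[name]
            for name in found if found[name] & compromised.get(name, set())}


# Constructed sample lockfiles; versions here are illustrative only.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},
        "node_modules/@tanstack/react-query": {"version": "5.50.0"},
        "node_modules/@tanstack/query-core": {"version": "5.50.0"},
        "node_modules/react": {"version": "18.3.1"},
        "node_modules/legacy-widget/node_modules/@tanstack/query-core": {"version": "9.9.9-poisoned-example"},
    },
})

SAMPLE_YARN_LOCK = '''# yarn lockfile v1

"@tanstack/react-query@^5.0.0", "@tanstack/react-query@^5.40.0":
  version "5.50.0"
  dependencies:
    "@tanstack/query-core" "5.50.0"

"@tanstack/query-core@5.50.0":
  version "5.50.0"

"@tanstack/query-core@9.9.9-poisoned-example":
  version "9.9.9-poisoned-example"

react@^18.0.0:
  version "18.3.1"
'''

# Placeholder only: replace with the versions listed in the TanStack advisory.
EXAMPLE_COMPROMISED = {"@tanstack/query-core": {"9.9.9-poisoned-example"}}

if __name__ == "__main__":
    for label, found in (("package-lock.json", tanstack_from_package_lock(SAMPLE_PACKAGE_LOCK)),
                         ("yarn.lock", tanstack_from_yarn_lock(SAMPLE_YARN_LOCK))):
        print(label, {k: sorted(v) for k, v in found.items()},
              "flagged:", flag_compromised(found, EXAMPLE_COMPROMISED))
```

The nested `legacy-widget` entry in the sample is the case a top-level review misses: the compromised version is pinned three levels down by another library, not in your own `package.json`. Run the two parsers over every lockfile in the repo and in any CI cache, not just the root one.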
CVE-2026-8398
CISA KEV
Daemon Tools Lite has a vulnerability with high impact on confidentiality, integrity, and availability. Details are thin, but it is tagged as exploited in the wild. Because Daemon Tools installs kernel-level drivers for virtual disk mounting, a bug here could give an attacker deep system access.
- Included because: exploited in the wild; high impact on confidentiality, integrity, and availability; kernel-level driver software
- Affected estate: Windows endpoints with Daemon Tools Lite installed.
- How to check: check installed programs in Settings > Apps, or query your software inventory/endpoint management tool for Daemon Tools Lite.
- Action: update to the latest patched version of Daemon Tools Lite, or uninstall it if it is not needed.
- Urgency: patch within 24 hours
- Why it matters: Daemon Tools installs kernel drivers. A vulnerability here can give attackers elevated access to the entire system.
- Source: Vendor advisory
Evidence trail
- NVD: View source
CVE-2026-33137
GitHub
An unauthenticated attacker can import XAR packages into XWiki through the REST API endpoint `/wikis/{wikiName}`. No login is required. XAR imports can carry executable scripts, so this is effectively unauthenticated remote code execution on your wiki. CVSS 9.3, though no confirmed exploitation in the wild yet.
- Included because: unauthenticated; internet-facing; CVSS 9.3; effectively RCE via XAR import
- Affected estate: XWiki Platform instances with the xwiki-platform-rest-server component. Check your Maven dependencies or the XWiki installation.
- How to check: look for `xwiki-platform-rest-server` in your pom.xml or the installed extensions list. Send an unauthenticated GET to `/rest/wikis/` (under the wiki's context path) to confirm the REST API is reachable without credentials; a 200 with an XML or JSON body means it is, while a 401 or 403 means a proxy or auth layer is already in front of it.
- Action: upgrade xwiki-platform-rest-server to the patched version. As a stopgap, restrict or block unauthenticated access to `/rest/wikis/` at the reverse proxy. An import is a write, so if other integrations depend on anonymous REST reads, denying every method except GET on `/rest/wikis/` is a narrower stopgap than blocking the path outright. Either way, re-run the same anonymous request afterwards to confirm the block actually took effect.
- Urgency: patch within 24 hours
- Why it matters: unauthenticated attackers can import executable content into your wiki, leading to full server compromise.
- Source: XWiki security advisory / NVD
Evidence trail
- NVD: View source
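The exposure check and the post-stopgap verification are the same anonymous request, so it is worth scripting once and running it against every XWiki host you own. The probe below is an added example for this entry (not XWiki's code or the page's own): it sends one unauthenticated GET to `<base>/rest/wikis/` and classifies the answer, and never attempts an import. To run offline it starts a small local HTTP server that imitates the responses you can get from a real instance (200 with XML when the API is open, 401 when something is gating it, 404 when the path is absent or blocked); that fake server and its XML body are constructed, and the base URL you pass in should include the context path of your deployment (commonly `/xwiki`, an assumption, not something the page states).

```python
"""Probe XWiki hosts for a REST API reachable without credentials.

Added example, not XWiki's or the page's code. probe() sends one anonymous
GET to <base_url>/rest/wikis/ and classifies the status; it does not import
anything. demo() runs the probe against a constructed local server that
imitates an exposed, a gated and a missing REST root, so the script works
offline; replace the URLs with your own instances (context path included).
"""
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict, Iterable, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

REST_WIKIS = "/rest/wikis/"   # REST root named in the entry's "How to check"


def probe(base_url: str, timeout: float = 5.0) -> Tuple[str, int]:
    """Anonymous GET to <base_url>/rest/wikis/. Returns (verdict, HTTP status):
    'exposed'       200 with an XML/JSON body, i.e. the API answers without auth
    'unexpected-200' 200 but not XML/JSON (e.g. redirected to an HTML login page)
    'auth-required' 401/403, something is already gating the REST root
    'not-found'     404, REST module absent or path blocked upstream
    'unreachable'   no HTTP answer at all"""
    url = base_url.rstrip("/") + REST_WIKIS
    req = Request(url, headers={"Accept": "application/xml", "User-Agent": "xwiki-rest-probe"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            status, ctype = resp.status, resp.headers.get("Content-Type", "")
    except HTTPError as e:
        status, ctype = e.code, ""
    except URLError:
        return "unreachable", 0
    if status == 200 and ("xml" in ctype or "json" in ctype):
        return "exposed", status
    if status == 200:
        return "unexpected-200", status
    if status in (401, 403):
        return "auth-required", status
    if status == 404:
        return "not-found", status
    return "other", status


def probe_all(base_urls: Iterable[str]) -> Dict[str, Tuple[str, int]]:
    """Probe several base URLs and return {base_url: (verdict, status)}."""
    return {u: probe(u) for u in base_urls}


class _FakeXWiki(BaseHTTPRequestHandler):
    """Constructed stand-in: /exposed is open, /gated demands auth, rest is 404."""

    def do_GET(self):
        if self.path == "/exposed" + REST_WIKIS:
            body = b'<wikis xmlns="http://www.xwiki.org"></wikis>'  # constructed body
            self.send_response(200)
            self.send_header("Content-Type", "application/xml")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.path == "/gated" + REST_WIKIS:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="XWiki"')
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo() -> Dict[str, Tuple[str, int]]:
    """Start the fake server on a free loopback port, probe it, shut it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _FakeXWiki)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        return {
            "exposed": probe(base + "/exposed"),
            "gated": probe(base + "/gated"),
            "missing": probe(base + "/nowiki"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (verdict, status) in demo().items():
        print(f"{name:8s} -> {verdict} (HTTP {status})")
```

The `unexpected-200` verdict exists because `urlopen` follows redirects: a proxy that bounces anonymous requests to an HTML login form still returns 200, and counting that as "exposed" would send you chasing a host that is actually protected. Only an XML or JSON answer at the REST root is the exposure the entry describes.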