When the update itself becomes an entry point
6 Min. read time
On May 11, six minutes were all it took. In that window, attackers slipped 84 tampered versions into 42 widely used developer packages-each carrying a credential-stealing payload. Anyone using these packages unknowingly downloaded the malware with their next update. Three such cases landed in the U.S. agency CISA’s warning catalog in May alone.
Key Takeaways
- Trusted tools became attack vectors. TanStack, Daemon Tools, and Nx Console distributed malicious code via routine updates in May. CISA flagged all three as actively exploited.
- Even non-developers are at risk. Nearly every business application is built on third-party components. The threat enters through the supply chain-not your front door.
- NIS2 turns supply chain security into an executive priority. Companies covered by the directive must integrate supplier and software-component security into risk management. An inventory is the first-and cheapest-step.
Related:NIS2 Implementation: Checklist for SMEs / RegTech: Mastering Compliance Risks
How Familiar Tools Became a Gateway for Attacks
What is a supply chain attack? In a supply chain attack, perpetrators don’t target the company directly-instead, they manipulate a piece of software or a tool that the company trusts. The malicious code slips in unnoticed via the next routine update, infiltrating countless systems at once. A single compromised update channel can reach thousands of businesses in one go.
The three incidents in May illustrate this pattern in its purest form. At TanStack, a widely used collection of web development components, attackers hijacked the automated GitHub publishing workflow and released dozens of poisoned versions within minutes. For Daemon Tools Lite, the official installers were tampered with for weeks, disguised with a valid code-signing certificate. And with Nx Console, a plugin for development environments, a malicious version briefly appeared in the official marketplace.
The insidious part is the disguise. Each of these vectors looked like business as usual: a signed installer, a marketplace listing, a version update. Anyone who’s ever managed a software environment knows these updates typically sail through without a second glance. Here’s the sobering timeline:
Why This Affects Mid-Sized Companies That Don’t Develop Software Themselves
The most common knee-jerk reaction among mid-sized businesses is: “We don’t write code, so this doesn’t concern us.” That assumption is misleading. Inventory management, customer portals, accounting integrations-nearly every modern business software is pieced together from third-party components. If you had a web application built by an agency, chances are your systems already contain packages from the same ecosystem that spawned the compromised TanStack versions.
The attack infiltrates your company through suppliers and their software, often long before anyone considers a direct breach. This supply chain is rarely documented in mid-sized firms. No one keeps a list of which third-party software runs in which system. Attackers exploit this blind spot, as a tainted library can remain invisible until someone actively hunts for it.
Regulatory pressure adds another layer. The NIS2 Directive now subjects a large portion of mid-sized businesses to mandatory cybersecurity obligations-and explicitly targets the supply chain. Companies must account for the security of their software components and service providers, not just their own firewalls. An incident like the TanStack breach is no longer just an IT headache; it’s a question of due diligence, with executive leadership ultimately held accountable.
What Mid-Sized Companies Can Do Now
The good news: You don’t need a corporate-level security team to reduce your core risk. Four steps-feasible even for businesses with tight resources-cover the bulk of what matters.
None of these steps are expensive, and none require specialized knowledge. The real effort lies in taking a close look where no one was previously responsible. That’s the difference between a company that detects a supply chain attack and one that only learns about it from the news.
The May wave is unlikely to be the last. Attacks on the software supply chain are cheap, scale to thousands of victims at once, and hit both prepared and unprepared businesses. The difference only emerges afterward-when the question becomes whether anyone knows their own inventory.
Frequently Asked Questions
What happened in the attacks on TanStack, Daemon Tools, and Nx Console?
In all three cases, attackers injected malicious code through legitimate distribution channels: hijacked release workflows at TanStack, tampered signed installers for Daemon Tools, and a malicious extension on the official marketplace for Nx Console. CISA listed all three as actively exploited vulnerabilities at the end of May.
Does this affect SMEs that don’t develop software in-house?
Yes. Nearly every business application contains third-party components, and purchased or agency-built software uses the same packages that were compromised here. The risk enters through the supply chain, regardless of whether your company does its own development.
What does NIS2 have to do with software supply chains?
NIS2 explicitly requires affected companies to include the security of their supply chain and direct service providers in their risk management. This means knowing the software components you use and being able to assess their origin. Violations can hold management liable, so the issue doesn’t stop at the IT department.
How can I tell if my company is affected?
The first step is creating an inventory of the software and libraries you use. This lets you check whether affected versions are in use. If you work with an external agency, ask them specifically about the packages they use and the installed versions.
How much does securing the supply chain cost an SME without a large security team?
The most effective steps are affordable: a software inventory, a disciplined approach to updates, and hardened access with mandatory two-factor authentication. The real cost isn’t the measures-it’s the incident nobody noticed.
Editor’s Picks
- Cybersecurity Boom: How NIS2 is Driving Germany’s Security Sector
- Stanford AI Index 2026: What SMEs Must Rethink About Risk Measurement
- Cloud vs. On-Prem: The Bottom Line
More from the MBF Media Network
Image source: Cover and article images AI-generated (May 2026), C2PA certificate embedded in images

