Laptop mit unscharfem Code auf dem Bildschirm, Hand am Touchpad, Kaffee und Unterlagen am Schreibtisch
08.06.2026

When the update itself becomes an entry point

6 Min. read time

On May 11, six minutes were all it took. In that window, attackers slipped 84 tampered versions into 42 widely used developer packages-each carrying a credential-stealing payload. Anyone using these packages unknowingly downloaded the malware with their next update. Three such cases landed in the U.S. agency CISA’s warning catalog in May alone.

Key Takeaways

  • Trusted tools became attack vectors. TanStack, Daemon Tools, and Nx Console distributed malicious code via routine updates in May. CISA flagged all three as actively exploited.
  • Even non-developers are at risk. Nearly every business application is built on third-party components. The threat enters through the supply chain-not your front door.
  • NIS2 turns supply chain security into an executive priority. Companies covered by the directive must integrate supplier and software-component security into risk management. An inventory is the first-and cheapest-step.

Related:NIS2 Implementation: Checklist for SMEs  /  RegTech: Mastering Compliance Risks

How Familiar Tools Became a Gateway for Attacks

What is a supply chain attack? In a supply chain attack, perpetrators don’t target the company directly-instead, they manipulate a piece of software or a tool that the company trusts. The malicious code slips in unnoticed via the next routine update, infiltrating countless systems at once. A single compromised update channel can reach thousands of businesses in one go.

The three incidents in May illustrate this pattern in its purest form. At TanStack, a widely used collection of web development components, attackers hijacked the automated GitHub publishing workflow and released dozens of poisoned versions within minutes. For Daemon Tools Lite, the official installers were tampered with for weeks, disguised with a valid code-signing certificate. And with Nx Console, a plugin for development environments, a malicious version briefly appeared in the official marketplace.

The insidious part is the disguise. Each of these vectors looked like business as usual: a signed installer, a marketplace listing, a version update. Anyone who’s ever managed a software environment knows these updates typically sail through without a second glance. Here’s the sobering timeline:

The Supply Chain Surge in May
May 11
TanStack: 84 tampered versions across 42 npm packages, published via a hijacked automated workflow. Included a credential stealer.
May 18/19
Nx Console: a malicious version of the developer plugin briefly appeared in the official marketplace and on OpenVSX.
April–May
Daemon Tools Lite: official installers were tampered with for weeks, disguised with a valid code-signing certificate.
May 27
CISA adds all three incidents to its catalog of known exploited vulnerabilities and sets a deadline for U.S. agencies to take action.

Why This Affects Mid-Sized Companies That Don’t Develop Software Themselves

The most common knee-jerk reaction among mid-sized businesses is: “We don’t write code, so this doesn’t concern us.” That assumption is misleading. Inventory management, customer portals, accounting integrations-nearly every modern business software is pieced together from third-party components. If you had a web application built by an agency, chances are your systems already contain packages from the same ecosystem that spawned the compromised TanStack versions.

The attack infiltrates your company through suppliers and their software, often long before anyone considers a direct breach. This supply chain is rarely documented in mid-sized firms. No one keeps a list of which third-party software runs in which system. Attackers exploit this blind spot, as a tainted library can remain invisible until someone actively hunts for it.

84
malicious package versions were injected by attackers into 42 widely used developer packages in just six minutes on May 11.
Source: TanStack post-mortem, Snyk analysis

Regulatory pressure adds another layer. The NIS2 Directive now subjects a large portion of mid-sized businesses to mandatory cybersecurity obligations-and explicitly targets the supply chain. Companies must account for the security of their software components and service providers, not just their own firewalls. An incident like the TanStack breach is no longer just an IT headache; it’s a question of due diligence, with executive leadership ultimately held accountable.

What Mid-Sized Companies Can Do Now

The good news: You don’t need a corporate-level security team to reduce your core risk. Four steps-feasible even for businesses with tight resources-cover the bulk of what matters.

Four Steps Without a Corporate Budget
Create an Inventory
Document all third-party software, libraries, and developer tools in use. Without this list, you can’t contain or report an incident.
Slow Down Updates
Don’t blindly adopt the latest version. Waiting one or two days and reviewing release notes blocks most malicious releases.
Harden Access
Attackers targeted credentials and automated publishing keys. Enforce two-factor authentication, restrict publishing rights, and rotate keys regularly to close the main entry point.
Question Vendors
When purchasing or commissioning software, ask about the origin of components and the update process. NIS2 mandates this exact due diligence with suppliers.

None of these steps are expensive, and none require specialized knowledge. The real effort lies in taking a close look where no one was previously responsible. That’s the difference between a company that detects a supply chain attack and one that only learns about it from the news.

Four steps to reduce risk: Inventory, Update Pause, Review, Reporting – illustrated as an infographic with icons and short labels.
Mid-sized companies secure their IT with clear steps against software risks.

The May wave is unlikely to be the last. Attacks on the software supply chain are cheap, scale to thousands of victims at once, and hit both prepared and unprepared businesses. The difference only emerges afterward-when the question becomes whether anyone knows their own inventory.

Frequently Asked Questions

What happened in the attacks on TanStack, Daemon Tools, and Nx Console?

In all three cases, attackers injected malicious code through legitimate distribution channels: hijacked release workflows at TanStack, tampered signed installers for Daemon Tools, and a malicious extension on the official marketplace for Nx Console. CISA listed all three as actively exploited vulnerabilities at the end of May.

Does this affect SMEs that don’t develop software in-house?

Yes. Nearly every business application contains third-party components, and purchased or agency-built software uses the same packages that were compromised here. The risk enters through the supply chain, regardless of whether your company does its own development.

What does NIS2 have to do with software supply chains?

NIS2 explicitly requires affected companies to include the security of their supply chain and direct service providers in their risk management. This means knowing the software components you use and being able to assess their origin. Violations can hold management liable, so the issue doesn’t stop at the IT department.

How can I tell if my company is affected?

The first step is creating an inventory of the software and libraries you use. This lets you check whether affected versions are in use. If you work with an external agency, ask them specifically about the packages they use and the installed versions.

How much does securing the supply chain cost an SME without a large security team?

The most effective steps are affordable: a software inventory, a disciplined approach to updates, and hardened access with mandatory two-factor authentication. The real cost isn’t the measures-it’s the incident nobody noticed.

Editor’s Picks

Image source: Cover and article images AI-generated (May 2026), C2PA certificate embedded in images

Also available in

A magazine by evernine media GmbH
The decision-maker magazine for the DACH mid-market