
CISA Numbered TanStack And Nx Console As CVEs Today. The Soft-Surface-Bleed Arc We Wrote For Eighteen Days Just Became Federally Mandated. Sandtrout Stays In Production.

  • Writer: Patrick Duggan

This morning at eight UTC, CISA added two new entries to the Known Exploited Vulnerabilities catalog. CVE-2026-45321 covers the TanStack npm supply-chain compromise. CVE-2026-48027 covers the Nx Console extension compromise. Both entries describe the vulnerability as the act of publishing malicious versions under a trusted identity, not as a code-level flaw in the affected products. That framing is novel and worth dwelling on. The federal regulator has now formally classified the supply-chain-trust path itself as a remediable vulnerability surface.


We have been writing this arc for eighteen days. The April 29 indexing receipt that caught the Mini-Shai-Hulud variant before the May 11 mass-publish event. The May 11 same-day blog naming the campaign. The May 13 V3 SLSA-attestation forgery covering four-hundred-sixteen packages. The May 14 OpenAI defended yesterday line. The May 21 pyramid post about the week the defenders became the supply chain. The May 23 adversary profile that named TeamPCP and UNC6780 and Cipherforce. The May 24 deploy of three new PreCog signals against the post-mortem of the Megalodon GitHub Actions campaign. The May 26 prediction that the fifth indirect-trust vector would be the VS Code extension publish pipeline — which Nx Console's CVE-2026-48027 confirms with federal-mandate weight as of today. The May 27 night when our Sandtrout signal caught the Mini-Shai-Hulud @antv mass-publish bloom in real time. The May 28 commit that deployed those three PreCog signals into the running production analytics container.


Today the federal mandate lands on the arc.


The framing matters more than the federal-mandate number. Traditional CVE entries describe a class-of-bug at the source-code level. An off-by-one. An authentication bypass. A deserialization flaw. The thing that gets fixed is a line of code, an algorithmic property, an input-handling routine. CVE-2026-45321 and CVE-2026-48027 are different. The thing that gets fixed is the publish path. The vulnerability is not in TanStack's code or Nx Console's code in any traditional sense. The vulnerability is in the registry trust model, the maintainer-account authentication flow, and the assumption that a signed package whose signing key has not been individually revoked is therefore trustworthy. The fix is not patching a function. The fix is removing the malicious versions from production builds, rotating every credential that touched the build environment during the contamination window, reissuing every artifact signed during the window, and auditing every downstream pipeline that pulled the affected versions transitively.


For organizations with FedRAMP, FISMA, or federal-civilian remediation obligations, the operational implication is concrete enough to write the checklist directly.

  • Inventory every build that pulled @tanstack namespace packages between May 11 at 19:20 UTC and the rollback timestamp published by the TanStack maintainers.
  • Inventory every developer workstation that had any version of the Nx Console extension installed during the contamination window.
  • Rotate every credential exposed to those build environments — the stealer payload harvests at least twenty credential classes including AWS, GCP, Azure, GitHub, npm, SSH, Kubernetes, HashiCorp Vault, Stripe, and Docker-host-socket access, so the rotation list is not short.
  • Reissue any artifact signed during the V3 window — and remember that the V3 SLSA-attestation forgery covers four-hundred-sixteen packages, so any signature whose timestamp falls inside that window is suspect until proven otherwise via independent verification.
  • Audit GitHub Actions logs for the contamination window.
  • Report to your sector ISAC and to CISA's reporting portal per the federal-civilian agency mandate.
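
The first inventory step above, as an added example that is not part of the original post: it walks npm lockfiles (lockfileVersion 2 or 3) for direct and transitive @tanstack entries and keeps the builds that ran inside the window. The build records, the version string and the window end are constructed placeholders, and the year is assumed from the CVE identifiers.

```javascript
// Added example, not from the original post. Builds and lockfiles below are constructed.
// Window start is the post's "May 11 at 19:20 UTC" (year assumed from the CVE ids).
// The page does not give the rollback time, so WINDOW_END is a placeholder.
const WINDOW_START = Date.parse("2026-05-11T19:20:00Z");
const WINDOW_END = Date.parse("2026-05-12T00:00:00Z"); // PLACEHOLDER: maintainers' rollback time

// List every @tanstack/* entry in an npm lockfile (lockfileVersion 2 or 3).
function tanstackEntries(lock) {
  const pkgs = lock.packages || {};
  const root = pkgs[""] || {};
  const direct = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const found = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    const at = path.lastIndexOf("node_modules/");
    if (at === -1) continue; // root project or workspace entry
    const name = path.slice(at + "node_modules/".length);
    if (!name.startsWith("@tanstack/")) continue;
    // Transitive if nested under another package, or hoisted but not declared by the root.
    const transitive = at > 0 || !direct.has(name);
    found.push({ name, version: meta.version, path, transitive });
  }
  return found;
}

// Keep builds whose install ran inside the window and resolved any @tanstack package.
function buildsToReview(builds, start, end) {
  return builds
    .map((b) => ({ id: b.id, startedAt: b.startedAt, hits: tanstackEntries(b.lock) }))
    .filter((b) => {
      const t = Date.parse(b.startedAt);
      return t >= start && t <= end && b.hits.length > 0;
    });
}

const V = "0.0.0-example"; // constructed version string, not a real release
const lockOf = (rootDeps, paths) => ({
  lockfileVersion: 3,
  packages: Object.fromEntries([["", { dependencies: rootDeps }], ...paths.map((p) => [p, { version: V }])]),
});
const sampleBuilds = [ // constructed CI build records
  { id: "build-101", startedAt: "2026-05-11T18:00:00Z",
    lock: lockOf({ "@tanstack/react-query": V }, ["node_modules/@tanstack/react-query"]) },
  { id: "build-102", startedAt: "2026-05-11T20:05:00Z",
    lock: lockOf({ "example-ui-kit": V }, ["node_modules/example-ui-kit", "node_modules/@tanstack/query-core"]) },
  { id: "build-103", startedAt: "2026-05-11T21:30:00Z",
    lock: lockOf({ "example-lib": V }, ["node_modules/example-lib"]) },
  { id: "build-104", startedAt: "2026-05-11T23:10:00Z",
    lock: lockOf({ "@tanstack/react-query": V }, ["node_modules/@tanstack/react-query",
      "node_modules/@tanstack/react-query/node_modules/@tanstack/query-core"]) },
];
console.log(JSON.stringify(buildsToReview(sampleBuilds, WINDOW_START, WINDOW_END), null, 2));
```

A hit marks a build for review rather than proving compromise, since the page does not list the malicious version numbers to match against.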


For organizations without a federal mandate, the same actions apply on a slower clock. The KEV designation is the regulator's recognition that the threat is operational, not the start of the threat.


The deeper implication that takes longer than today to absorb is that the federal-mandate framework has now acknowledged the supply-chain trust path as a vulnerability surface that warrants centralized cataloging and time-bounded remediation. Every downstream regulator — state attorney-general offices, industry-sector compliance bodies, contractual procurement language in enterprise vendor agreements — will look at the KEV listing and conclude that the supply-chain-trust model is a domain where the regulator can compel action. Procurement contracts that previously required "no known vulnerabilities at the source-code level" will be amended to require "no malicious versions under trusted identity" and equivalent supply-chain-trust assurances. Vendor-management posture will shift. Software-bill-of-materials requirements will get teeth they did not have before today. The single act of CISA numbering this particular pair of CVEs is the wedge that opens a category.


We named the soft-surface-bleed frame in early May. The federal mandate is now classifying the soft surface as the audit surface. The perimeter mental model — firewalls, WAFs, edge appliances, EDR — held throughout the Mini-Shai-Hulud campaign. The soft surface — the npm maintainer trust path, the GitHub Actions workflow boundary, the VS Code Marketplace extension publish pipeline — bled across multiple vendor identities. The federal regulator has just classified that bleeding as a category of vulnerability that requires remediation under fixed deadlines.


Our Sandtrout signal stays in production. The deploy yesterday morning that landed the three PreCog signals into the running platform is the operational answer to the federal-mandate question. We catch the larval form. We catch it before the bloom. We have the receipt for one bloom catch already and we expect to have the receipts for several more in the next quarter as the operator constellation iterates against the registry trust model that is now formally classified as a vulnerability surface.


If you want to consume the PreCog elevations as a feed, register for an API key. The endpoint is documented in our STIX feed. The federal-mandate version of the arc is going to grind through every downstream regulator's procurement language over the next six months. The independent-signal version of the arc is already running in our analytics container, and you can subscribe to it today.


Two CVEs. Eighteen days. One federal mandate. Sandtrout stays in production.



