The three flaws aren't new code bugs so much as poisoned distribution. DAEMON Tools Lite (CVE-2026-8398) shipped trojanized installers — signed with legitimate certificates — after someone breached the vendor's build pipeline. TanStack (CVE-2026-45321) is the npm campaign the digest has tracked for weeks: attackers abused a trusted-publisher GitHub Actions workflow to push 84 malicious versions across the router packages under TanStack's own identity. Nx Console (CVE-2026-48027) is the newcomer here — a booby-trapped extension build sat on the Visual Studio Marketplace and OpenVSX for barely half an hour, which was long enough. What changed on the 27th is the federal mandate. KEV listing means civilian agencies now have a hard deadline to remove or remediate, and it's the clearest signal yet that these campaigns moved past proof-of-concept into real exploitation. If you pulled any of these — the DAEMON installer between April and May, a TanStack router update, or that Nx Console build — assume harvested tokens and rotate. Signed binaries and a trusted publisher badge bought the attackers exactly the trust they needed.
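For the TanStack case, a quick way to see whether a project ever resolved one of the router packages is to walk its lockfile. This is an added example, not code from the digest or from TanStack; it assumes "router packages" means names under `@tanstack/` containing `router`, and the sample lockfile, the `some-ui` dependency and all version strings are constructed placeholders to be replaced with the advisory's affected-version list.

```javascript
// Triage a parsed package-lock.json for TanStack router packages.
// Assumption: "router packages" = names under @tanstack/ that contain "router".
const isRouterPkg = (name) => name.startsWith("@tanstack/") && name.includes("router");

// Collect every resolved copy, including nested (transitive) installs.
function findRouterInstalls(lock, flagged = {}) {
  const hits = [];
  const record = (name, version, where) => {
    if (!isRouterPkg(name) || !version) return;
    const bad = (flagged[name] || []).includes(version);
    hits.push({ name, version, where, flagged: bad });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // root project or workspace entry, not an install
    record(meta.name || path.slice(i + "node_modules/".length), meta.version, path);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      record(name, meta.version, trail + name);
      walk(meta.dependencies, trail + name + " > ");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile; versions are placeholders, not advisory data.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@tanstack/react-router": { version: "0.0.1-placeholder" },
    "node_modules/some-ui/node_modules/@tanstack/router-core": { version: "0.0.2-placeholder" },
    "node_modules/@tanstack/react-query": { version: "0.0.3-placeholder" },
  },
};
// Fill from the advisory's affected-version list (not given on this page).
const sampleFlagged = { "@tanstack/router-core": ["0.0.2-placeholder"] };

const report = findRouterInstalls(sampleLock, sampleFlagged);
for (const h of report) {
  console.log(`${h.flagged ? "ROTATE" : "review"}  ${h.name}@${h.version}  (${h.where})`);
}
```

Run it against `JSON.parse` of each repository's real `package-lock.json`; nested hits matter because a transitive dependency can pull in a router package the project never lists itself.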