The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, with an unusual composition that underscores a growing trend: attackers are increasingly targeting the software development toolchain itself.
The update, reported by Security Affairs, covers flaws in Daemon Tools, the TanStack JavaScript library, and the Nx Console IDE extension — a mix that spans both traditional desktop utilities and modern frontend developer tooling.
The Three Flaws
The vulnerabilities added to the catalog include:
- CVE-2024-26782 — a directory traversal flaw in Daemon Tools, a long-standing Windows disk-imaging utility used by millions of end users and IT professionals alike.
- CVE-2024-29001 — a prototype pollution vulnerability in TanStack, a widely adopted suite of open-source JavaScript libraries used for building React and Solid applications. Prototype pollution is a JavaScript-specific attack vector where an attacker manipulates an object's prototype properties, potentially allowing them to inject malicious code or alter application behaviour at runtime.
- CVE-2024-35282 — a command injection flaw in Nx Console, a popular Visual Studio Code extension that provides integration with the Nx monorepo build system.
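As an added illustration of the prototype-pollution class described in the TanStack entry above (generic JavaScript written for this page, not TanStack's code or the fix for CVE-2024-29001), a recursive merge that can be polluted, beside a hardened version that refuses prototype-chain keys; `pollutionCheck` is a constructed harness that feeds both a JSON-shaped input and reports whether an unrelated object inherited the injected flag.

```javascript
// Added illustration of the prototype-pollution bug class. Generic code, not
// TanStack's implementation or the patch for CVE-2024-29001.

// Vulnerable: recursively copies keys from `src` into `target`. Nothing stops a key
// named "__proto__", so the recursion walks into Object.prototype and every plain
// object in the process silently inherits whatever the input contained.
function unsafeMerge(target, src) {
  for (const key in src) {
    const value = src[key];
    if (typeof value === "object" && value !== null) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, never the three names that reach the prototype chain,
// and recursion only into plain objects that `target` itself owns.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isPlainObject = (v) =>
  v !== null && typeof v === "object" && Object.getPrototypeOf(v) === Object.prototype;

function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed check: merge a JSON-shaped input through `mergeFn`, then see whether a
// fresh, unrelated object carries the injected flag. Cleans up so it can be repeated.
function pollutionCheck(mergeFn) {
  const input = JSON.parse('{"__proto__": {"isAdmin": true}}');
  mergeFn({}, input);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}
```

The same `__proto__` key that `unsafeMerge` follows into `Object.prototype` is simply skipped by `safeMerge`, which is why an `npm audit` or Snyk finding for this class should be treated as affecting every object in the process, not just the merged one.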
Why Developer Tools in KEV Matter
A KEV listing carries significant regulatory weight. Under Binding Operational Directive (BOD) 22-01, all U.S. federal civilian agencies are required to remediate catalogued vulnerabilities within specified deadlines. But the implications extend well beyond the federal sector — the catalog serves as a de facto reference list for vulnerability prioritisation across the private sector globally.
What makes this particular batch noteworthy is the presence of TanStack and Nx Console. JavaScript libraries and IDE extensions are not the kind of products typically associated with KEV additions, which have historically skewed toward enterprise infrastructure software such as Microsoft Exchange, Cisco networking gear, or Citrix gateways.
The inclusion of these tools signals that threat actors are moving upstream in the software supply chain — targeting the environments where developers write, build, and ship code rather than waiting to exploit the applications those developers produce.
Practical Guidance for Teams
Organisations should take the following steps in light of this update:
- Inventory affected software. Scan development workstations and CI/CD environments for installations of Daemon Tools, TanStack library dependencies (particularly via npm lockfiles), and the Nx Console VS Code extension.
- Apply vendor patches. Each of the three vendors has released updated versions addressing the respective flaws. Upgrading should be the first remediation action.
- Audit JavaScript dependency trees. Prototype pollution in a library like TanStack can have cascading effects across downstream applications. Teams should use tools such as npm audit or Snyk to identify transitive exposure.
- Extend vulnerability management to developer environments. Traditional vulnerability scanning often overlooks IDE extensions and frontend build tooling. This KEV update is a reminder that those blind spots carry real risk.
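One way to carry out the inventory and dependency-tree steps above for the TanStack case, as an added example that is not from the article: a small Node.js script that walks an npm package-lock.json (lockfileVersion 2 or 3) and lists every installed copy of a package family, including transitive copies nested under other dependencies. `SAMPLE_LOCK` and the versions in it are constructed placeholders, not statements about any real release.

```javascript
// Added example: enumerate every copy of a scoped package family (here @tanstack/*)
// in an npm package-lock.json. SAMPLE_LOCK is constructed data with placeholder versions.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@tanstack/react-query": "^5.0.0", "some-ui-kit": "^2.1.0" } },
    "node_modules/@tanstack/react-query": { version: "5.12.2" },
    "node_modules/@tanstack/query-core": { version: "5.12.2" },
    "node_modules/some-ui-kit": { version: "2.1.0", dependencies: { "@tanstack/react-table": "^8.0.0" } },
    "node_modules/some-ui-kit/node_modules/@tanstack/react-table": { version: "8.10.7" },
    "node_modules/some-ui-kit/node_modules/@tanstack/table-core": { version: "8.10.7" },
  },
};

// The package name is whatever follows the last "node_modules/" in a lockfile key;
// nested keys like "node_modules/a/node_modules/b" are transitive copies of "b".
function packageName(lockKey) {
  const marker = "node_modules/";
  const idx = lockKey.lastIndexOf(marker);
  return idx === -1 ? lockKey : lockKey.slice(idx + marker.length);
}

// Returns [{ name, version, path, direct }] for each installed package whose name
// starts with `prefix`. `direct` is true only when the root package declares it.
function findPackages(lock, prefix) {
  const root = (lock.packages && lock.packages[""]) || {};
  const rootDeps = { ...root.dependencies, ...root.devDependencies };
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue;
    const name = packageName(key);
    if (!name.startsWith(prefix)) continue;
    hits.push({ name, version: entry.version, path: key, direct: name in rootDeps });
  }
  return hits;
}

// Distinct versions per package name: several versions of one library means several
// upgrades (or lockfile overrides) are needed, not one.
function versionsByName(hits) {
  const out = {};
  for (const h of hits) (out[h.name] = out[h.name] || new Set()).add(h.version);
  return Object.fromEntries(Object.entries(out).map(([n, s]) => [n, [...s].sort()]));
}

// CLI use: `node lockscan.js [package-lock.json]`; with no path it scans SAMPLE_LOCK.
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const h of findPackages(lock, "@tanstack/"))
    console.log(`${h.direct ? "direct    " : "transitive"} ${h.name}@${h.version}  (${h.path})`);
}
```

Transitive copies under another dependency's node_modules are the ones `npm ls` at the top level can hide, so compare each listed version against the vendor's fixed version rather than only the root package.json.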
A Broader Trend
The composition of this latest KEV update reflects a pattern security researchers have been flagging for months. From compromised npm packages to malicious VS Code extensions, the software development lifecycle has become an attractive attack surface. Developer tools often run with elevated privileges, have access to source code and secrets, and — until recently — have received far less security scrutiny than production infrastructure.
For IT and security teams, the takeaway is clear: vulnerability management programmes that stop at servers and endpoints are no longer sufficient. The tools developers use every day now demand the same level of patch discipline and monitoring as any other piece of enterprise software.
