FixVibe

// code / spotlight

TanStack ArkType Adapter Malware Advisory

Known malicious npm package versions can put CI and developer secrets at install-time risk.

Der Köder

Supply-chain malware is different from a normal dependency bug: the dangerous action can happen during installation, before the application ever starts. For @tanstack/arktype-adapter, the repo evidence that matters most is whether a project resolves to one of the malicious published versions.

So funktioniert's

The repo check looks for the npm package `@tanstack/arktype-adapter` in package manifests and lockfiles. Exact manifest declarations and lockfile-resolved versions are reported when they match 1.166.12 or 1.166.15, the affected versions listed by the TanStack and GitHub advisories.

Die Auswirkungen

If either malicious version was installed in a developer workstation or CI environment, credentials available to that install process should be treated as potentially exposed. A repo match should trigger package cleanup, cache/image rebuilds, and credential-impact review, but it is not proof that FixVibe observed exfiltration or host compromise.

// was fixvibe prüft

Was FixVibe prüft

FixVibe repo scans look for high-confidence security patterns and dependency risk in source context. Reports identify the affected area and recommended fix. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Wasserdichte Verteidigung

Upgrade @tanstack/arktype-adapter to 1.166.16 or a newer clean release, or remove it if unused. Regenerate the active lockfile from a trusted registry state, rebuild CI images, Docker layers, devcontainers, and dependency caches, then rotate install-time credentials if either malicious version was ever installed.

// lass es auf deiner eigenen App laufen

Ship weiter, während FixVibe mitwacht.

FixVibe testet die öffentliche Oberfläche deiner App so unter Druck, wie ein Angreifer es tun würde — ohne Agent, ohne Installation, ohne Karte. Wir recherchieren laufend neue Schwachstellenmuster und machen daraus praktische Checks und kopierfertige Fixes für Cursor, Claude und Copilot.

Quellcode
116
Tests in dieser Kategorie
Module
76
dedizierte quellcode-Prüfungen
pro Scan
487+
Tests über alle Kategorien
  • Kostenlos — keine Karte, keine Installation, kein Slack-Ping
  • Einfach URL einfügen — wir crawlen, prüfen und reporten
  • Findings nach Schweregrad sortiert, auf Signal dedupliziert
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Kostenlosen Scan starten

// aktuelle Checks · praktische Fixes · mit Vertrauen shippen

TanStack ArkType Adapter Malware Advisory — Vulnerability-Spotlight | FixVibe · FixVibe