Covered by FixVibe · critical

Malware in @tanstack/arktype-adapter Exfiltrates Credentials (CVE-2026-45321)

The TanStack npm supply-chain compromise included @tanstack/arktype-adapter versions 1.166.12 and 1.166.15. These package versions contained embedded malware; teams should remove them, rebuild cached install environments, and rotate credentials if either version was installed.

CVE-2026-45321 · GHSA-g7cv-rxg3-hmpx · CWE-506

On May 11, 2026, malicious versions of multiple @tanstack/* npm packages were published during the TanStack supply-chain compromise [S1][S2]. For @tanstack/arktype-adapter, the affected versions are 1.166.12 and 1.166.15, with 1.166.16 listed as the clean follow-up release [S1].

Impact

If a developer workstation or CI runner installed one of the malicious versions, credentials available to that install process should be treated as potentially exposed [S2][S3]. That can include npm tokens, GitHub tokens, cloud credentials, SSH keys, deployment secrets, and other material present in the install environment. A dependency match is therefore urgent cleanup evidence, but it is not proof that a specific scanned environment executed the package or lost secrets.

Root Cause

The advisory class is embedded malicious code (CWE-506) in compromised npm package versions [S1][S3]. The incident involved a trusted-publisher supply-chain path rather than an application bug inside customer code, so remediation focuses on removing the malicious versions, rebuilding cached install artifacts, and reviewing credential exposure for environments that performed installs.

Covered by FixVibe

FixVibe GitHub repo scans can report package.json, package-lock.json, npm-shrinkwrap.json, yarn.lock, and pnpm-lock.yaml evidence that resolves @tanstack/arktype-adapter exactly to 1.166.12 or 1.166.15 [S1]. The finding is version-based advisory evidence. FixVibe does not run npm install, execute lifecycle scripts, download package tarballs, inspect developer or CI hosts, prove exfiltration, recover stolen credentials, or confirm that a running production application installed the package.
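One way to perform the same version-based check locally, as an added example that is not FixVibe's scanner: it inspects the package-lock.json, yarn.lock and pnpm-lock.yaml formats named above and reports any entry that resolves @tanstack/arktype-adapter to 1.166.12 or 1.166.15. The sample lockfile snippets are constructed for the demonstration.

```javascript
// Added example, not FixVibe's scanner: flag lockfile entries that resolve
// @tanstack/arktype-adapter to a version the advisory lists as malicious.
const PKG = "@tanstack/arktype-adapter";
const BAD = new Set(["1.166.12", "1.166.15"]); // affected versions from the advisory

// package-lock.json: lockfileVersion 2/3 keeps entries under "packages" keyed by
// install path; lockfileVersion 1 nests them under "dependencies". Check both.
function scanPackageLock(text) {
  const lock = JSON.parse(text), hits = [];
  for (const [path, e] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PKG) && BAD.has(e.version)) hits.push(path + "@" + e.version);
  }
  const walk = (deps, prefix) => Object.entries(deps || {}).forEach(([name, d]) => {
    if (name === PKG && BAD.has(d.version)) hits.push(prefix + name + "@" + d.version);
    walk(d.dependencies, prefix + name + " > "); // nested, non-hoisted copies
  });
  if (!lock.packages) walk(lock.dependencies, ""); // v1 only; v2 lists both sections
  return hits;
}

// yarn.lock (v1 and berry): an unindented key line names the package and an
// indented `version "x"` / `version: x` line gives the resolved version.
function scanYarnLock(text) {
  const hits = []; let inTarget = false;
  text.split("\n").forEach((line, i) => {
    if (line.trim() && !/^\s/.test(line)) inTarget = line.includes(PKG + "@");
    const m = inTarget && line.match(/^\s+version:?\s*"?([0-9][^"\s]*)"?/);
    if (m && BAD.has(m[1])) hits.push(`yarn.lock:${i + 1} ${PKG}@${m[1]}`);
  });
  return hits;
}

// pnpm-lock.yaml (v6+): the key in the packages section carries the resolved version,
// e.g. "/@tanstack/arktype-adapter@1.166.12:" or "'@tanstack/arktype-adapter@1.166.12':".
function scanPnpmLock(text) {
  const hits = [], re = new RegExp(PKG + "@([0-9][^:'\\s(]*)");
  text.split("\n").forEach((line, i) => {
    const m = line.match(re);
    if (m && BAD.has(m[1])) hits.push(`pnpm-lock.yaml:${i + 1} ${PKG}@${m[1]}`);
  });
  return hits;
}

// Constructed sample inputs (not real project files) exercising each format.
const SAMPLE_PACKAGE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "node_modules/@tanstack/arktype-adapter": { version: "1.166.15" },
  "node_modules/arktype": { version: "2.1.0" } } });
const SAMPLE_YARN_LOCK = `"@tanstack/arktype-adapter@^1.166.0":\n  version "1.166.12"\n\n"arktype@^2.0.0":\n  version "2.1.0"\n`;
const SAMPLE_PNPM_LOCK = `packages:\n  '@tanstack/arktype-adapter@1.166.12':\n    resolution: {integrity: sha512-constructed}\n  /arktype@2.1.0:\n    resolution: {integrity: sha512-constructed}\n`;
console.log([...scanPackageLock(SAMPLE_PACKAGE_LOCK), ...scanYarnLock(SAMPLE_YARN_LOCK), ...scanPnpmLock(SAMPLE_PNPM_LOCK)]);
```

A hit is only lockfile evidence that the version was pinned; whether a host actually installed it still has to be confirmed from install logs and caches.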

Remediation

Remove @tanstack/arktype-adapter versions 1.166.12 and 1.166.15, upgrade to 1.166.16 or a newer clean release, and regenerate the active lockfile from a trusted registry state [S1][S2]. Rebuild CI images, Docker layers, devcontainers, package-manager caches, and deployed artifacts that may have cached the malicious version. If either affected version was installed, rotate install-time credentials through the owning providers and review CI or developer install logs for unusual package activity [S2].
