FixVibe

// código / holofote

TanStack ArkType Adapter Malware Advisory

Known malicious npm package versions can put CI and developer secrets at install-time risk.

A pegada

Supply-chain malware is different from a normal dependency bug: the dangerous action can happen during installation, before the application ever starts. For @tanstack/arktype-adapter, the repo evidence that matters most is whether a project resolves to one of the malicious published versions.

Como funciona

The repo check looks for the npm package `@tanstack/arktype-adapter` in package manifests and lockfiles. Exact manifest declarations and lockfile-resolved versions are reported when they match 1.166.12 or 1.166.15, the affected versions listed by the TanStack and GitHub advisories.

O raio de impacto

If either malicious version was installed in a developer workstation or CI environment, credentials available to that install process should be treated as potentially exposed. A repo match should trigger package cleanup, cache/image rebuilds, and credential-impact review, but it is not proof that FixVibe observed exfiltration or host compromise.

// o que o fixvibe verifica

O que o FixVibe verifica

FixVibe repo scans look for high-confidence security patterns and dependency risk in source context. Reports identify the affected area and recommended fix. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Defesas blindadas

Upgrade @tanstack/arktype-adapter to 1.166.16 or a newer clean release, or remove it if unused. Regenerate the active lockfile from a trusted registry state, rebuild CI images, Docker layers, devcontainers, and dependency caches, then rotate install-time credentials if either malicious version was ever installed.

// rode no seu próprio app

Continue publicando enquanto o FixVibe vigia.

O FixVibe pressiona a superfície pública do seu app do jeito que um atacante faria — sem agente, sem instalação, sem cartão. Continuamos pesquisando novos padrões de vulnerabilidade e transformando isso em checks práticos e fixes prontos para Cursor, Claude e Copilot.

Código fonte
116
testes nessa categoria
módulos
76
checks dedicados de código fonte
todo scan
487+
testes em todas as categorias
  • Grátis — sem cartão, sem instalação, sem ping de Slack
  • Só colar uma URL — a gente crawla, sonda e reporta
  • Achados classificados por severidade, deduplicados no sinal
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Rodar um scan grátis

// checks atuais · fixes práticos · publique com confiança

TanStack ArkType Adapter Malware Advisory — Holofote de Vulnerabilidade | FixVibe · FixVibe