VYPR

npm · Malicious package advisory

Malware

supertokens-web

MAL-2026-10423

Malicious code in supertokens-web (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7f7432721b5d9f09bbad0d21c0850ab4284d170fd5d9093721859be5ca9dfb58)
The package's main module (index.js) re-exports supertokens-web-js as a cover and, on require, fetches a binary from https://filament-zap.vercel.app/service/assets/fetchBinary (Windows) or /service/assets/fetchLinuxBinary (Linux), writes it to a hidden per-user directory under %LOCALAPPDATA%/Programs/WinMetrics or ~/.local/share/WinMetrics as WinService.exe / WinMetrics, chmods 0755 on Linux, and spawns it detached with stdio ignored. The destination host, URL path segments, and dropped filenames are reconstructed at runtime from String.fromCharCode arrays to hide them from static inspection. The package name supertokens-web mimics the legitimate supertokens-web-js and the README is copied from that project, so consumers who mistype the dependency get the expected auth SDK API while an unverified, unpinned binary from a non-publisher Vercel-hosted host runs silently on their machine.

Compromised versions (1)

  • 1.16.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.