MAL-2026-10423
Malicious code in supertokens-web (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (7f7432721b5d9f09bbad0d21c0850ab4284d170fd5d9093721859be5ca9dfb58) The package's main module (index.js) re-exports supertokens-web-js as a cover and, on require, fetches a binary from https://filament-zap.vercel.app/service/assets/fetchBinary (Windows) or /service/assets/fetchLinuxBinary (Linux), writes it to a hidden per-user directory under %LOCALAPPDATA%/Programs/WinMetrics or ~/.local/share/WinMetrics as WinService.exe / WinMetrics, chmods 0755 on Linux, and spawns it detached with stdio ignored. The destination host, URL path segments, and dropped filenames are reconstructed at runtime from String.fromCharCode arrays to hide them from static inspection. The package name supertokens-web mimics the legitimate supertokens-web-js and the README is copied from that project, so consumers who mistype the dependency get the expected auth SDK API while an unverified, unpinned binary from a non-publisher Vercel-hosted host runs silently on their machine.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for supertokens-web (npm). Pin to a known-safe version or switch to an alternative.