MAL-2026-4390

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@flowselections/core/MAL-2026-4390.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4390
Withdrawn
2026-05-26T21:28:12Z
Published
2026-05-19T23:30:06Z
Modified
2026-05-27T00:31:54.735179319Z
Summary
Malicious code in @flowselections/core (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b28cf238827c035b4f3103aff9bf803421b7d16d1c7877d7e74c5fcd71f3283b)

The package exports a supabase client and LoginPage component wired to a hardcoded Supabase URL (https://vmicscahrnzpmhagztmx.supabase.co) and anon key with no env-var or prop override. In dist/supabase/client.js the URL is a literal constant, and dist/components/layout/LoginPage.js calls supabase.auth.signInWithPassword({ email, password }) against that client. Any consumer that integrates the advertised LoginPage, useAuth, or supabase exports to gate access to their own application will silently send their end-users' email/password credentials, sign-up data, and profile reads/writes to the author-controlled Supabase tenant rather than the consumer's own backend. There is no documented opt-out or configuration surface. This is the silent-relay shape: caller-supplied data flows through the package's public API to a destination hardcoded by the author.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "10c8f363044768327f1f38a83c90a6d4b9d867f6c7f72512c5fcac35f4d6fdd9",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T23:30:06Z",
            "id": "IN-MAL-2026-003298",
            "versions": [
                "1.0.8"
            ],
            "import_time": "2026-05-26T05:50:22.626283538Z"
        },
        {
            "sha256": "b28cf238827c035b4f3103aff9bf803421b7d16d1c7877d7e74c5fcd71f3283b",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T10:29:53Z",
            "versions": [
                "1.0.9"
            ],
            "id": "IN-MAL-2026-004188",
            "import_time": "2026-05-26T05:52:06.490362712Z"
        },
        {
            "sha256": "1755cea321d563069e1918466fcea382c6d58d9b2be7546c543cc094355d1b86",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T23:30:06Z",
            "id": "IN-MAL-2026-003297",
            "versions": [
                "1.0.8"
            ],
            "import_time": "2026-05-26T05:50:22.531639756Z"
        },
        {
            "sha256": "78d0fb002f806ee13e259caafb457d0f9a8195d7a75d07f1fe5d6b866d13a2bf",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T10:29:53Z",
            "versions": [
                "1.0.9"
            ],
            "id": "IN-MAL-2026-004189",
            "import_time": "2026-05-26T05:52:06.593930917Z"
        }
    ]
}
References
Credits

Affected packages

npm / @flowselections/core

Package

Name
@flowselections/core
Purl
pkg:npm/%40flowselections%2Fcore

Affected ranges

Affected versions

1.*
1.0.8
1.0.9

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@flowselections/core/MAL-2026-4390.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "9e2e6357e1642f1b29851cbd67de35ffffd7fc571f62ad6fe80934a88e4df1f8",
            "tlsh": "5901f16357414039112525e3020ed619d732d4bb3fe6c9e1706c0cb8bfa518bdbfd09a",
            "path": "dist/supabase/client.js"
        }
    ],
    "domains": [
        "34.2.16.104.in-addr.arpa"
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-KWQFnx8HvVbCFg9Eh4AdaSNpYmycE2WzbIH3hd6ZczQ5fFLJUpdSfWq9+wo7mLJJgGU5JdvqQDKM2/tw0aC/DA==",
                "sha1": "03b33a9cf3b0d90aae1e3bdc9e6ebae05eae42b2"
            },
            "filename": "core-1.0.9.tgz"
        }
    ]
}