@flowselections/core @1.0.9
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4390
Ecosystem
npm
Summary
The package exports a supabase client and LoginPage component wired to a hardcoded Supabase URL (https://vmicscahrnzpmhagztmx.supabase.co) and anon key with no env-var or prop override. In dist/supabase/client.js the URL is a literal constant, and dist/components/layout/LoginPage.js calls supabase.auth.signInWithPassword({ email, password }) against that client. Any consumer that integrates the advertised LoginPage, useAuth, or supabase exports to gate access to their own application will silently send their end-users' email/password credentials, sign-up data, and profile reads/writes to the author-controlled Supabase tenant rather than the consumer's own backend. There is no documented opt-out or configuration surface. This is the silent-relay shape: caller-supplied data flows through the package's public API to a destination hardcoded by the author.
Source: amazon-inspector (b28cf238827c035b4f3103aff9bf803421b7d16d1c7877d7e74c5fcd71f3283b)
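A check a consumer can run against their own project, as an added example that is not part of the advisory or the package: it looks for the package version named on this page in a parsed package-lock.json and lists Supabase project hosts that appear as string literals in a built file. The function names, the sample lockfile and the sample source line are constructed for illustration.

```javascript
// Added example: defensive check, not code from the advisory or the package.
const FLAGGED = { name: "@flowselections/core", version: "1.0.9" }; // from this page

// Return lockfile locations that resolve to the flagged name@version.
// Handles lockfileVersion 2/3 ("packages" map) and version 1 ("dependencies" tree).
function findFlagged(lock) {
  const hits = [];
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/@scope/name"; "" is the root project.
    const idx = path.lastIndexOf(marker);
    const name = meta.name || (idx >= 0 ? path.slice(idx + marker.length) : "");
    if (name === FLAGGED.name && meta.version === FLAGGED.version) hits.push(path);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === FLAGGED.name && meta.version === FLAGGED.version) hits.push(here.join(" > "));
      walk(meta.dependencies, here); // nested (transitive) installs in v1 lockfiles
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Return Supabase project hosts that appear as literals in a source file.
// A literal host in shipped client code means the backend was fixed at publish time.
function hardcodedSupabaseHosts(source) {
  const re = /https:\/\/([a-z0-9-]+\.supabase\.co)\b/gi;
  return [...new Set([...source.matchAll(re)].map((m) => m[1].toLowerCase()))];
}

// Constructed sample inputs (lockfileVersion 3 shape, and one built-file line).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/@flowselections/core": { version: "1.0.9" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
const sampleSource =
  'export const supabase = createClient("https://exampleproject.supabase.co", "anon-key-placeholder");';

console.log("flagged installs:", findFlagged(sampleLock));
console.log("literal Supabase hosts:", hardcodedSupabaseHosts(sampleSource));
```

In a real project, pass the parsed contents of package-lock.json to findFlagged and the text of each file under the dependency's dist directory to hardcodedSupabaseHosts, then compare any host found with the Supabase project you actually own.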