npm

supertokens-web @1.16.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10423

Ecosystem

npm

Summary

The package's main module (index.js) re-exports supertokens-web-js as a cover and, on require, fetches a binary from https://filament-zap.vercel.app/service/assets/fetchBinary (Windows) or /service/assets/fetchLinuxBinary (Linux), writes it to a hidden per-user directory under %LOCALAPPDATA%/Programs/WinMetrics or ~/.local/share/WinMetrics as WinService.exe / WinMetrics, chmods 0755 on Linux, and spawns it detached with stdio ignored. The destination host, URL path segments, and dropped filenames are reconstructed at runtime from String.fromCharCode arrays to hide them from static inspection. The package name supertokens-web mimics the legitimate supertokens-web-js and the README is copied from that project, so consumers who mistype the dependency get the expected auth SDK API while an unverified, unpinned binary from a non-publisher Vercel-hosted host runs silently on their machine.

Source: amazon-inspector (7f7432721b5d9f09bbad0d21c0850ab4284d170fd5d9093721859be5ca9dfb58)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.