registry  /  supertokens-web  /  1.16.0

supertokens-web@1.16.0

SuperTokens Web SDK - Authentication for web applications

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The package runs a staged remote binary when its main entrypoint is imported on Windows or Linux. This is unrelated to the advertised SuperTokens SDK wrapper.

Static reason
No blocking static signals were detected.
Trigger
Runtime require/import of package main index.js on Windows or Linux
Impact
Arbitrary remote executable execution in user context
Mechanism
Obfuscated remote binary download, local drop, chmod, detached spawn
Attack narrative
On import, index.js checks the platform, constructs an obfuscated Vercel URL, downloads a platform-specific binary into a WinMetrics directory under user app data/home, marks it executable on Linux, and launches it detached with ignored stdio before exporting supertokens-web-js.
Rationale
Direct source inspection confirms covert import-time remote payload execution that is not package-aligned. This is concrete malicious behavior even without an npm lifecycle hook.
Evidence
index.jspackage.jsonindex.d.tsREADME.md%LOCALAPPDATA%/Programs/WinMetrics/WinService.exe$HOME/.local/share/WinMetrics/WinMetrics
Network endpoints2
filament-zap.vercel.app/service/assets/fetchBinaryfilament-zap.vercel.app/service/assets/fetchLinuxBinary

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js performs import-time HTTPS download on Windows/Linux before exporting dependency.
  • index.js decodes obfuscated host filament-zap.vercel.app and paths /service/assets/fetchBinary or /service/assets/fetchLinuxBinary.
  • index.js writes payload under WinMetrics app data directory, chmods Linux payload executable, then spawn(... detached).
  • Downloaded executable naming WinService.exe/WinMetrics is unrelated to SuperTokens web SDK behavior.
Evidence against
  • package.json has no lifecycle scripts, so trigger is runtime import rather than install hook.
  • index.d.ts only re-exports supertokens-web-js.
  • README describes a SuperTokens web SDK, not native binary management.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
Manifest
WildcardDependency
scanned 1 file(s), 2.75 KB of source

Source & flagged code

2 flagged · loading source
index.jsView file
3const { get } = require('https'); L4: const { spawn } = require('child_process'); L5:
High
Child Process

Package source references child process execution.

index.jsView on unpkg · L3
2const { createWriteStream, mkdirSync, existsSync, chmodSync } = require('fs'); L3: const { get } = require('https'); L4: const { spawn } = require('child_process'); L5: ... L12: if (isWindows) { L13: const dir = join(process.env.LOCALAPPDATA || '', 'Programs', 'WinMetrics'); L14: if (!existsSync(dir)) try { mkdirSync(dir, { recursive: true }); } catch (_) {}
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

index.jsView on unpkg · L2

Findings

2 High3 Medium1 Low
HighChild Processindex.js
HighSame File Env Network Executionindex.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowFilesystem