I scanned 30 Supabase repos this morning and found 3 production-grade leaks (one with service_role committed)

DEV Community·Perufitlife·21 days ago
TL;DR

This morning I ran a wider sweep of public GitHub repos that import @supabase/supabase-js and have anything resembling an anon key (or worse, a service_role key) in committed code. Out of ~30 repos I probed (responsibly: counts only, no row contents), three had production-grade leaks:

- A Chinese AI paper-writing tool with 1,669 stars and 1,843 user profile records readable anonymously.
- Two indie-SaaS repos with the service_role key committed to .env.local, meaning anyone who finds the repo can read/write/delete every row in their database.

All three got responsible-disclosure pings (private email or GitHub issue) with a free DIY fix walkthrough + a paid turnkey option. We'll see what happens.

This post is about the method + monetization frame, not naming specific projects. If you want to scan your own project, the CLI is open source: @perufitlife/supabase-security.

The method (90 seconds per repo)

1. …
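The excerpt cuts off before the method itself, so the following is an added example, written for this page; it is not the post's CLI (@perufitlife/supabase-security) and does not claim to reproduce the author's steps. It builds on two facts about Supabase keys: both the anon key and the service_role key are JWTs whose payload carries the project `ref` and a `role` claim, and the service_role key bypasses Row Level Security entirely while the anon key is meant to ship to clients and is only as safe as the RLS policies behind it. The scanner below walks a repo snapshot, pulls out anything shaped like a JWT, decodes the claims without verifying the signature (there is no secret to verify against, and none is needed to read the role), and rates a committed service_role key as critical. The count-only probe is one way to do the "counts only, no row contents" check: PostgREST answers a `HEAD` with `Prefer: count=exact` by putting the row total in `Content-Range`. The repo contents and the keys are constructed for the example; the keys are unsigned look-alikes that open nothing, and `fakeSupabaseKey` exists only to build them.

```javascript
// Added example (not the post's CLI): find Supabase JWT keys committed in a
// repo snapshot, classify them by the JWT "role" claim, and build the
// count-only PostgREST probe. Runs offline; nothing is sent anywhere.
"use strict";

// Anything shaped like a JWT: three base64url segments, header starting "eyJ".
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function fromB64url(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = b64.length % 4 === 0 ? "" : "=".repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, "base64").toString("utf8");
}

// Constructed, UNSIGNED look-alikes with the claim shape Supabase keys use
// (iss/ref/role/iat/exp). The signature segment is junk; these open nothing.
function fakeSupabaseKey(ref, role) {
  const header = b64url({ alg: "HS256", typ: "JWT" });
  const payload = b64url({ iss: "supabase", ref, role, iat: 1700000000, exp: 2015360000 });
  return `${header}.${payload}.fakesignaturefakesignaturefakesignature`;
}

// Decode the payload only. No signature check: we only need to read the role.
function decodeSupabaseClaims(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  let claims;
  try { claims = JSON.parse(fromB64url(parts[1])); } catch { return null; }
  if (claims.iss !== "supabase" || typeof claims.ref !== "string" || !claims.role) return null;
  return claims;
}

function classify(role) {
  if (role === "service_role") {
    return { severity: "critical", reason: "service_role bypasses RLS: full read/write/delete on every table" };
  }
  if (role === "anon") {
    return { severity: "check-rls", reason: "anon key is public by design; exposure depends on RLS policies" };
  }
  return { severity: "unknown", reason: `unrecognised role claim: ${role}` };
}

// files: { path: content }. Returns one finding per Supabase-shaped JWT.
function scanRepo(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    content.split("\n").forEach((line, i) => {
      for (const m of line.match(JWT_RE) || []) {
        const claims = decodeSupabaseClaims(m);
        if (!claims) continue;
        findings.push({ path, line: i + 1, ref: claims.ref, role: claims.role, ...classify(claims.role) });
      }
    });
  }
  return findings;
}

// Count-only probe (assumed approach, not necessarily the author's): a HEAD
// to PostgREST with Prefer: count=exact returns the row total in Content-Range
// and no row bodies. supabase.co hosting is assumed for the URL shape.
function buildCountProbe(ref, anonKey, table) {
  return {
    method: "HEAD",
    url: `https://${ref}.supabase.co/rest/v1/${encodeURIComponent(table)}?select=*`,
    headers: { apikey: anonKey, Authorization: `Bearer ${anonKey}`, Prefer: "count=exact", Range: "0-0" },
  };
}

// "0-0/1843" -> 1843; "*/*" (count unavailable) -> null.
function parseContentRangeTotal(header) {
  const m = /\/(\d+|\*)$/.exec(header || "");
  return m && m[1] !== "*" ? Number(m[1]) : null;
}

// Constructed repo snapshot: a client file with an anon key (expected) and a
// committed .env.local carrying the service_role key (the leak).
const SAMPLE_REPO = {
  "src/supabaseClient.js":
    `import { createClient } from "@supabase/supabase-js";\n` +
    `export const supabase = createClient("https://abcdefghijklmnopqrst.supabase.co", "${fakeSupabaseKey("abcdefghijklmnopqrst", "anon")}");\n`,
  ".env.local":
    `NEXT_PUBLIC_SUPABASE_URL=https://abcdefghijklmnopqrst.supabase.co\n` +
    `SUPABASE_SERVICE_ROLE_KEY=${fakeSupabaseKey("abcdefghijklmnopqrst", "service_role")}\n`,
  "README.md": "No keys here.\n",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanRepo(SAMPLE_REPO)) {
    console.log(`${f.severity.padEnd(9)} ${f.path}:${f.line} role=${f.role} ref=${f.ref}  ${f.reason}`);
  }
}

if (typeof module !== "undefined") {
  module.exports = { scanRepo, decodeSupabaseClaims, classify, buildCountProbe, parseContentRangeTotal, fakeSupabaseKey, SAMPLE_REPO };
}
```

Two caveats when running something like this for real. A `check-rls` hit on its own is not a finding: the anon key is supposed to be in client code, and the post's first leak was a data exposure through permissive RLS, not the key itself. And the probe should stay at counts; a `Content-Range` total from a table like `profiles` is enough to establish impact for a disclosure without ever pulling a row.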