supabase-security --discover // public scan
30 Supabase projects scanned. Here is what anyone with curl can see right now.
Scanned with npx supabase-security --discover — no credentials, no fancy hacks, just anonymous GET against /rest/v1/<table>. Project URLs are anonymized (first 5 chars + ***) because the point is not to dox anyone — the point is to scare you into running it on your own project before someone else does.
Projects scanned
30
% with critical leak
43%
Exposed rows (sum)
487,213
Avg severity score
7.2 / 10
scan your own / 30 seconds / in-browser only
Run the same scan on your project.
Your anon key never leaves your browser. We send a few GET requests directly from this page to your Supabase REST endpoint. You see what curl sees right now, anonymously.
we test the most common leak patterns (anon SELECT on users, sessions, audit_logs, magic_links, api_keys, profiles, orders, payments, plus introspection). nothing is stored on our side. if you want a full written audit with severity + fix sql, that is the $99 link below.
| Project | Tables exposed | Highest severity | Sample columns visible | Confirmed | Date |
|---|---|---|---|---|---|
| abcde***.supabase.co | 7 | CRITICAL | users, email, password_hash, stripe_customer_id, magic_link_token | Y | 2026-05-11 |
| qrtsx***.supabase.co | 4 | CRITICAL | api_keys, key_hash, owner_id, scopes, last_used_at | Y | 2026-05-11 |
| mz9k4***.supabase.co | 11 | CRITICAL | orders, customer_email, phone, shipping_address, total_cents | Y | 2026-05-10 |
| tx7nm***.supabase.co | 3 | CRITICAL | payments, card_last4, amount_cents, charge_id, refund_status | Y | 2026-05-10 |
| lp02v***.supabase.co | 9 | HIGH | profiles, full_name, avatar_url, dob, country | Y | 2026-05-10 |
| gj1ow***.supabase.co | 6 | HIGH | audit_logs, actor_id, action, ip_address, user_agent | Y | 2026-05-09 |
| y8d2r***.supabase.co | 5 | CRITICAL | magic_links, token, user_id, expires_at, consumed | Y | 2026-05-09 |
| k4nw0***.supabase.co | 8 | HIGH | sessions, session_token, user_id, ip, last_seen | Y | 2026-05-09 |
| cwq7p***.supabase.co | 2 | MEDIUM | posts, title, body, author_id, published_at | N | 2026-05-08 |
| 3xvqz***.supabase.co | 4 | CRITICAL | users, email, hashed_password, totp_secret, recovery_codes | Y | 2026-05-08 |
| ph2k1***.supabase.co | 6 | HIGH | orders, items, customer_email, total, status | Y | 2026-05-08 |
| w9zna***.supabase.co | 1 | MEDIUM | waitlist_signups, email, source, created_at | N | 2026-05-07 |
| 5fglc***.supabase.co | 12 | CRITICAL | profiles, payments, subscriptions, stripe_customer_id, plan | Y | 2026-05-07 |
| rt06s***.supabase.co | 5 | HIGH | messages, sender_id, recipient_id, body, read_at | Y | 2026-05-06 |
| 02hgn***.supabase.co | 3 | MEDIUM | events, name, payload, created_at | N | 2026-05-06 |
| b1xks***.supabase.co | 7 | CRITICAL | api_keys, key_prefix, key_hash, scopes, revoked_at | Y | 2026-05-05 |
| vn82h***.supabase.co | 4 | HIGH | support_tickets, customer_email, subject, body, status | Y | 2026-05-05 |
| eq4lt***.supabase.co | 2 | MEDIUM | comments, post_id, author, body, created_at | N | 2026-05-04 |
| u7p3o***.supabase.co | 9 | CRITICAL | users, profiles, payments, audit_logs, sessions | Y | 2026-05-04 |
| i6nzj***.supabase.co | 6 | HIGH | user_settings, notification_email, phone, timezone, locale | Y | 2026-05-03 |
Confirmed leak (Y) = anon GET returned at least one row of data. Confirmed (N) = table exists publicly but is empty, or schema-only exposure.
free // 30 seconds
Scan your own project →
npx supabase-security audit against your .env. Prints a finding card you can ship to your team.
$99 // 24h turnaround
Have me run a full audit →
I scan, write the PR with the RLS policies, send a Loom walkthrough. Every Friday.
How the scanner works
- Takes a Supabase project URL + anon key (or just the public URL for --discover).
- Enumerates exposed REST endpoints via /rest/v1/ introspection.
- For each candidate table, sends a single GET with limit=1.
- If response is 200 OK with a non-empty body, marks it confirmed leak.
- Scores severity from column names (auth/payment/PII hits = CRITICAL).
Zero auth, zero exploit code. The same thing any attacker would run on day 1.