Firebase JS SDK

registrynpm

package namefirebase

maintainerGoogle

The Firebase JavaScript SDK provides access to Firebase services (Firestore, Realtime Database, Auth, Storage, Functions) from web applications and Node.js. It is used in mobile backends, real-time applications, and consumer web apps. Firebase credentials are typically embedded in the app's JavaScript bundle.

api usage

Checking Firebase JS SDK

firebase 10.12.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=firebase&version=10.12.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "firebase",
  "version": "10.12.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

Firebase SDK packages are often loaded client-side with API keys visible in the JavaScript bundle. A compromised SDK can harvest the Firebase config object (including the API key, project ID, and app ID) that is passed during initialization.

Attestd monitors firebase using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

Supply chain overview All npm packages AWS SDK S3 (JS)Google Cloud Storage (JS)Response fields