Fake Supabase project-paused / migration-rollback service-role-key harvest lure — "Your Supabase project has been paused; migration rollback required to restore the database — reactivate within 7 days or your service-role / anon key will be invalidated" targeting developers who hit the inactivity-pause threshold. Free-tier auto-pause is a real Supabase behavior, lending the phish narrative immediate credibility. The fake dashboard harvests `service_role` (full Postgres bypass) + `anon` keys + RLS policy details. Real Supabase project lifecycle notifications come from supabase.com / app.supabase.com and never demand key re-input via email link. Source: GC1 R7 multi-agent council (S5 SaaS specialist).
fake-supabase-project-paused-migration-rollback-spoof
What this tier means
Warning signal — bulk / marketing / mild spam. Contributes to the trash score but is not by itself sufficient.
How Gorganizer detects this
Fake Supabase project-paused / migration-rollback service-role-key harvest lure targeting developers using Supabase as their Postgres + Auth + Storage backend. The phish narrative arrives as: "Your Supabase free-tier project has been paused — a migration rollback is required to restore the database — reactivate within 7 days or your service-role and anon key will be invalidated," or "Supabase has detected a migration failure — restore your project and rollback the migration to recover RLS policies."
Free-tier auto-pause IS a real Supabase product behavior (projects pause after a week of inactivity on the free tier and require an explicit reactivation), and Supabase did ship migration-rollback tooling through 2025-2026, lending the phish narrative immediate credibility — even experienced Supabase developers can mistake the lookalike for a routine lifecycle reminder.
The fake dashboard harvests `service_role` (full Postgres bypass — the most powerful key Supabase issues, capable of reading every row in every table including RLS-protected user data) plus `anon` keys plus the project-ID and RLS policy details. Compromised service-role keys allow attackers to (1) exfiltrate full user databases (auth tables, application data, file metadata in Supabase Storage), (2) drop RLS policies and impersonate any user, (3) insert malicious rows / triggers / functions, (4) pivot to whatever third-party integrations the project trusts.
Real Supabase project lifecycle notifications come from supabase.com / app.supabase.com with DMARC pass; Supabase never demands key re-input via inbound email link, never sets 7-day rollback deadlines via email, and provides project lifecycle controls through the dashboard UI directly.
Distinct from generic SaaS "your account is suspended" phish — the regex requires Supabase-specific RLS / service-role / anon-key / migration vocabulary plus rollback / restore / reactivate / recover urgency.
Fires when body references Supabase / project paused / migration / service-role / anon key / RLS / RLS policy AND contains rollback / restore / reactivate / recover / action-required urgency. Excludes supabase.com, supabase.io, app.supabase.com. Source: GC1 R7 multi-agent council (S5 SaaS specialist).
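The firing condition above, sketched as an added example; this is not Gorganizer's own code or regex. The patterns, function names and the `dmarc_pass` parameter are assumptions, as is reading the slash-separated terms as alternatives and the exclusion as a sender-domain check; the `.example` senders and message bodies are constructed.

```python
import re
from email.utils import parseaddr

# Assumed patterns built from the vocabulary this page lists (not Gorganizer's regex).
TOPIC = re.compile(
    r"supabase|project\s+(?:has\s+been\s+|is\s+)?paused|migration|"
    r"service[\s_-]?role|anon[\s_-]?key|\bRLS\b", re.I)
URGENCY = re.compile(
    r"roll[\s-]?back|restor|reactivat|recover|action[\s-]+required", re.I)
EXCLUDED = ("supabase.com", "supabase.io", "app.supabase.com")

def sender_domain(from_header):
    """Domain of the From address, lowercased."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")

def is_excluded(domain):
    """Exact or true-subdomain match, so supabase.com.mail.example does not pass."""
    return any(domain == d or domain.endswith("." + d) for d in EXCLUDED)

def lure_signal(from_header, body, dmarc_pass):
    """True when the warning-tier signal should contribute to the score."""
    # Assumption: the exclusion is honoured only when DMARC passed, because
    # the From header alone can be forged.
    if dmarc_pass and is_excluded(sender_domain(from_header)):
        return False
    return bool(TOPIC.search(body) and URGENCY.search(body))

LURE = ("Your Supabase project has been paused; migration rollback required. "
        "Reactivate within 7 days or your service-role / anon key will be invalidated.")
# Constructed sample messages: (From header, body, DMARC result)
SAMPLES = [
    ("Supabase <alerts@supabase-status.example>", LURE, True),
    ("Supabase <noreply@supabase.com>", LURE, True),
    ("Supabase <noreply@supabase.com>", LURE, False),
    ("Supabase <noreply@supabase.com.mail.example>", LURE, True),
    ("Billing <billing@vendor.example>", "Your account is suspended. Action required.", True),
    ("News <news@vendor.example>", "Supabase shipped a new RLS policy editor.", True),
]

if __name__ == "__main__":
    for frm, body, dmarc in SAMPLES:
        print(lure_signal(frm, body, dmarc), sender_domain(frm))
```

The last two samples cover the generic "account suspended" case with no Supabase vocabulary and a Supabase mention with no urgency; neither fires.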
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a warning-tier signal — bulk / marketing / mild spam. It contributes to the trash score but never triggers deletion on its own. Gorganizer requires multiple signals + a margin over the safety floor before any email is moved to trash.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.