17 days ago
Hello Railway Support Team,
I’m experiencing a critical security issue affecting my staging environment hosted on Railway. After a successful Google OAuth login, users are being redirected to an unrelated malicious gambling website.
This issue does NOT occur in production (or local development), which uses a custom Supabase domain. It only happens on staging/dev, which uses the auto-generated Supabase domain and is hosted via Railway.
Google OAuth completes successfully
User is redirected to /auth/callback
Instead of staying within the app, a malicious JavaScript file is executed
This script then redirects the user to an external gambling site
Discord OAuth works correctly in all environments.
Environments:
Staging
Hosted on Railway
Uses auto-generated Supabase API/domain
No recent code or config changes (last ~7 days)
Same OAuth client ID/secret as production
Production
Uses custom Supabase domain
OAuth works perfectly
No malicious redirect
OAuth Redirect Flow
Redirect:
https://dev.clipthis.app/auth/callback?code=…&next=/intro
Observed behavior:
The callback page loads the following HTML before redirecting to a malicious site:
This script is not part of our codebase and is never served in production.
/auth/callback Implementation
The callback route is implemented using a Next.js Route Handler and only performs:
supabase.auth.exchangeCodeForSession
A server-side redirect via NextResponse.redirect(…)
No client-side scripts are included or rendered here.
Supabase Confirmation:
I contacted Supabase support. They confirmed:
If it's correctly redirecting to that path, then from the Supabase side of things that sounds like it's working as expected?
So yes, can anyone help me with that? I'm currently clueless…
Thank you
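The symptom described above is a callback page that carries a script reference which is not part of the application. A defender's first check is to fetch the served HTML and list every script reference whose host is not one of your own. The following is an added example, not code from the thread or from Railway, Supabase or Next.js; the allowlist, the page URL and the sample HTML are constructed for illustration, and the sample deliberately mixes two normal Next.js scripts with two injected ones.

```typescript
// Added example (not the thread's code): audit the HTML of a page such as
// /auth/callback for script references that point outside an allowlist of
// hosts. Assumptions: the allowlist and SAMPLE_HTML below are constructed.

interface ScriptFinding {
  kind: "external" | "inline-url";
  url: string;
  host: string;
}

// Matches <script ...>body</script>, capturing the attribute string and body.
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
// Matches src="..." / src='...' / src=... inside the attribute string.
const SRC_ATTR = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
// Absolute http(s) URLs embedded in inline script bodies (e.g. location.href = "https://...").
const ABS_URL = /https?:\/\/[^\s"'`<>()]+/g;

function hostOf(url: string, base: string): string {
  try {
    return new URL(url, base).hostname.toLowerCase();
  } catch (e) {
    return ""; // unparsable references are treated as an unknown host
  }
}

// Returns every script reference whose host is not on the allowlist.
function unexpectedScripts(html: string, pageUrl: string, allowedHosts: string[]): ScriptFinding[] {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings: ScriptFinding[] = [];
  SCRIPT_TAG.lastIndex = 0;
  let tag: RegExpExecArray | null;
  while ((tag = SCRIPT_TAG.exec(html)) !== null) {
    const attrs = tag[1] ?? "";
    const body = tag[2] ?? "";
    const src = SRC_ATTR.exec(attrs);
    if (src) {
      const url = src[1] ?? src[2] ?? src[3] ?? "";
      const host = hostOf(url, pageUrl);
      if (!allowed.has(host)) findings.push({ kind: "external", url, host });
      continue;
    }
    // Inline scripts are normal for Next.js (hydration data), so only the
    // absolute URLs they contain are checked, not their mere presence.
    ABS_URL.lastIndex = 0;
    let ref: RegExpExecArray | null;
    while ((ref = ABS_URL.exec(body)) !== null) {
      const host = hostOf(ref[0], pageUrl);
      if (!allowed.has(host)) findings.push({ kind: "inline-url", url: ref[0], host });
    }
  }
  return findings;
}

// Constructed sample of a callback page: two legitimate Next.js scripts plus
// two injected ones (an external file and an inline redirect). The .test
// hostnames are placeholders, not real sites.
const SAMPLE_HTML = `<!DOCTYPE html><html><head>
<script src="/_next/static/chunks/main-app.js" async=""></script>
<script>self.__next_f=self.__next_f||[];self.__next_f.push([0])</script>
<script src="https://cdn.example-injected.test/loader.js"></script>
</head><body>
<script>window.location.href="https://casino.example-injected.test/?r=1";</script>
</body></html>`;

function demo(): ScriptFinding[] {
  return unexpectedScripts(SAMPLE_HTML, "https://dev.clipthis.app/auth/callback", ["dev.clipthis.app"]);
}

for (const f of demo()) {
  console.log(`${f.kind}: ${f.url} (host ${f.host})`);
}
```

Run it against the HTML you actually receive from the staging callback (for example the body saved from a browser's network tab) and compare with the HTML served from production; an entry that shows up only on staging is the thing to chase, and checking whether that request appears in the Railway HTTP logs tells you whether it was injected by the app or by something in front of it.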
25 Replies
Interesting discovery:
I just hit the "Redeploy" button in the dev branch.
For the next 20 minutes everything was working correctly.
After the 20 minutes it was redirecting to the malicious site.
17 days ago
Are you using Cloudflare?
17 days ago
You can try seeing if the redirect hits the Railway HTTP logs; if not, it is happening in an upstream provider (like Cloudflare or another proxy).
17 days ago
I would also ask you to check your CNAME records on that subdomain
I only have one, and that links to Railway ….up.railway.app
17 days ago
Are you fully proxying the CNAME on CF? (Orange Cloud)
17 days ago
If it happens again I would say to make it "DNS only" (Grey Cloud) and check if it persists
17 days ago
But yeah, really interesting and weird issue.
It’s redirecting to the malicious website again.
I’ve switched it to DNS-only, but that didn’t change anything.
I’ll leave it to DNS-only and try to login again in about an hour.
The only thing that has worked so far was redeploying the dev environment, but that fix only lasted for an unspecified time.
@calcom/embed-react ^1.5.3
@radix-ui/react-navigation-menu ^1.2.14
date-fns ^4.1.0
i18n-iso-countries ^7.14.0
react-day-picker ^9.11.1
supabase (updated from ^2.39.2) ^2.58.5
These are the npm packages I added or changed compared to the main branch.
This is the route where it gets redirected (/auth/callback):
```ts
import { createClient } from "@/lib/supabase/server";
import { NextResponse } from "next/server";
import { isAuthenticated } from "@/actions/is-authenticated";

// The client you created from the Server-Side Auth instructions
export async function GET(request: Request) {
  const { searchParams, origin } = new URL(request.url);
  const code = searchParams.get("code");
  // if "next" is in param, use it as the redirect URL
  const next = searchParams.get("next") ?? "/";

  if (code) {
    const supabase = await createClient();
    const { error } = await supabase.auth.exchangeCodeForSession(code);
    if (!error) {
      // Use the isAuthenticated function to check if user has a profile
      const extendedUser = await isAuthenticated();
      // If user has a profile (is authenticated with extended user data), redirect to dashboard
      // Otherwise, use the next parameter
      const redirectPath = extendedUser ? "/dashboard" : next;

      const forwardedHost = request.headers.get("x-forwarded-host"); // original origin before load balancer
      const isLocalEnv = process.env.NODE_ENV === "development";
      if (isLocalEnv) {
        // we can be sure that there is no load balancer in between, so no need to watch for X-Forwarded-Host
        return NextResponse.redirect(`${origin}${redirectPath}`);
      } else if (forwardedHost) {
        return NextResponse.redirect(`https://${forwardedHost}${redirectPath}`);
      } else {
        return NextResponse.redirect(`${origin}${redirectPath}`);
      }
    }
  }

  // return the user to an error page with instructions
  return NextResponse.redirect(`${origin}/auth/auth-code-error`);
}
```
https://www.reddit.com/r/CloudFlare/s/Vz0i3bUnZ9
The Supabase support team sent me this
I updated React 19.0.0 to 19.2.4 (latest), which hopefully fixes this issue.
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
I thought 19.0.0 would fix this, but it looks like that was not enough. The blog was also updated with new vulnerabilities last week.
I will give an update in about an hour to make sure this fixes it.
14 days ago
This is not related to Railway. I don't know where the origin of this is, but I'm intrigued to see the solution, so keep me updated.
It was the React version, so we can close this issue. Pretty strange, but yeah...
Status changed to Solved medim • 13 days ago