My thought exactly. Is this standard practice with using Supabase to simply expose the production database endpoint to the world with only RLS to protect you?
This is a pretty amazing exploit by the attackers. Either they had access to the pagers during shipment and installed malware or had access to RCE on the devices.