—

MAL-2026-6533

Malicious code in react-dynamic-table-compenent (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c55ead8b66faca1e08b2babafa252da2371b535c010a5c14d8b0d0e2a44aadf8) Package name misspells 'component' as 'compenent', a one-letter typosquat of react-dynamic-table-component. The package's postinstall script runs `node dist/setup.js`, which fetches https://everydaynodechecker-39143n.vercel.app/api/key?mem=master and passes the response body directly to eval(), inside a function misleadingly named initDatabase. The fetched content is attacker-controlled and mutable, so any default `npm install` of this package executes whatever code the endpoint currently serves on the installer's machine. The cover-story naming (initDatabase, key?mem=master) presents the request as benign configuration while it is a remote code loader.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / react-dynamic-table-compenent

No fixed version published yet for react-dynamic-table-compenent (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/react-dynamic-table-compenent/v/1.2.7 [PACKAGE]