VDB
KO

MAL-2026-10444

Malicious code in markable-table (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fd358271f202636f12507f09da4e8f00c900ba46c9dca25a5a0526d35b75bf1d) markable-table@3.1.8 declares scripts.preinstall = 'node index.d.js'. index.d.js base64-decodes an embedded payload and invokes it through an identifier reconstructed from a char-code array ([101,118,97,108] = 'eval'), hiding the 'eval' token from plain-text scanners. The decoded payload fetches JavaScript from https://everydaynodechecker-39143n.vercel.app/api/key?mem=root0 and eval()s the response body at npm install time, giving the operator of that endpoint arbitrary code execution on any machine that runs `npm install`. The remote-fetch-and-eval, the obfuscation of both the 'eval' identifier and the destination URL, the non-first-party Vercel host, and the mismatch with the package's advertised markdown-table purpose (and typosquat of the popular 'markdown-table' package) together match the install-time-RCE dropper pattern.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / markable-table

No fixed version published yet for markable-table (npm). Pin to a known-safe version or switch to an alternative.

References