MAL-2026-10444
Malicious code in markable-table (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (fd358271f202636f12507f09da4e8f00c900ba46c9dca25a5a0526d35b75bf1d) markable-table@3.1.8 declares scripts.preinstall = 'node index.d.js'. index.d.js base64-decodes an embedded payload and invokes it through an identifier reconstructed from a char-code array ([101,118,97,108] = 'eval'), hiding the 'eval' token from plain-text scanners. The decoded payload fetches JavaScript from https://everydaynodechecker-39143n.vercel.app/api/key?mem=root0 and eval()s the response body at npm install time, giving the operator of that endpoint arbitrary code execution on any machine that runs `npm install`. The remote-fetch-and-eval, the obfuscation of both the 'eval' identifier and the destination URL, the non-first-party Vercel host, and the mismatch with the package's advertised markdown-table purpose (and typosquat of the popular 'markdown-table' package) together match the install-time-RCE dropper pattern.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for markable-table (npm). Pin to a known-safe version or switch to an alternative.
References
- https://www.npmjs.com/package/markable-table/v/3.1.2 [PACKAGE]
- https://www.npmjs.com/package/markable-table/v/3.1.4 [PACKAGE]
- https://www.npmjs.com/package/markable-table/v/3.1.3 [PACKAGE]
- https://www.npmjs.com/package/markable-table/v/3.1.8 [PACKAGE]
- https://www.npmjs.com/package/markable-table/v/3.1.6 [PACKAGE]
- https://www.npmjs.com/package/markable-table/v/3.1.7 [PACKAGE]
- https://www.npmjs.com/package/markable-table/v/3.1.5 [PACKAGE]