npm

markable-table @3.1.8

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10444

Ecosystem

npm

Summary

markable-table@3.1.8 declares scripts.preinstall = 'node index.d.js'. index.d.js base64-decodes an embedded payload and invokes it through an identifier reconstructed from a char-code array ([101,118,97,108] = 'eval'), hiding the 'eval' token from plain-text scanners. The decoded payload fetches JavaScript from https://everydaynodechecker-39143n.vercel.app/api/key?mem=root0 and eval()s the response body at npm install time, giving the operator of that endpoint arbitrary code execution on any machine that runs npm install . The remote-fetch-and-eval, the obfuscation of both the 'eval' identifier and the destination URL, the non-first-party Vercel host, and the mismatch with the package's advertised markdown-table purpose (and typosquat of the popular 'markdown-table' package) together match the install-time-RCE dropper pattern.

Source: amazon-inspector (fd358271f202636f12507f09da4e8f00c900ba46c9dca25a5a0526d35b75bf1d)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.