react-dynamic-table-compenent @1.2.7
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 9:50 PM UTC
OSV ID
MAL-2026-6533
Ecosystem
npm
Summary
Package name misspells 'component' as 'compenent', a one-letter typosquat of react-dynamic-table-component. The package's postinstall script runs node dist/setup.js , which fetches https://everydaynodechecker-39143n.vercel.app/api/key?mem=master and passes the response body directly to eval(), inside a function misleadingly named initDatabase. The fetched content is attacker-controlled and mutable, so any default npm install of this package executes whatever code the endpoint currently serves on the installer's machine. The cover-story naming (initDatabase, key?mem=master) presents the request as benign configuration while it is a remote code loader.
Source: amazon-inspector (c55ead8b66faca1e08b2babafa252da2371b535c010a5c14d8b0d0e2a44aadf8)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.