OSV Malicious Advisory
scanned 53m ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10444 confirms this npm version as malicious. markable-table@3.1.8 declares scripts.preinstall = 'node index.d.js'. index.d.js base64-decodes an embedded payload and invokes it through an identifier reconstructed from a char-code array ([101,118,97,108] = 'eval'), hiding the 'eval' token from plain-text scanners. The decoded payload fetches JavaScript from https://everydaynodechecker-39143n.vercel.app/api/key?mem=root0 and eval()s the response body at npm...
Advisory
MAL-2026-10444
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in markable-table (npm)
Details
markable-table@3.1.8 declares scripts.preinstall = 'node index.d.js'. index.d.js base64-decodes an embedded payload and invokes it through an identifier reconstructed from a char-code array ([101,118,97,108] = 'eval'), hiding the 'eval' token from plain-text scanners. The decoded payload fetches JavaScript from https://everydaynodechecker-39143n.vercel.app/api/key?mem=root0 and eval()s the response body at npm install time, giving the operator of that endpoint arbitrary code execution on any machine that runs `npm install`. The remote-fetch-and-eval, the obfuscation of both the 'eval' identifier and the destination URL, the non-first-party Vercel host, and the mismatch with the package's advertised markdown-table purpose (and typosquat of the popular 'markdown-table' package) together match the install-time-RCE dropper pattern.
Decision reason
OpenSSF Malicious Packages via OSV confirms markable-table@3.1.2 as malicious (MAL-2026-10444): Malicious code in markable-table (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory