OSV Malicious Advisory
scanned 54m ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10444 confirms this npm version as malicious. markable-table@3.1.8 declares scripts.preinstall = 'node index.d.js'. index.d.js base64-decodes an embedded payload and invokes it through an identifier reconstructed from a char-code array ([101,118,97,108] = 'eval'), hiding the 'eval' token from plain-text scanners. The decoded payload fetches JavaScript from https://everydaynodechecker-39143n.vercel.app/api/key?mem=root0 and eval()s the response body at npm...
Advisory
MAL-2026-10444
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in markable-table (npm)
Details
markable-table@3.1.8 declares scripts.preinstall = 'node index.d.js'. index.d.js base64-decodes an embedded payload and invokes it through an identifier reconstructed from a char-code array ([101,118,97,108] = 'eval'), hiding the 'eval' token from plain-text scanners. The decoded payload fetches JavaScript from https://everydaynodechecker-39143n.vercel.app/api/key?mem=root0 and eval()s the response body at npm install time, giving the operator of that endpoint arbitrary code execution on any machine that runs `npm install`. The remote-fetch-and-eval, the obfuscation of both the 'eval' identifier and the destination URL, the non-first-party Vercel host, and the mismatch with the package's advertised markdown-table purpose (and typosquat of the popular 'markdown-table' package) together match the install-time-RCE dropper pattern.
Decision reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
HighEntropyStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = node index.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgindex.jsView file
122*
L123: * With [`string-width`](https://github.com/sindresorhus/string-width):
L124: *
...
L173: const b4 = '[redacted]='
L174: const text = Buffer.from(b4, "base64").toString("utf-8");
L175: let nms = [101, 118, 97, 108]
High
Base64 Obscured Url
Source decodes a Base64-obscured HTTP endpoint at runtime.
index.jsView on unpkg · L122Findings
2 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighBase64 Obscured Urlindex.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings