registry  /  markable-table  /  3.1.4

markable-table@3.1.4

Generate a markdown (GFM) table

OSV Malicious Advisory

scanned 54m ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10444 confirms this npm version as malicious. markable-table@3.1.8 declares scripts.preinstall = 'node index.d.js'. index.d.js base64-decodes an embedded payload and invokes it through an identifier reconstructed from a char-code array ([101,118,97,108] = 'eval'), hiding the 'eval' token from plain-text scanners. The decoded payload fetches JavaScript from https://everydaynodechecker-39143n.vercel.app/api/key?mem=root0 and eval()s the response body at npm...

Advisory
MAL-2026-10444
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in markable-table (npm)
Details
markable-table@3.1.8 declares scripts.preinstall = 'node index.d.js'. index.d.js base64-decodes an embedded payload and invokes it through an identifier reconstructed from a char-code array ([101,118,97,108] = 'eval'), hiding the 'eval' token from plain-text scanners. The decoded payload fetches JavaScript from https://everydaynodechecker-39143n.vercel.app/api/key?mem=root0 and eval()s the response body at npm install time, giving the operator of that endpoint arbitrary code execution on any machine that runs `npm install`. The remote-fetch-and-eval, the obfuscation of both the 'eval' identifier and the destination URL, the non-first-party Vercel host, and the mismatch with the package's advertised markdown-table purpose (and typosquat of the popular 'markdown-table' package) together match the install-time-RCE dropper pattern.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 10.5 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.preinstall = node index.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
122* L123: * With [`string-width`](https://github.com/sindresorhus/string-width): L124: * ... L173: const b4 = '[redacted]=' L174: const text = Buffer.from(b4, "base64").toString("utf-8"); L175: let nms = [101, 118, 97, 108]
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

index.jsView on unpkg · L122

Findings

2 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighBase64 Obscured Urlindex.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings