VYPR
Vypr IntelligenceAI-generatedJul 13, 2026

npm: 12 Malicious Packages, Including 'markable-table' Typosquats, Disclosed in 23-Minute Drop

On July 13, 2026, 12 malicious packages were disclosed on npm within a 23-minute window, featuring several typosquats targeting 'markable-table' related functionality and a high-download package `@oliviamcdaniel12/safer-buffer`.

Key findings

  • 12 malicious npm packages were disclosed on July 13, 2026.
  • All advisories were published within a tight 23-minute window.
  • A cluster of packages impersonated 'markable-table' functionality, published and disclosed on the same day.
  • @oliviamcdaniel12/safer-buffer accumulated 801k weekly downloads in just four days.
  • Specific behavioral findings or severity excerpts were not provided for these packages.

On July 13, 2026, 12 malicious packages were disclosed on the npm registry within a tight 23-minute window, indicating a coordinated takedown effort. All advisories were published between 13:59 UTC and 14:22 UTC, revealing a mix of newly published typosquats and potentially compromised packages. A notable cluster of these packages appears to target 'markable-table' related functionality, while one package, @oliviamcdaniel12/safer-buffer, stood out with a significant 801k weekly downloads despite being first published just four days prior on July 10, 2026. Several other packages, including gifuct, markdown-editable-table, react-markable-table, remarkable-table, markable-table, and home-sections-web-ui, were all first published on the same day as their disclosure, suggesting they were fresh malicious implants designed for rapid deployment.

While no single overarching naming pattern was explicitly identified across the entire burst, a clear family of packages emerged, seemingly designed to impersonate or typosquat around 'markable-table' functionality. This includes markdown-editable-table (affected versions 2.4.3, 2.4.4, 2.4.2), react-markable-table (version 2.4.10), remarkable-table (version 2.4.11), and markable-table (multiple versions like 3.1.2 through 3.1.8). The rapid publication and subsequent disclosure of these similarly named packages within hours of their initial release strongly suggest a coordinated attempt to leverage common development patterns or exploit typos related to table rendering libraries. Other packages in this burst, such as router-processor, font-hub, @sqlite-group/schema-generator, auth-gen-next, and node-procmetrics, appear to be more ad-hoc, potentially representing a broader, less targeted malicious effort or individual typosquatting attempts that landed in the same takedown window.

Specific behavioral findings or severity excerpts from OpenSSF Package Analysis or GHSA advisories were not provided for this particular burst. However, malicious packages commonly engage in a range of harmful activities. These typically include credential harvesting, where sensitive user data, API keys, or environment variables are exfiltrated; installing backdoors for persistent access; establishing command-and-control (C2) communication with external servers; or injecting malicious code into build processes. The absence of detailed behavioral reports means the exact nature of the threat posed by these specific packages remains unconfirmed, but the general risks associated with such compromises are severe.

Given the nature of malicious package disclosures, any installation of the affected versions should be treated as a full system compromise. Developers and organizations who may have inadvertently installed any of these packages should consider their development environments or deployed systems to be compromised. This necessitates immediate and thorough remediation steps, including a complete rotation of all sensitive credentials, API keys, and tokens. This critical step should ideally be performed from a separate, trusted machine to prevent further compromise. Additionally, a comprehensive audit for any unauthorized system modifications, persistent access mechanisms, or data exfiltration attempts is strongly recommended.

To mitigate potential risks, developers are strongly advised to immediately audit their project's dependency lock files, such as package-lock.json or yarn.lock, for the presence of any of the disclosed malicious packages. If any of these packages are found, they should be promptly removed, and all associated credentials, including npm tokens, API keys, and any other sensitive information, should be rotated. Organizations should also review their npm token logs for any suspicious publish activity that might indicate a compromised maintainer account or automated malicious uploads. The full list of disclosed packages in this burst includes:

router-processor font-hub @sqlite-group/schema-generator gifuct auth-gen-next markdown-editable-table @oliviamcdaniel12/safer-buffer react-markable-table remarkable-table markable-table home-sections-web-ui node-procmetrics

This coordinated disclosure on npm underscores the persistent and evolving threat landscape within software supply chains. The combination of newly introduced typosquats, some with rapid download accumulation, and a targeted family of impersonation packages highlights the varied and agile tactics employed by attackers. Maintaining robust dependency hygiene, exercising caution with new or unfamiliar packages, and staying informed about security advisories are paramount for developers and organizations striving to protect their software projects from such compromises.

AI-written article. Grounded in 0 CVE records listed below.