Malicious package: exfiltrates data via a Discord webhook on install. Collects IP address, hostname, and date without consent.
No verification record available.
The package react-markdown-canvas version 1007.0.0 contains malicious code in the scripts/after-install.js file. This script is executed automatically after installation via the postinstall script in package.json. The script retrieves the user's IP address, hostname, and current date and sends this information to a Discord webhook. This constitutes data exfiltration without the user's consent or knowledge and is a strong indicator of malicious intent. Multiple YARA rules and LLM-based analysis confirm the presence of a Discord webhook URL, IP address retrieval, data exfiltration, and automatic execution on install.