SafeDep

Summary

Note: This report is updated by a verification record

Malicious package due to data exfiltration via Discord webhook on install. Collects IP, hostname, and date without consent.

Verification Record

The package is marked as malware by OSV: MAL-2026-1040 with source: ossf-package-analysis

Details

The package react-markdown-canvas version 1007.0.0 contains malicious code in the scripts/after-install.js file. This script is executed automatically after installation via the postinstall script in package.json. The script retrieves the user's IP address, hostname, and current date and sends this information to a Discord webhook. This constitutes data exfiltration without the user's consent or knowledge and is a strong indicator of malicious intent. Multiple YARA rules and LLM-based analysis confirm the presence of a Discord webhook URL, IP address retrieval, data exfiltration, and automatic execution on install.

Package: react-markdown-canvas@1007.0.0
Verdict: Malicious (Verified)
Analysed at: 2/23/26, 10:21 PM
Source: https://registry.npmjs.org/react-markdown-canvas/-/react-markdown-canvas-1007.0.0.tgz
SHA256: ea2ae62d5b9e2be05184305f81bc000a18f102e222fa0ceabde3bfba9eeb2055
Confidence: High