MAL-2026-1040

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-markdown-canvas/MAL-2026-1040.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-1040

Published

2026-02-23T22:01:02Z

Modified

2026-03-04T00:34:07.051713Z

Summary

Malicious code in react-markdown-canvas (npm)

Details

Malicious package due to data exfiltration via Discord webhook on install. Collects IP, hostname, and date without consent.

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4123db6526d8c37f99fa33e2524edc97922efef6b1605dc0a8acdbf41e76cc77)

The package react-markdown-canvas was found to contain malicious code.

Source: ossf-package-analysis (833c2865c0a6f984f9af493aa02b5ec03e8a63f037c298a46ae54bb1d88d3a1a)

The OpenSSF Package Analysis project identified 'react-markdown-canvas' @ 1001.0.0 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-02-23T22:01:02Z",
            "versions": [
                "1001.0.0"
            ],
            "sha256": "833c2865c0a6f984f9af493aa02b5ec03e8a63f037c298a46ae54bb1d88d3a1a",
            "source": "ossf-package-analysis",
            "import_time": "2026-02-26T01:37:59.158937835Z"
        },
        {
            "modified_time": "2026-02-23T22:11:01Z",
            "versions": [
                "1005.0.0"
            ],
            "sha256": "eebf5582865e2a81a8d7e00e967725e011a5317109ff891b5b281df547349c63",
            "source": "ossf-package-analysis",
            "import_time": "2026-02-26T01:37:59.331038983Z"
        },
        {
            "modified_time": "2026-03-01T20:25:57Z",
            "versions": [
                "1001.0.0",
                "1005.0.0"
            ],
            "sha256": "4123db6526d8c37f99fa33e2524edc97922efef6b1605dc0a8acdbf41e76cc77",
            "source": "amazon-inspector",
            "import_time": "2026-03-01T20:41:57.339201726Z"
        }
    ]
}

References

https://app.safedep.io/community/malysis/01KJ69FH2YT5GPF37JYK3T87DN

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com
- OpenSSF: Package Analysis - FINDER
- - https://github.com/ossf/package-analysis
  - https://openssf.slack.com/channels/package_analysis
- SafeDep - FINDER
- - https://safedep.io

Affected packages

npm / react-markdown-canvas

Package

Name: react-markdown-canvas; View open source insights on deps.dev
Purl: pkg:npm/react-markdown-canvas

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1001.*

1001.0.0

1005.*

1005.0.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-markdown-canvas/MAL-2026-1040.json"