I ran Fiddler to profile Mark Text, and the program phones home... and more....
It exports a few basic things [such as your public IP address](https://i.imgur.com/UxyHkbA.png), and then a bunch of encrypted data (cannot decipher). ...then it downloads a packaged Chrome extension app (CR24 format). ...when unzipping that file, you can see [a base64 encoded payload](https://i.imgur.com/5rKwjW0.png) - which expands [to this](https://i.imgur.com/jMbd8st.png), and then an [unencrypted list of websites](https://i.imgur.com/H0twSDk.png), which is very clearly malicious.
To be clear, I downloaded this [directly from Github](https://github.com/marktext/marktext).
Unfortunately, my skills are limited and I cannot find references to the initial malicious URL in the code - though I did discover that you can [search Github code like this...](https://github.com/search?q=in%3Afile+gvt1+repo%3Amarktext%2Fmarktext)
Credit to /u/Phily83 for first [seeing the network activity](https://ibb.co/zbHxbBv).
EDIT: After decompressing http://r4---sn-8xgp1vo-xfgs.gvt1.com/edgedl/release2/chrome_... (linked in the Github issue) and looking at the manifest.json, this is an extension called "Crowd Deny." Reading https://forum.vivaldi.net/topic/43831/crowd-deny-what-is-it/..., it seems to be used as a blacklist to stop push notification spam.
This link/bug report might also be pertinent:
https://bugs.chromium.org/p/chromium/issues/detail?id=755068...