I was invited to submit a proposal for a project yesterday and the client contacted me shortly after that. Initially everything went well, a contract was created and I was requested to review the codebase on the client's Github repository. 

This is where things started to look strange - the code in the repository had nothing to do with what we discussed previously. It contained files encoded in base64 without any obvious reason. The client kept insisting that I need to "setup the project on my computer"

When I asked the client about the strange code they told me that a friend gave them the code. 

Finally I decided to give it a try and ran did the setup process (in a virtual machine). Unsurprisingly the "code" tried to collect data from the system, mainly browser log files, cookies, possibly passwords and send them to a server somewhere.

I have been working here for years now and I never reported anyone but I think this time I should do it.

So I wanted to ask if I need to submit a support ticket for this or simply posting here will be sufficient?