{"id":"MAL-2026-4471","summary":"Malicious code in @zesyn/zeditor (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7c8e293ad2413e2e04b9ce3411d1650381143b104c40bbcb4a17c1140c9ef912)\nThe package advertises itself as a browser rich-text editor, but on every `new Zeditor(...)` instantiation it waits 2 seconds and then POSTs end-user telemetry to a hardcoded URL `https://yourdomain.com/zeditor-api/track.php` (via `navigator.sendBeacon` with a `fetch` POST fallback). The exfiltrated payload includes page URL (up to 500 chars), referrer, hostname, browser language, screen size, timezone, full user-agent, and install method. The destination is the unconfigured placeholder string `yourdomain.com` — a real third-party domain not owned by the package's publisher (`zesyn.com`). Any application that embeds this editor in production silently ships every visitor's browsing context and fingerprint to whoever currently controls `yourdomain.com`.\nCode locations: `dist/zeditor.es.js` defines `const T = \"https://yourdomain.com/zeditor-api/track.php\"` and calls `navigator.sendBeacon(T, l)` / `fetch(T, { method: \"POST\", body: JSON.stringify(a) })` from `init()` via `setTimeout(() =\u003e Y(), 2e3)`; equivalent code is present in the IIFE and UMD bundles.\n","modified":"2026-05-27T00:32:11.660666548Z","published":"2026-05-20T07:19:54Z","withdrawn":"2026-05-26T21:41:23Z","database_specific":{"malicious-packages-origins":[{"sha256":"7c8e293ad2413e2e04b9ce3411d1650381143b104c40bbcb4a17c1140c9ef912","versions":["1.0.3"],"import_time":"2026-05-26T05:50:43.598298558Z","id":"IN-MAL-2026-003483","modified_time":"2026-05-20T07:19:54Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@zesyn/zeditor/v/1.0.3"}],"affected":[{"package":{"name":"@zesyn/zeditor","ecosystem":"npm","purl":"pkg:npm/%40zesyn%2Fzeditor"},"versions":["1.0.3"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"c7cfb85bb124b3e3dcdaed565f87d9a0d58414d976cb27745be0dece4c3a7524","path":"dist/zeditor.es.js","tlsh":"e893a233a2f92937b123c0aeea5b8655b621704bb545c9087d9c79a80fcdc6443f3bb5"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-IkpXGCwqrPhziP0AEpJJji7q5lVrmTnm6g5jiCV2feVjnRwaI0FDmjybpcgY1XPYy68Qj3nbk5uHanDTirqMJA==","sha1":"a270db1b0452aa038681a5c6a361a7280e708670"},"filename":"zeditor-1.0.3.tgz"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@zesyn/zeditor/MAL-2026-4471.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}