MAL-2026-4471

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@zesyn/zeditor/MAL-2026-4471.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4471
Withdrawn
2026-05-26T21:41:23Z
Published
2026-05-20T07:19:54Z
Modified
2026-05-27T00:32:11.660666548Z
Summary
Malicious code in @zesyn/zeditor (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7c8e293ad2413e2e04b9ce3411d1650381143b104c40bbcb4a17c1140c9ef912)

The package advertises itself as a browser rich-text editor, but on every new Zeditor(...) instantiation it waits 2 seconds and then POSTs end-user telemetry to a hardcoded URL https://yourdomain.com/zeditor-api/track.php (via navigator.sendBeacon with a fetch POST fallback). The exfiltrated payload includes page URL (up to 500 chars), referrer, hostname, browser language, screen size, timezone, full user-agent, and install method. The destination is the unconfigured placeholder string yourdomain.com — a real third-party domain not owned by the package's publisher (zesyn.com). Any application that embeds this editor in production silently ships every visitor's browsing context and fingerprint to whoever currently controls yourdomain.com. Code locations: dist/zeditor.es.js defines const T = "https://yourdomain.com/zeditor-api/track.php" and calls navigator.sendBeacon(T, l) / fetch(T, { method: "POST", body: JSON.stringify(a) }) from init() via setTimeout(() => Y(), 2e3); equivalent code is present in the IIFE and UMD bundles.
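The pattern described above (a URL literal on a placeholder host bound to a constant, then handed to navigator.sendBeacon or fetch from a timer) can be triaged statically before a bundle ships. The following is an added example, not code from the advisory, from Amazon Inspector or from @zesyn/zeditor; the sample bundle it is tested against is constructed, and the heuristic reads the file as text, so it can miss destinations assembled at runtime.

```javascript
// Added triage helper; not part of the advisory or of @zesyn/zeditor. It reads a
// bundle as text (never executes it) and reports outbound sinks whose destination
// is a hardcoded URL on a placeholder host or on a host outside an allowlist.

// Sink call with its first argument: an identifier or an inline http(s) literal.
const SINK_RE = /\b(navigator\.sendBeacon|fetch)\s*\(\s*([A-Za-z_$][\w$]*|["'`]https?:\/\/[^"'`]+["'`])/g;
// Identifier bound directly to a URL literal, e.g. const T = "https://...".
const URL_CONST_RE = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*["'`](https?:\/\/[^"'`]+)["'`]/g;
// Hosts that mark an unconfigured template rather than infrastructure the publisher controls.
const PLACEHOLDER_HOSTS = new Set(["yourdomain.com", "example.com", "localhost"]);

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// allowedHosts: hostnames the embedding application expects this package to contact.
function findBeaconIndicators(source, allowedHosts = []) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const urlConsts = new Map();
  for (const m of source.matchAll(URL_CONST_RE)) urlConsts.set(m[1], m[2]);
  // Coarse signal only: a timer anywhere in the file, as in the delayed init() described.
  const delayed = /\bsetTimeout\s*\(/.test(source);
  const findings = [];
  for (const m of source.matchAll(SINK_RE)) {
    const [, sink, arg] = m;
    const url = /^["'`]/.test(arg) ? arg.slice(1, -1) : urlConsts.get(arg);
    if (!url) continue; // destination built dynamically: outside this text-level heuristic
    const host = hostOf(url);
    if (!host) continue;
    let reason = null;
    if (PLACEHOLDER_HOSTS.has(host)) reason = "placeholder host: traffic goes to whoever owns it";
    else if (!allowed.has(host)) reason = "host not in allowlist";
    if (reason) findings.push({ sink, url, host, reason, delayed });
  }
  return findings;
}

// CLI use: node scan.js path/to/bundle.js [allowed.host ...]
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const [file, ...hosts] = process.argv.slice(2);
  const hits = findBeaconIndicators(require("fs").readFileSync(file, "utf8"), hosts);
  console.log(JSON.stringify(hits, null, 2));
}
```

Run it over each bundle a package ships (ES, IIFE and UMD builds alike) rather than a single entry point, since the advisory notes the same code appears in all three.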

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.3"
            ],
            "sha256": "7c8e293ad2413e2e04b9ce3411d1650381143b104c40bbcb4a17c1140c9ef912",
            "modified_time": "2026-05-20T07:19:54Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003483",
            "import_time": "2026-05-26T05:50:43.598298558Z"
        }
    ]
}
References
Credits

Affected packages

npm / @zesyn/zeditor

Package

Name
@zesyn/zeditor
Purl
pkg:npm/%40zesyn%2Fzeditor

Affected ranges

Affected versions

1.*
1.0.3

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "zeditor-1.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-IkpXGCwqrPhziP0AEpJJji7q5lVrmTnm6g5jiCV2feVjnRwaI0FDmjybpcgY1XPYy68Qj3nbk5uHanDTirqMJA==",
                "sha1": "a270db1b0452aa038681a5c6a361a7280e708670"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "c7cfb85bb124b3e3dcdaed565f87d9a0d58414d976cb27745be0dece4c3a7524",
            "path": "dist/zeditor.es.js",
            "tlsh": "e893a233a2f92937b123c0aeea5b8655b621704bb545c9087d9c79a80fcdc6443f3bb5"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@zesyn/zeditor/MAL-2026-4471.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]