-= Per source details. Do not edit below this line.=-
When an end user opens a .doc file, the DocumentEditor React component exported by this package POSTs the raw file bytes to https://converter-apis.vercel.app/api/convert — a generic Vercel-hosted endpoint that is not OnlyOffice and is not disclosed in the package's README or API documentation. The README advertises a self-hosted OnlyOffice/X2T integration (X2T conversion runs locally in WASM), so integrators reasonably expect document content to stay on their own infrastructure. The .doc handling path at dist/index.cjs:565 (fetch("https://converter-apis.vercel.app/api/convert", { method: "POST", body: new Blob([arrayBuffer], { type: "application/msword" }) })) silently relays end-user document bytes to a third-party endpoint chosen by the package author, with no consent UI, no documentation, and no configuration option to disable or redirect the upload. The destination is a generic free-tier Vercel hostname rather than an OnlyOffice domain, which breaks the trust expectation set by the advertised self-hosted editor. The postinstall script that copies static assets into the host project's public/ directory, and the child_process/fetch references inside the bundled X2T WASM toolchain, are documented and purpose-matched (X2T is the OnlyOffice document conversion tool); they are not the basis for the verdict.
{
"malicious-packages-origins": [
{
"versions": [
"0.1.6"
],
"sha256": "300b0fa8657f3531b6990a1427fbf9883f27a012eb91ca6f515bda5c6695c63a",
"source": "amazon-inspector",
"modified_time": "2026-05-22T06:30:59Z",
"id": "IN-MAL-2026-004154",
"import_time": "2026-05-26T05:52:02.43010972Z"
},
{
"versions": [
"0.1.1"
],
"sha256": "4dea118c9eb477ec5d4842309ad2d353632ef1b4bd7ceceabbee936c94ea19f1",
"modified_time": "2026-05-22T03:57:37Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-004132",
"import_time": "2026-05-26T05:51:59.95788369Z"
},
{
"versions": [
"0.1.3"
],
"sha256": "7c82ee7b879d66ba2fb79ec7ad7fee47623c2c3b68c8a925510b1f42cd1e3456",
"source": "amazon-inspector",
"modified_time": "2026-05-22T06:11:58Z",
"id": "IN-MAL-2026-004140",
"import_time": "2026-05-26T05:52:00.882790959Z"
},
{
"versions": [
"0.1.8"
],
"sha256": "9b4dff3f17804b520a1421d5ecca176d481a65930e32a46c1b1da4bb21194d06",
"modified_time": "2026-05-22T08:53:55Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-004174",
"import_time": "2026-05-26T05:52:04.853595431Z"
},
{
"versions": [
"0.1.5"
],
"sha256": "b74b26220c2074eb335eba78c232af51f0eaf60f48c97056c4a47940cedd84c2",
"modified_time": "2026-05-22T06:12:08Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-004141",
"import_time": "2026-05-26T05:52:00.980238332Z"
},
{
"versions": [
"0.1.4"
],
"sha256": "e5dc5175de5b1daead3a42da4e20d7297d2de0fb4864870d8a06011ff4271d05",
"source": "amazon-inspector",
"modified_time": "2026-05-22T06:17:06Z",
"id": "IN-MAL-2026-004148",
"import_time": "2026-05-26T05:52:01.771400206Z"
}
]
}{
"package_integrity": [
{
"filename": "acc-document-editing-0.1.6.tgz",
"hashes": {
"sha512_sri": "sha512-9Pw0Pwy36wEPwwMO2ZJtgz8Z/WL14JsWXd+G+LbCnpYSHGrsNXYC4QPxTZMnqF5UuArtzTZkzISNgDxeGhMeRg==",
"sha1": "50a23de4337b743570d3724ba104e6485ac8a952"
}
}
],
"evidence_files": [
{
"sha256": "85770fdf802e36eb2ea61cfa774cbe37c6b1cb259e581050aab63ff036f778ef",
"path": "dist/index.js",
"tlsh": "4cb3eff60716bce54e3a2c40a50938441de93c1f6768c5acfe8c41e1bbd6552ef6acb8"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/acc-document-editing/MAL-2026-4474.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]