The package exhibits multiple malicious behaviors: Office document access/encryption, database interaction, local storage clearing, arbitrary code execution, and a /dev/shm reference. The code includes a native bridge that allows it to execute arbitrary SQL queries on a mobile device's database when used within a specific mobile application context.

The ecmoaxmpp.umd.js file revealed a highly suspicious pattern: a function that checks whether window.mappType is not equal to 'web'. When this condition is met, it calls window.$wv.databaseHandle, a function that acts as a bridge to a native mobile application. The methods invoked through this bridge include 'execute', 'rawQuery', 'rawInsert', 'rawUpdate', and 'rawDelete', all of which indicate direct, raw access to the mobile device's database.