MAL-2025-6214

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ecinc-cloud-moaxmpp/MAL-2025-6214.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-6214
Published
2025-07-15T09:15:00Z
Modified
2026-07-08T23:01:49.042384432Z
Summary
Malicious code in ecinc-cloud-moaxmpp (npm)
Details

Package exhibits multiple malicious behaviors: Office doc access/encryption, DB interaction, local storage clearing, arbitrary code execution, /dev/shm ref. The code includes a native bridge that allows it to execute arbitrary SQL queries on a mobile device’s database when used within a specific mobile application context. The ecmoaxmpp.umd.js file revealed a highly suspicious pattern. The code includes a function that checks if window.mappType is not equal to 'web'. When this condition is met, it proceeds to call window.$wv.databaseHandle, a function that acts as a bridge to a native mobile application. The methods invoked through this bridge include 'execute', 'rawQuery', 'rawInsert', 'rawUpdate', and 'rawDelete', all of which indicate direct, raw access to a mobile device’s database.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (278b09ddb42295dff2bd8c843131f7f3c9d4d793bb42dd797adbc9c6c825a656)

The package was found to contain malicious code or consuming dependency that contains malicious code

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "9.7.1"
            ],
            "id": "IN-MAL-2026-008488",
            "import_time": "2026-07-08T20:32:35.213396864Z",
            "sha256": "278b09ddb42295dff2bd8c843131f7f3c9d4d793bb42dd797adbc9c6c825a656",
            "modified_time": "2026-07-08T20:18:11Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "9.7.2"
            ],
            "id": "IN-MAL-2026-008837",
            "import_time": "2026-07-08T22:51:26.196843688Z",
            "modified_time": "2026-07-08T22:40:22Z",
            "sha256": "dce264b001af9019523477894adeb53df87d97c9235ecee1c58d7defd411ce42",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / ecinc-cloud-moaxmpp

Package

Name
ecinc-cloud-moaxmpp
View open source insights on deps.dev
Purl
pkg:npm/ecinc-cloud-moaxmpp

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*
9.7.1
9.7.2

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "ecinc-cloud-moaxmpp-9.7.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-rE4XCyLPGHgVhMoTsgr7al/LUr+nsAcImUJe+EwxZS1aUlXyRmdgJhGacWAsfKNtgb5KQne79ARomJpOWJMx8w==",
                "sha1": "ca7372705eb2a461b90262364397f7226a439dc7"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ecinc-cloud-moaxmpp/MAL-2025-6214.json"