Package exhibits multiple malicious behaviors: Office doc access/encryption, DB interaction, local storage clearing, arbitrary code execution, /dev/shm ref. The code includes a native bridge that allows it to execute arbitrary SQL queries on a mobile device’s database when used within a specific mobile application context. The ecmoaxmpp.umd.js file revealed a highly suspicious pattern. The code includes a function that checks if window.mappType is not equal to 'web'. When this condition is met, it proceeds to call window.$wv.databaseHandle, a function that acts as a bridge to a native mobile application. The methods invoked through this bridge include 'execute', 'rawQuery', 'rawInsert', 'rawUpdate', and 'rawDelete', all of which indicate direct, raw access to a mobile device’s database.
-= Per source details. Do not edit below this line.=-
The package was found to contain malicious code or consuming dependency that contains malicious code
{
"malicious-packages-origins": [
{
"versions": [
"9.7.1"
],
"id": "IN-MAL-2026-008488",
"import_time": "2026-07-08T20:32:35.213396864Z",
"sha256": "278b09ddb42295dff2bd8c843131f7f3c9d4d793bb42dd797adbc9c6c825a656",
"modified_time": "2026-07-08T20:18:11Z",
"source": "amazon-inspector"
},
{
"versions": [
"9.7.2"
],
"id": "IN-MAL-2026-008837",
"import_time": "2026-07-08T22:51:26.196843688Z",
"modified_time": "2026-07-08T22:40:22Z",
"sha256": "dce264b001af9019523477894adeb53df87d97c9235ecee1c58d7defd411ce42",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "ecinc-cloud-moaxmpp-9.7.1.tgz",
"hashes": {
"sha512_sri": "sha512-rE4XCyLPGHgVhMoTsgr7al/LUr+nsAcImUJe+EwxZS1aUlXyRmdgJhGacWAsfKNtgb5KQne79ARomJpOWJMx8w==",
"sha1": "ca7372705eb2a461b90262364397f7226a439dc7"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ecinc-cloud-moaxmpp/MAL-2025-6214.json"