The answer is the same as on How to remove functions _fopen, _sscanf in ios ionic framework - #2 by julio-ionic
Your security testers are not analyzing your app’s code; they are using a security scanner that gets false positives coming from system frameworks (created by Apple) that most apps use.
Neither Cordova nor Capacitor uses _malloc anywhere.