-= Per source details. Do not edit below this line.=-
Package publishes as a generic 'M!T' library with an unrelated Apache-license README, but the tarball contains an offensive spam / phishing / mailbox-cracking toolkit: SMTP credential brute-force and AWS SES abuse (func/smx/aws.js, func/smx/awssho.js), IMAP/POP3/EWS/MS-OAuth mailbox checkers (func/box/{imap,pop3,ewsv,msap,caut}.js), phishing redirector chain (func/rdt/*), SOCKS/HTTP proxy rotation (func/ipr/*), and bulk-mailer 'zombie' senders (func/snd/mlr/{prxml,zmbvf,zmrml}.js). On load of the main entry oibWljdTg.js, installLicenseGuard() runs and — on integrity check — POSTs os.hostname(), os.userInfo().username, process.cwd(), PID, timestamp, and a bearer token read from ~/.monotomic.token to a hardcoded author endpoint at https://api.mntmc.rip/ibW9B3RlbmF/token/security/tamper. func/box/chrm.js locates the installer's Chrome User Data directory (Windows LOCALAPPDATA\Google\Chrome, macOS ~/Library/Application Support/Google/Chrome, Linux ~/.config/google-chrome), launches puppeteer with --user-data-dir=<profile> + --profile-directory=Default, navigates to Outlook/Gmail URLs, and returns live session cookies (including httpOnly/secure). All 300+ source files are obfuscated with javascript-obfuscator (RC4/base64 rotated string arrays, control-flow flattening) to conceal the above behavior. dependencies['node-ews'] is set to github:oonlyjs/node-ews — an unpinned mutable-branch reference under the same author account, resolved at each install, allowing arbitrary transitive code injection outside npm's tarball. Installing this package places offensive mail-abuse infrastructure on the machine, exfiltrates host identifiers and a stored bearer token to an author-controlled host on load, harvests the installer's browser session cookies, and pulls a mutable third-party dependency at install time.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010615",
"import_time": "2026-07-15T04:32:07.293518896Z",
"sha256": "3369fb16804682addfec56904223d0255c2a0ca6d35481e744221e8252f2000d",
"versions": [
"1.0.30"
],
"modified_time": "2026-07-15T04:02:35Z"
},
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010616",
"import_time": "2026-07-15T04:32:07.409885544Z",
"sha256": "4bc02d4244e0bcb27af796ba375fd40ca962b33a5c29130cf991becad6c14321",
"versions": [
"1.0.33"
],
"modified_time": "2026-07-15T04:02:45Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/monogrok/MAL-2026-10638.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"evidence_files": [
{
"path": "utils/lgrd.js",
"sha256": "773eba8d08d9d9c2fef566ebb2a1d0e5f2f3db358f3a95a66a7d7f56ea13adef",
"tlsh": "470387c75a9ee00362ce7e63ae1998f7e42d979171c42503623876dde858d02f2e8f74"
},
{
"path": "oibWljdTg.js",
"sha256": "78f0b4470d8e0a84dfab8c0e1e03f953b1cc3734f2a349623f7eb0124b2e2cee",
"tlsh": "d2a2ffc266d9e80352cf8b93be05a5f5ec1aa79136c4350b93787a8d7cac503e760db1"
},
{
"path": "func/box/chrm.js",
"sha256": "bee173ba2abf8f1aae242f5c990077d517aa0e32777d9a54c0bfaf8f29d9b98f",
"tlsh": "c823f0c36ed8b047658e1ba3af16a5f7e86e97d135c43803533875ad6868907f1a0db0"
},
{
"path": "package.json",
"sha256": "a88ff48df65add8149354fc6dd6a3deec5d5f6ae5ade795e4afde6f8c6bb2cf7",
"tlsh": "94416660cd38de931ac895e8683c129775209c578e18fc0c73925b8c8f4e62f3678e6d"
}
]
}