MAL-2026-10638

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/monogrok/MAL-2026-10638.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10638
Published
2026-07-15T04:02:35Z
Modified
2026-07-15T05:20:04.014041604Z
Summary
Malicious code in monogrok (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3369fb16804682addfec56904223d0255c2a0ca6d35481e744221e8252f2000d)

Package publishes as a generic 'M!T' library with an unrelated Apache-license README, but the tarball contains an offensive spam / phishing / mailbox-cracking toolkit: SMTP credential brute-force and AWS SES abuse (func/smx/aws.js, func/smx/awssho.js), IMAP/POP3/EWS/MS-OAuth mailbox checkers (func/box/{imap,pop3,ewsv,msap,caut}.js), phishing redirector chain (func/rdt/*), SOCKS/HTTP proxy rotation (func/ipr/*), and bulk-mailer 'zombie' senders (func/snd/mlr/{prxml,zmbvf,zmrml}.js). On load of the main entry oibWljdTg.js, installLicenseGuard() runs and — on integrity check — POSTs os.hostname(), os.userInfo().username, process.cwd(), PID, timestamp, and a bearer token read from ~/.monotomic.token to a hardcoded author endpoint at https://api.mntmc.rip/ibW9B3RlbmF/token/security/tamper. func/box/chrm.js locates the installer's Chrome User Data directory (Windows LOCALAPPDATA\Google\Chrome, macOS ~/Library/Application Support/Google/Chrome, Linux ~/.config/google-chrome), launches puppeteer with --user-data-dir=<profile> + --profile-directory=Default, navigates to Outlook/Gmail URLs, and returns live session cookies (including httpOnly/secure). All 300+ source files are obfuscated with javascript-obfuscator (RC4/base64 rotated string arrays, control-flow flattening) to conceal the above behavior. dependencies['node-ews'] is set to github:oonlyjs/node-ews — an unpinned mutable-branch reference under the same author account, resolved at each install, allowing arbitrary transitive code injection outside npm's tarball. Installing this package places offensive mail-abuse infrastructure on the machine, exfiltrates host identifiers and a stored bearer token to an author-controlled host on load, harvests the installer's browser session cookies, and pulls a mutable third-party dependency at install time.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010615",
            "import_time": "2026-07-15T04:32:07.293518896Z",
            "sha256": "3369fb16804682addfec56904223d0255c2a0ca6d35481e744221e8252f2000d",
            "versions": [
                "1.0.30"
            ],
            "modified_time": "2026-07-15T04:02:35Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010616",
            "import_time": "2026-07-15T04:32:07.409885544Z",
            "sha256": "4bc02d4244e0bcb27af796ba375fd40ca962b33a5c29130cf991becad6c14321",
            "versions": [
                "1.0.33"
            ],
            "modified_time": "2026-07-15T04:02:45Z"
        }
    ]
}
References
Credits

Affected packages

npm / monogrok

Package

Affected ranges

Affected versions

1.*
1.0.30
1.0.33

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/monogrok/MAL-2026-10638.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "utils/lgrd.js",
            "sha256": "773eba8d08d9d9c2fef566ebb2a1d0e5f2f3db358f3a95a66a7d7f56ea13adef",
            "tlsh": "470387c75a9ee00362ce7e63ae1998f7e42d979171c42503623876dde858d02f2e8f74"
        },
        {
            "path": "oibWljdTg.js",
            "sha256": "78f0b4470d8e0a84dfab8c0e1e03f953b1cc3734f2a349623f7eb0124b2e2cee",
            "tlsh": "d2a2ffc266d9e80352cf8b93be05a5f5ec1aa79136c4350b93787a8d7cac503e760db1"
        },
        {
            "path": "func/box/chrm.js",
            "sha256": "bee173ba2abf8f1aae242f5c990077d517aa0e32777d9a54c0bfaf8f29d9b98f",
            "tlsh": "c823f0c36ed8b047658e1ba3af16a5f7e86e97d135c43803533875ad6868907f1a0db0"
        },
        {
            "path": "package.json",
            "sha256": "a88ff48df65add8149354fc6dd6a3deec5d5f6ae5ade795e4afde6f8c6bb2cf7",
            "tlsh": "94416660cd38de931ac895e8683c129775209c578e18fc0c73925b8c8f4e62f3678e6d"
        }
    ]
}