MAL-2026-10638

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/monogrok/MAL-2026-10638.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10638
Aliases
  • GHSA-548c-qh8j-h895
Published
2026-07-15T04:02:35Z
Modified
2026-07-16T23:49:26.730447531Z
Summary
Malicious code in monogrok (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3369fb16804682addfec56904223d0255c2a0ca6d35481e744221e8252f2000d)

Package publishes as a generic 'M!T' library with an unrelated Apache-license README, but the tarball contains an offensive spam / phishing / mailbox-cracking toolkit: SMTP credential brute-force and AWS SES abuse (func/smx/aws.js, func/smx/awssho.js), IMAP/POP3/EWS/MS-OAuth mailbox checkers (func/box/{imap,pop3,ewsv,msap,caut}.js), phishing redirector chain (func/rdt/*), SOCKS/HTTP proxy rotation (func/ipr/*), and bulk-mailer 'zombie' senders (func/snd/mlr/{prxml,zmbvf,zmrml}.js). On load of the main entry oibWljdTg.js, installLicenseGuard() runs and — on integrity check — POSTs os.hostname(), os.userInfo().username, process.cwd(), PID, timestamp, and a bearer token read from ~/.monotomic.token to a hardcoded author endpoint at https://api.mntmc.rip/ibW9B3RlbmF/token/security/tamper. func/box/chrm.js locates the installer's Chrome User Data directory (Windows LOCALAPPDATA\Google\Chrome, macOS ~/Library/Application Support/Google/Chrome, Linux ~/.config/google-chrome), launches puppeteer with --user-data-dir=<profile> + --profile-directory=Default, navigates to Outlook/Gmail URLs, and returns live session cookies (including httpOnly/secure). All 300+ source files are obfuscated with javascript-obfuscator (RC4/base64 rotated string arrays, control-flow flattening) to conceal the above behavior. dependencies['node-ews'] is set to github:oonlyjs/node-ews — an unpinned mutable-branch reference under the same author account, resolved at each install, allowing arbitrary transitive code injection outside npm's tarball. Installing this package places offensive mail-abuse infrastructure on the machine, exfiltrates host identifiers and a stored bearer token to an author-controlled host on load, harvests the installer's browser session cookies, and pulls a mutable third-party dependency at install time.

Source: ghsa-malware (d5c1f66e8c5e2e97b3fc1b3d8819b405e9187fc5fdd2cedc0882e018e2da56bd)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-15T04:02:35Z",
            "sha256": "3369fb16804682addfec56904223d0255c2a0ca6d35481e744221e8252f2000d",
            "versions": [
                "1.0.30"
            ],
            "import_time": "2026-07-15T04:32:07.293518896Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010615"
        },
        {
            "id": "IN-MAL-2026-010616",
            "sha256": "4bc02d4244e0bcb27af796ba375fd40ca962b33a5c29130cf991becad6c14321",
            "modified_time": "2026-07-15T04:02:45Z",
            "versions": [
                "1.0.33"
            ],
            "source": "amazon-inspector",
            "import_time": "2026-07-15T04:32:07.409885544Z"
        },
        {
            "modified_time": "2026-07-16T23:08:40Z",
            "sha256": "d5c1f66e8c5e2e97b3fc1b3d8819b405e9187fc5fdd2cedc0882e018e2da56bd",
            "import_time": "2026-07-16T23:33:43.713348124Z",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "ghsa-malware",
            "id": "GHSA-548c-qh8j-h895"
        }
    ]
}
References
Credits

Affected packages

npm / monogrok

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.0.30
1.0.33

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "tlsh": "470387c75a9ee00362ce7e63ae1998f7e42d979171c42503623876dde858d02f2e8f74",
            "sha256": "773eba8d08d9d9c2fef566ebb2a1d0e5f2f3db358f3a95a66a7d7f56ea13adef",
            "path": "utils/lgrd.js"
        },
        {
            "tlsh": "d2a2ffc266d9e80352cf8b93be05a5f5ec1aa79136c4350b93787a8d7cac503e760db1",
            "sha256": "78f0b4470d8e0a84dfab8c0e1e03f953b1cc3734f2a349623f7eb0124b2e2cee",
            "path": "oibWljdTg.js"
        },
        {
            "tlsh": "c823f0c36ed8b047658e1ba3af16a5f7e86e97d135c43803533875ad6868907f1a0db0",
            "sha256": "bee173ba2abf8f1aae242f5c990077d517aa0e32777d9a54c0bfaf8f29d9b98f",
            "path": "func/box/chrm.js"
        },
        {
            "tlsh": "94416660cd38de931ac895e8683c129775209c578e18fc0c73925b8c8f4e62f3678e6d",
            "sha256": "a88ff48df65add8149354fc6dd6a3deec5d5f6ae5ade795e4afde6f8c6bb2cf7",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/monogrok/MAL-2026-10638.json"