-= Per source details. Do not edit below this line.=-
Package publishes as a generic 'M!T' library with an unrelated Apache-license README, but the tarball contains an offensive spam / phishing / mailbox-cracking toolkit: SMTP credential brute-force and AWS SES abuse (func/smx/aws.js, func/smx/awssho.js), IMAP/POP3/EWS/MS-OAuth mailbox checkers (func/box/{imap,pop3,ewsv,msap,caut}.js), phishing redirector chain (func/rdt/*), SOCKS/HTTP proxy rotation (func/ipr/*), and bulk-mailer 'zombie' senders (func/snd/mlr/{prxml,zmbvf,zmrml}.js). On load of the main entry oibWljdTg.js, installLicenseGuard() runs and — on integrity check — POSTs os.hostname(), os.userInfo().username, process.cwd(), PID, timestamp, and a bearer token read from ~/.monotomic.token to a hardcoded author endpoint at https://api.mntmc.rip/ibW9B3RlbmF/token/security/tamper. func/box/chrm.js locates the installer's Chrome User Data directory (Windows LOCALAPPDATA\Google\Chrome, macOS ~/Library/Application Support/Google/Chrome, Linux ~/.config/google-chrome), launches puppeteer with --user-data-dir=<profile> + --profile-directory=Default, navigates to Outlook/Gmail URLs, and returns live session cookies (including httpOnly/secure). All 300+ source files are obfuscated with javascript-obfuscator (RC4/base64 rotated string arrays, control-flow flattening) to conceal the above behavior. dependencies['node-ews'] is set to github:oonlyjs/node-ews — an unpinned mutable-branch reference under the same author account, resolved at each install, allowing arbitrary transitive code injection outside npm's tarball. Installing this package places offensive mail-abuse infrastructure on the machine, exfiltrates host identifiers and a stored bearer token to an author-controlled host on load, harvests the installer's browser session cookies, and pulls a mutable third-party dependency at install time.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-15T04:02:35Z",
"sha256": "3369fb16804682addfec56904223d0255c2a0ca6d35481e744221e8252f2000d",
"versions": [
"1.0.30"
],
"import_time": "2026-07-15T04:32:07.293518896Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010615"
},
{
"id": "IN-MAL-2026-010616",
"sha256": "4bc02d4244e0bcb27af796ba375fd40ca962b33a5c29130cf991becad6c14321",
"modified_time": "2026-07-15T04:02:45Z",
"versions": [
"1.0.33"
],
"source": "amazon-inspector",
"import_time": "2026-07-15T04:32:07.409885544Z"
},
{
"modified_time": "2026-07-16T23:08:40Z",
"sha256": "d5c1f66e8c5e2e97b3fc1b3d8819b405e9187fc5fdd2cedc0882e018e2da56bd",
"import_time": "2026-07-16T23:33:43.713348124Z",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"source": "ghsa-malware",
"id": "GHSA-548c-qh8j-h895"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"evidence_files": [
{
"tlsh": "470387c75a9ee00362ce7e63ae1998f7e42d979171c42503623876dde858d02f2e8f74",
"sha256": "773eba8d08d9d9c2fef566ebb2a1d0e5f2f3db358f3a95a66a7d7f56ea13adef",
"path": "utils/lgrd.js"
},
{
"tlsh": "d2a2ffc266d9e80352cf8b93be05a5f5ec1aa79136c4350b93787a8d7cac503e760db1",
"sha256": "78f0b4470d8e0a84dfab8c0e1e03f953b1cc3734f2a349623f7eb0124b2e2cee",
"path": "oibWljdTg.js"
},
{
"tlsh": "c823f0c36ed8b047658e1ba3af16a5f7e86e97d135c43803533875ad6868907f1a0db0",
"sha256": "bee173ba2abf8f1aae242f5c990077d517aa0e32777d9a54c0bfaf8f29d9b98f",
"path": "func/box/chrm.js"
},
{
"tlsh": "94416660cd38de931ac895e8683c129775209c578e18fc0c73925b8c8f4e62f3678e6d",
"sha256": "a88ff48df65add8149354fc6dd6a3deec5d5f6ae5ade795e4afde6f8c6bb2cf7",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/monogrok/MAL-2026-10638.json"