OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10638 confirms this npm version as malicious. Package publishes as a generic 'M!T' library with an unrelated Apache-license README, but the tarball contains an offensive spam / phishing / mailbox-cracking toolkit: SMTP credential brute-force and AWS SES abuse (`func/smx/aws.js`, `func/smx/awssho.js`), IMAP/POP3/EWS/MS-OAuth mailbox checkers (`func/box/{imap,pop3,ewsv,msap,caut}.js`), phishing redirector chain (`func/rdt/*`), SOCKS/HTTP proxy rotation...
Advisory
MAL-2026-10638
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in monogrok (npm)
Details
Package publishes as a generic 'M!T' library with an unrelated Apache-license README, but the tarball contains an offensive spam / phishing / mailbox-cracking toolkit: SMTP credential brute-force and AWS SES abuse (`func/smx/aws.js`, `func/smx/awssho.js`), IMAP/POP3/EWS/MS-OAuth mailbox checkers (`func/box/{imap,pop3,ewsv,msap,caut}.js`), phishing redirector chain (`func/rdt/*`), SOCKS/HTTP proxy rotation (`func/ipr/*`), and bulk-mailer 'zombie' senders (`func/snd/mlr/{prxml,zmbvf,zmrml}.js`). On load of the main entry `oibWljdTg.js`, `installLicenseGuard()` runs and — on integrity check — POSTs `os.hostname()`, `os.userInfo().username`, `process.cwd()`, PID, timestamp, and a bearer token read from `~/.monotomic.token` to a hardcoded author endpoint at `https://api.mntmc.rip/ibW9B3RlbmF/token/security/tamper`. `func/box/chrm.js` locates the installer's Chrome `User Data` directory (Windows `LOCALAPPDATA\Google\Chrome`, macOS `~/Library/Application Support/Google/Chrome`, Linux `~/.config/google-chrome`), launches puppeteer with `--user-data-dir=<profile>` + `--profile-directory=Default`, navigates to Outlook/Gmail URLs, and returns live session cookies (including httpOnly/secure). All 300+ source files are obfuscated with javascript-obfuscator (RC4/base64 rotated string arrays, control-flow flattening) to conceal the above behavior. `dependencies['node-ews']` is set to `github:oonlyjs/node-ews` — an unpinned mutable-branch reference under the same author account, resolved at each install, allowing arbitrary transitive code injection outside npm's tarball. Installing this package places offensive mail-abuse infrastructure on the machine, exfiltrates host identifiers and a stored bearer token to an author-controlled host on load, harvests the installer's browser session cookies, and pulls a mutable third-party dependency at install time.
Decision reason
OpenSSF Malicious Packages via OSV confirms monogrok@1.0.30 as malicious (MAL-2026-10638): Malicious code in monogrok (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory