VDB
KO

MAL-2026-10638

Malicious code in monogrok (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3369fb16804682addfec56904223d0255c2a0ca6d35481e744221e8252f2000d) Package publishes as a generic 'M!T' library with an unrelated Apache-license README, but the tarball contains an offensive spam / phishing / mailbox-cracking toolkit: SMTP credential brute-force and AWS SES abuse (`func/smx/aws.js`, `func/smx/awssho.js`), IMAP/POP3/EWS/MS-OAuth mailbox checkers (`func/box/{imap,pop3,ewsv,msap,caut}.js`), phishing redirector chain (`func/rdt/*`), SOCKS/HTTP proxy rotation (`func/ipr/*`), and bulk-mailer 'zombie' senders (`func/snd/mlr/{prxml,zmbvf,zmrml}.js`). On load of the main entry `oibWljdTg.js`, `installLicenseGuard()` runs and — on integrity check — POSTs `os.hostname()`, `os.userInfo().username`, `process.cwd()`, PID, timestamp, and a bearer token read from `~/.monotomic.token` to a hardcoded author endpoint at `https://api.mntmc.rip/ibW9B3RlbmF/token/security/tamper`. `func/box/chrm.js` locates the installer's Chrome `User Data` directory (Windows `LOCALAPPDATA\Google\Chrome`, macOS `~/Library/Application Support/Google/Chrome`, Linux `~/.config/google-chrome`), launches puppeteer with `--user-data-dir=<profile>` + `--profile-directory=Default`, navigates to Outlook/Gmail URLs, and returns live session cookies (including httpOnly/secure). All 300+ source files are obfuscated with javascript-obfuscator (RC4/base64 rotated string arrays, control-flow flattening) to conceal the above behavior. `dependencies['node-ews']` is set to `github:oonlyjs/node-ews` — an unpinned mutable-branch reference under the same author account, resolved at each install, allowing arbitrary transitive code injection outside npm's tarball. Installing this package places offensive mail-abuse infrastructure on the machine, exfiltrates host identifiers and a stored bearer token to an author-controlled host on load, harvests the installer's browser session cookies, and pulls a mutable third-party dependency at install time.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / monogrok

No fixed version published yet for monogrok (npm). Pin to a known-safe version or switch to an alternative.

References