monogrok @1.0.33
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 7:51 AM UTC
OSV ID
MAL-2026-10638
Ecosystem
npm
Summary
Package publishes as a generic 'M!T' library with an unrelated Apache-license README, but the tarball contains an offensive spam / phishing / mailbox-cracking toolkit: SMTP credential brute-force and AWS SES abuse ( func/smx/aws.js , func/smx/awssho.js ), IMAP/POP3/EWS/MS-OAuth mailbox checkers ( func/box/{imap,pop3,ewsv,msap,caut}.js ), phishing redirector chain ( func/rdt/* ), SOCKS/HTTP proxy rotation ( func/ipr/* ), and bulk-mailer 'zombie' senders ( func/snd/mlr/{prxml,zmbvf,zmrml}.js ). On load of the main entry oibWljdTg.js , installLicenseGuard() runs and — on integrity check — POSTs os.hostname() , os.userInfo().username , process.cwd() , PID, timestamp, and a bearer token read from ~/.monotomic.token to a hardcoded author endpoint at https://api.mntmc.rip/ibW9B3RlbmF/token/security/tamper . func/box/chrm.js locates the installer's Chrome User Data directory (Windows LOCALAPPDATA\Google\Chrome , macOS ~/Library/Application Support/Google/Chrome , Linux ~/.config/google-chrome ), launches puppeteer with --user-data-dir=<profile> + --profile-directory=Default , navigates to Outlook/Gmail URLs, and returns live session cookies (including httpOnly/secure). All 300+ source files are obfuscated with javascript-obfuscator (RC4/base64 rotated string arrays, control-flow flattening) to conceal the above behavior. dependencies['node-ews'] is set to github:oonlyjs/node-ews — an unpinned mutable-branch reference under the same author account, resolved at each install, allowing arbitrary transitive code injection outside npm's tarball. Installing this package places offensive mail-abuse infrastructure on the machine, exfiltrates host identifiers and a stored bearer token to an author-controlled host on load, harvests the installer's browser session cookies, and pulls a mutable third-party dependency at install time.
Source: amazon-inspector (3369fb16804682addfec56904223d0255c2a0ca6d35481e744221e8252f2000d)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.