npm · Malicious package advisory
Malwareclob.api
MAL-2026-4349
Malicious code in clob.api (npm)
Details
A campaign of npm packages sharing a common dropper (`clob.js`) that downloads and persistently installs a Windows executable from IPFS on `postinstall`. The dropper fetches the binary from IPFS CID `bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa` via multiple public gateways (Pinata, Cloudflare, ipfs.io), drops it to `%LOCALAPPDATA%`, registers Windows Registry persistence under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` using a hidden VBScript wrapper (window style 0, no taskbar entry), launches the payload immediately, and reports the victim's public IP address to a hardcoded C2 server via HTTP POST. macOS and Linux stubs are present but not yet configured. Developer artifacts bundled in `config/meta_data.json` leak the attacker's build path: `E:\getting IP and check list\clob-downloader\`.
`clob.api` bundles `clob2.0.exe` (≈4 MB) directly in the package tarball and also attempts to fetch an identical copy from IPFS at install time. Its `postinstall` script runs `clob.js`, which drops the executable to `%LOCALAPPDATA%\clob2.0.exe`. The C2 beacon transmits the victim's public IP to `http://45.8.22.112:2026/api/urls`.
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2788e534ad4bce2154871c16cb6a6f35eed923f96bae6ca4bf041e197c30ed8a)
On install, package.json's postinstall hook runs node clob.js, which (1) downloads clob2.0.exe (Windows) or clob (macOS/Linux) from IPFS gateways including violet-tricky-quelea-562.mypinata.cloud, cloudflare-ipfs.com, ipfs.io, and gateway.pinata.cloud, falling back to a 4 MB clob2.0.exe PE binary bundled directly in the tarball; (2) writes the binary to %LOCALAPPDATA% / ~/.local/bin and launches it hidden via a generated VBS launcher invoked through wscript.exe //nologo with windowsHide:true; (3) installs autorun across all three operating systems — HKCU\Software\Microsoft\Windows\CurrentVersion\Run on Windows, ~/Library/LaunchAgents/com.clob.agent.plist with launchctl load on macOS, and ~/.config/autostart/clob.desktop on Linux; and (4) resolves the installer's public IP via api.ipify.org and POSTs it to a hardcoded bare-IP C2 endpoint at http://45.8.22.112:2026/api/urls?url=<public_ip>. The README is verbatim copied from @img/sharp-win32-x64 to impersonate the legitimate Sharp prebuilt, while package.json's own description ("Downloads clob2.0.exe on install") contradicts the README — this is deliberate camouflage. The bundled PE is undocumented and serves no advertised purpose.
Compromised versions (1)
- 2.73.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.