npm · Malicious package advisory
Malwareclobprice.api
MAL-2026-4350
Malicious code in clobprice.api (npm)
Details
A campaign of npm packages sharing a common dropper (`clob.js`) that downloads and persistently installs a Windows executable from IPFS on `postinstall`. The dropper fetches the binary from IPFS CID `bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa` via multiple public gateways (Pinata, Cloudflare, ipfs.io), drops it to `%LOCALAPPDATA%`, registers Windows Registry persistence under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` using a hidden VBScript wrapper (window style 0, no taskbar entry), launches the payload immediately, and reports the victim's public IP address to a hardcoded C2 server via HTTP POST. macOS and Linux stubs are present but not yet configured. Developer artifacts bundled in `config/meta_data.json` leak the attacker's build path: `E:\getting IP and check list\clob-downloader\`. `clobprice.api` bundles `windows defender host.exe` (≈4 MB) directly in the package tarball and also attempts to fetch an identical copy from IPFS at install time. Its `postinstall` script runs `clob.js`, which drops the executable to `%LOCALAPPDATA%\windows defender host.exe`. The C2 beacon transmits the victim's public IP to `http://45.8.22.112:2026/api/urls`. --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c4ebda12a1fdf81e5621aa5e045e6286238df134c83d896dd177c60abbedf7d0) package.json declares `postinstall: node clob.js` and the package's own description states 'Downloads clob2.0.exe on install'. On install, clob.js downloads a Windows PE from anonymous IPFS gateways (violet-tricky-quelea-562.mypinata.cloud, cloudflare-ipfs.com, gateway.pinata.cloud, ipfs.io; CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa) without any hash or signature verification, writes it to %LOCALAPPDATA% as 'windows defender host.exe' to impersonate a Microsoft component, and silently launches it hidden via a VBS launcher invoked through `wscript //nologo` with window style 0. A 4,035,072-byte file literally named 'windows defender host.exe' (sha256 300a7dea05c2a588757010ad314fa55cb8ef3acebaa284f58a5cd0fd39bce478) is also bundled in the tarball root as a fallback payload. Persistence is established on every supported platform: Windows registers the launcher under HKCU\Software\Microsoft\Windows\CurrentVersion\Run as 'clob'; macOS loads `~/Library/LaunchAgents/com.clob.agent.plist` via launchctl; Linux writes `~/.config/autostart/clob.desktop`. After dropping the binary, the script resolves the installer's public IP via api.ipify.org and POSTs it over plain HTTP to the hardcoded bare IP 45.8.22.112:2026 at `/api/urls?url=<ip>:80`, performing victim check-in to the operator. The result is full, persistent host compromise of any machine that runs `npm install clobprice.api`.
Compromised versions (3)
- 2.73.2
- 2.73.1
- 2.73.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.