A campaign of npm packages sharing a common dropper (clob.js) that downloads and persistently installs a Windows executable from IPFS on postinstall. The dropper fetches the binary from IPFS CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa via multiple public gateways (Pinata, Cloudflare, ipfs.io), drops it to %LOCALAPPDATA%, registers Windows Registry persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run using a hidden VBScript wrapper (window style 0, no taskbar entry), launches the payload immediately, and reports the victim's public IP address to a hardcoded C2 server via HTTP POST. macOS and Linux stubs are present but not yet configured. Developer artifacts bundled in config/meta_data.json leak the attacker's build path: E:\getting IP and check list\clob-downloader\.
api-rs-node masquerades as a high-performance Rust-native Node.js module. Its postinstall script runs clob.js, which downloads windows defender host.exe from IPFS and drops it to %LOCALAPPDATA%\windows defender host.exe to blend in with legitimate Windows Defender processes. The C2 beacon transmits the victim's public IP to http://170.205.31.203:2026/api/urls. No executable is bundled in the tarball; the payload is fetched entirely from IPFS at install time.
-= Per source details. Do not edit below this line.=-
The package advertises itself as a Rust↔Node.js bridge but ships only an obfuscated postinstall script (clob.js) and no Rust or Node bindings. On npm install, the postinstall hook runs clob.js, which: (1) downloads a Windows executable from a hardcoded IPFS CID via Pinata/Cloudflare/ipfs.io gateways (e.g. https://violet-tricky-quelea-562.mypinata.cloud/ipfs/<CID>), drops it to %LOCALAPPDATA% as windows defender host.exe, and spawns it hidden via wscript.exe with no hash or signature verification; (2) registers persistence across all three major platforms — HKCU\Software\Microsoft\Windows\CurrentVersion\Run on Windows (via a VBS launcher), ~/Library/LaunchAgents/com.clob.agent.plist + launchctl load on macOS, and ~/.config/autostart/clob.desktop on Linux — so the dropped binary auto-starts on every boot/login; (3) resolves the installer's public IP via api.ipify.org and POSTs it to a hardcoded bare-IP C2 at http://170.205.31.203:2026/api/urls?url=<ip>. All sensitive identifiers (require('https'), execSync, spawn, LOCALAPPDATA, the disguised filename, wscript.exe, autostart paths) are unicode-escaped or constructed from reversed strings to evade scanners. The README contains a your-package-name placeholder and the package name impersonates the napi-rs / Rust-Node native-addon ecosystem.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"sha256": "0f9be2e3f8ef49b57b807bd6830cff4ab7546d697ba4b45a9551b82df3cda184",
"id": "IN-MAL-2026-004736",
"import_time": "2026-05-26T05:53:11.140440649Z",
"modified_time": "2026-05-25T17:38:00Z",
"versions": [
"4.3.0"
]
},
{
"source": "amazon-inspector",
"sha256": "71d17f3061ddcdcd1ccd6697a860f8455d61a83d8e2ed6deed79850cb1f4572f",
"modified_time": "2026-05-25T19:07:10Z",
"import_time": "2026-05-26T05:53:14.377324895Z",
"id": "IN-MAL-2026-004765",
"versions": [
"4.3.1"
]
},
{
"source": "amazon-inspector",
"sha256": "f35d78c9b19152fbb6f6943a7a108fe0c38827fd8a31e2ae3f4ffa5e2a3424c7",
"modified_time": "2026-06-11T12:55:25Z",
"import_time": "2026-06-11T13:27:20.405573231Z",
"id": "IN-MAL-2026-005727",
"versions": [
"4.3.2"
]
},
{
"source": "ghsa-malware",
"sha256": "9c9f175150007db6327d33712be9ad778cfc8f80524c00c3de80d88e9d61d8ad",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"import_time": "2026-06-17T13:31:49.240185487Z",
"id": "GHSA-r648-cv89-gjg2",
"modified_time": "2026-06-17T13:14:16Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/api-rs-node/MAL-2026-4348.json"
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-L0yQEk3RPiiyoPrmn0mh1bh3lc8dGEbZd9qG4WzI1tUFdVZZtEOX28x0HdPkOMjv+o3uzvNmG/BZCxB7Ujjvqw==",
"sha1": "780d980b1242ca83fe9d869c9926f5e5890f293f"
},
"filename": "api-rs-node-4.3.0.tgz"
}
],
"evidence_files": [
{
"path": "clob.js",
"sha256": "7fdd22aba4d800fafd15afa9cdd39bcf80f3a43783c5c10d290606b1140fd105",
"tlsh": "2e1285ba9af2652139b3d58dab0b441a6417b0073109ec54fa5cb35e6fcf02cc5a16fe"
}
]
}