MAL-2026-4350

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/clobprice.api/MAL-2026-4350.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4350
Published
2026-05-25T12:03:49Z
Modified
2026-05-26T06:02:23.174380831Z
Summary
Malicious code in clobprice.api (npm)
Details

This package belongs to a campaign of npm packages that share a common dropper (clob.js), which on postinstall downloads a Windows executable from IPFS and installs it persistently. The dropper fetches the binary for IPFS CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa through several public gateways (Pinata, Cloudflare, ipfs.io) without verifying a hash or signature, drops it to %LOCALAPPDATA%, registers Windows Registry persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run through a hidden VBScript wrapper (window style 0, so no visible window or taskbar entry), launches the payload immediately, and reports the victim's public IP address to a hardcoded C2 server via HTTP POST. macOS and Linux stubs are present but not yet configured. Developer artifacts bundled in config/meta_data.json leak the attacker's build path: E:\getting IP and check list\clob-downloader\.

clobprice.api bundles windows defender host.exe (≈4 MB, sha256 300a7dea05c2a588757010ad314fa55cb8ef3acebaa284f58a5cd0fd39bce478) directly in the package tarball as a fallback payload and also attempts to fetch an identical copy from IPFS at install time. Its postinstall script (node clob.js) drops the executable to %LOCALAPPDATA%\windows defender host.exe, a name chosen to pass as a Microsoft component. The C2 beacon transmits the victim's public IP to http://45.8.22.112:2026/api/urls.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c4ebda12a1fdf81e5621aa5e045e6286238df134c83d896dd177c60abbedf7d0)

package.json declares postinstall: node clob.js and the package's own description states 'Downloads clob2.0.exe on install'. On install, clob.js downloads a Windows PE from anonymous IPFS gateways (violet-tricky-quelea-562.mypinata.cloud, cloudflare-ipfs.com, gateway.pinata.cloud, ipfs.io; CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa) without any hash or signature verification, writes it to %LOCALAPPDATA% as 'windows defender host.exe' to impersonate a Microsoft component, and silently launches it hidden via a VBS launcher invoked through wscript //nologo with window style 0. A 4,035,072-byte file literally named 'windows defender host.exe' (sha256 300a7dea05c2a588757010ad314fa55cb8ef3acebaa284f58a5cd0fd39bce478) is also bundled in the tarball root as a fallback payload. Persistence is established on every supported platform: Windows registers the launcher under HKCU\Software\Microsoft\Windows\CurrentVersion\Run as 'clob'; macOS loads ~/Library/LaunchAgents/com.clob.agent.plist via launchctl; Linux writes ~/.config/autostart/clob.desktop. After dropping the binary, the script resolves the installer's public IP via api.ipify.org and POSTs it over plain HTTP to the hardcoded bare IP 45.8.22.112:2026 at /api/urls?url=<ip>:80, performing victim check-in to the operator. The result is full, persistent host compromise of any machine that runs npm install clobprice.api.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "576b0aea0f4f7f851d560f7247c254d18eee54a6cff513818495e7d2510e46c8",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T19:02:19Z",
            "import_time": "2026-05-26T05:53:14.24867966Z",
            "id": "IN-MAL-2026-004764",
            "versions": [
                "2.73.2"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "c4ebda12a1fdf81e5621aa5e045e6286238df134c83d896dd177c60abbedf7d0",
            "modified_time": "2026-05-25T16:48:10Z",
            "versions": [
                "2.73.1"
            ],
            "import_time": "2026-05-26T05:53:09.956355486Z",
            "id": "IN-MAL-2026-004726"
        },
        {
            "source": "amazon-inspector",
            "sha256": "ed566168c61c4bc4adfe633b1021969a9546e65dcc53b305b68365a868125fcb",
            "modified_time": "2026-05-25T12:03:49Z",
            "versions": [
                "2.73.0"
            ],
            "import_time": "2026-05-26T05:52:59.814265904Z",
            "id": "IN-MAL-2026-004637"
        }
    ]
}
References
Credits

Affected packages

npm / clobprice.api

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*
2.73.0
2.73.1
2.73.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/clobprice.api/MAL-2026-4350.json"
indicators
{
    "package_integrity": [
        {
            "filename": "clobprice.api-2.73.2.tgz",
            "hashes": {
                "sha1": "68c9318197099ba704569f93d898d6137cbff19d",
                "sha512_sri": "sha512-EiUPPSS+Tg01D8MvsIc6u9qODTdP21rhsmuYevBFRRy/fHNRjDkV3Gu5K7xgFRsuSnNgcQRvcUVMQEpogVfw8g=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "clob.js",
            "tlsh": "2b1282ba56f3613135b3e69d9b0b840a9207b0033249ed50fa9c73552fce12c95a1bfe",
            "sha256": "2fda85894e3d8d276b4d3e974eb216dbfc89ea3be7570b52afee44080724ffb3"
        },
        {
            "sha256": "c416cd0af88256407c36a0613f189ac4257221c7206d0324f7ef5563c66f1125",
            "tlsh": "fba1c0fe2c045a632ff1c9c67e0fad4fef19914c668e2d8874de9050632122969ec160",
            "path": "README.md"
        },
        {
            "path": "windows defender host.exe",
            "tlsh": "e9168d43f68592e9c0aec074c25b5237e376fc894a20679b73985b212f66b601f5f39c",
            "sha256": "300a7dea05c2a588757010ad314fa55cb8ef3acebaa284f58a5cd0fd39bce478"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]