{"id":"MAL-2026-4347","summary":"Malicious code in @devcarron/clob (npm)","details":"A campaign of npm packages sharing a common dropper (`clob.js`) that downloads and persistently installs a Windows executable from IPFS on `postinstall`. The dropper fetches the binary from IPFS CID `bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa` via multiple public gateways (Pinata, Cloudflare, ipfs.io), drops it to `%LOCALAPPDATA%`, registers Windows Registry persistence under `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` using a hidden VBScript wrapper (window style 0, no taskbar entry), launches the payload immediately, and reports the victim's public IP address to a hardcoded C2 server via HTTP POST. macOS and Linux stubs are present but not yet configured. Developer artifacts bundled in `config/meta_data.json` leak the attacker's build path: `E:\\getting IP and check list\\clob-downloader\\`.\n\n`@devcarron/clob` is a scoped package identical in behavior to `clob.api` and likely published by the same actor as a distribution variant. It bundles `clob2.0.exe` (≈4 MB) directly in the tarball and also fetches from IPFS. Its `postinstall` script runs `clob.js`, which drops the executable to `%LOCALAPPDATA%\\clob2.0.exe`. The C2 beacon transmits the victim's public IP to `http://45.8.22.112:2026/api/urls`.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7a672e1412ca3d2af83bcf7772d7cf6b1803b8987a43e4a2abc359112f34aea1)\n@devcarron/clob ships a malicious postinstall dropper. package.json declares `postinstall: node clob.js`, which on `npm install` downloads an opaque Windows executable (clob2.0.exe) from IPFS via gateways including violet-tricky-quelea-562.mypinata.cloud, cloudflare-ipfs.com, and gateway.pinata.cloud (CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa), writes it under %LOCALAPPDATA%, generates a VBS launcher, and registers HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run to silently launch the binary via wscript.exe with windowsHide. Equivalent persistence is installed on macOS via ~/Library/LaunchAgents/com.clob.agent.plist + launchctl load, and on Linux via ~/.config/autostart/clob.desktop. clob.js then resolves the installer's public IP through api.ipify.org and POSTs it to the hardcoded bare-IP endpoint http://45.8.22.112:2026/api/urls over plain HTTP — an install-time beacon notifying the operator of each successful infection. The tarball additionally ships a 4 MB Windows PE clob2.0.exe at the root, and README.md is copied verbatim from @img/sharp-win32-x64 (`Prebuilt sharp for use with Windows x64`) to disguise the package's true purpose. None of these behaviors relate to any legitimate library function: no source code, no advertised API, no relation to libvips/sharp.\n","modified":"2026-05-26T06:01:47.145488596Z","published":"2026-05-25T12:00:48Z","database_specific":{"malicious-packages-origins":[{"sha256":"7a672e1412ca3d2af83bcf7772d7cf6b1803b8987a43e4a2abc359112f34aea1","versions":["2.73.0"],"modified_time":"2026-05-25T12:00:48Z","import_time":"2026-05-26T05:52:59.538162961Z","id":"IN-MAL-2026-004635","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@devcarron/clob/v/2.73.0"}],"affected":[{"package":{"name":"@devcarron/clob","ecosystem":"npm","purl":"pkg:npm/%40devcarron%2Fclob"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["2.73.0"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"954728b16738a4b44696a599eecde211ece2ccfcc9eb47bfaf4ba5c3ab6715be","path":"clob.js","tlsh":"7412857a9af2612139b3d58dab0b441a6417b4073109ec54fa5cb35e6fcf02cc5a16fe"},{"sha256":"c416cd0af88256407c36a0613f189ac4257221c7206d0324f7ef5563c66f1125","path":"README.md","tlsh":"fba1c0fe2c045a632ff1c9c67e0fad4fef19914c668e2d8874de9050632122969ec160"},{"sha256":"300a7dea05c2a588757010ad314fa55cb8ef3acebaa284f58a5cd0fd39bce478","path":"clob2.0.exe","tlsh":"e9168d43f68592e9c0aec074c25b5237e376fc894a20679b73985b212f66b601f5f39c"}],"package_integrity":[{"filename":"clob-2.73.0.tgz","hashes":{"sha512_sri":"sha512-3RD7rZLwC2tq8XAJqH4cvvcfbDjA4vUXVFPl+rUdz6N5t0CRc/pzEX0ZpppstTezEFofVnaaGh4PTkvmkCOWYA==","sha1":"40d17c4e886bca64d773cea6d25672323313ebc4"}}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@devcarron/clob/MAL-2026-4347.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}