@devcarron/clobnpm

A campaign of npm packages sharing a common dropper (clob.js) that downloads and persistently installs a Windows executable from IPFS on postinstall. The dropper fetches the binary from IPFS CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa via multiple public gateways (Pinata, Cloudflare, ipfs.io), drops it to %LOCALAPPDATA%, registers Windows Registry persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run using a hidden VBScript wrapper (window style 0, no taskbar entry), launches the payload immediately, and reports the victim's public IP address to a hardcoded C2 server via HTTP POST. macOS and Linux stubs are present but not yet configured. Developer artifacts bundled in config/meta_data.json leak the attacker's build path: E:\getting IP and check list\clob-downloader\.

@devcarron/clob is a scoped package identical in behavior to clob.api and likely published by the same actor as a distribution variant. It bundles clob2.0.exe (≈4 MB) directly in the tarball and also fetches from IPFS. Its postinstall script runs clob.js, which drops the executable to %LOCALAPPDATA%\clob2.0.exe. The C2 beacon transmits the victim's public IP to http://45.8.22.112:2026/api/urls.

@devcarron/clob ships a malicious postinstall dropper. package.json declares postinstall: node clob.js, which on npm install downloads an opaque Windows executable (clob2.0.exe) from IPFS via gateways including violet-tricky-quelea-562.mypinata.cloud, cloudflare-ipfs.com, and gateway.pinata.cloud (CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa), writes it under %LOCALAPPDATA%, generates a VBS launcher, and registers HKCU\Software\Microsoft\Windows\CurrentVersion\Run to silently launch the binary via wscript.exe with windowsHide. Equivalent persistence is installed on macOS via ~/Library/LaunchAgents/com.clob.agent.plist + launchctl load, and on Linux via ~/.config/autostart/clob.desktop. clob.js then resolves the installer's public IP through api.ipify.org and POSTs it to the hardcoded bare-IP endpoint http://45.8.22.112:2026/api/urls over plain HTTP — an install-time beacon notifying the operator of each successful infection. The tarball additionally ships a 4 MB Windows PE clob2.0.exe at the root, and README.md is copied verbatim from @img/sharp-win32-x64 (Prebuilt sharp for use with Windows x64) to disguise the package's true purpose. None of these behaviors relate to any legitimate library function: no source code, no advertised API, no relation to libvips/sharp.