api-rs-node (npm)
Malicious code in api-rs-node (npm). Remove it immediately and rotate any exposed credentials.
What this malware does
A campaign of npm packages sharing a common dropper (clob.js) that downloads and persistently installs a Windows executable from IPFS on postinstall. The dropper fetches the binary from IPFS CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa via multiple public gateways (Pinata, Cloudflare, ipfs.io), drops it to %LOCALAPPDATA%, registers Windows Registry persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run using a hidden VBScript wrapper (window style 0, no taskbar entry), launches the payload immediately, and reports the victim's public IP address to a hardcoded C2 server via HTTP POST. macOS and Linux stubs are present but not yet configured. Developer artifacts bundled in config/meta_data.json leak the attacker's build path: E:\getting IP and check list\clob-downloader\.
api-rs-node masquerades as a high-performance Rust-native Node.js module. Its postinstall script runs clob.js, which downloads windows defender host.exe from IPFS and drops it to %LOCALAPPDATA%\windows defender host.exe to blend in with legitimate Windows Defender processes. The C2 beacon transmits the victim's public IP to http://170.205.31.203:2026/api/urls. No executable is bundled in the tarball; the payload is fetched entirely from IPFS at install time.
The package advertises itself as a Rust↔Node.js bridge but ships only an obfuscated postinstall script (clob.js) and no Rust or Node bindings. On npm install, the postinstall hook runs clob.js, which: (1) downloads a Windows executable from a hardcoded IPFS CID via Pinata/Cloudflare/ipfs.io gateways (e.g. https://violet-tricky-quelea-562.mypinata.cloud/ipfs/<CID>), drops it to %LOCALAPPDATA% as windows defender host.exe, and spawns it hidden via wscript.exe with no hash or signature verification; (2) registers persistence across all three major platforms — HKCU\Software\Microsoft\Windows\CurrentVersion\Run on Windows (via a VBS launcher), ~/Library/LaunchAgents/com.clob.agent.plist + launchctl load on macOS, and ~/.config/autostart/clob.desktop on Linux — so the dropped binary auto-starts on every boot/login; (3) resolves the installer's public IP via api.ipify.org and POSTs it to a hardcoded bare-IP C2 at http://170.205.31.203:2026/api/urls?url=<ip>. All sensitive identifiers (require('https'), execSync, spawn, LOCALAPPDATA, the disguised filename, wscript.exe, autostart paths) are unicode-escaped or constructed from reversed strings to evade scanners. The README contains a your-package-name placeholder and the package name impersonates the napi-rs / Rust-Node native-addon ecosystem.
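The traits above (install hook, unicode-escaped and reversed identifiers, IPFS CID fetch, autostart paths, bare-IP HTTP beacon) can be checked for mechanically before a package is allowed to run its install scripts. The following is an added example written for this page, not code from the advisory or the package; the package.json, script text, CID and IP address it scans are all constructed samples.

```javascript
// Heuristic scan of an npm package for the install-time dropper traits this
// advisory describes. Sample inputs below are constructed, not the real dropper.
const SENSITIVE = ['require', 'child_process', 'execSync', 'spawn',
  'LOCALAPPDATA', 'wscript.exe', 'https'];
const PERSISTENCE = [/CurrentVersion\\+Run/i, /Library\/LaunchAgents/, /\.config\/autostart/];
const IPFS = /\/ipfs\/(baf[a-z2-7]{20,}|Qm[1-9A-HJ-NP-Za-km-z]{44})/; // CIDv1 or CIDv0
const BARE_IP_URL = /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\//;

// Decode \uXXXX escapes so identifiers hidden that way become searchable.
function decodeEscapes(src) {
  return src.replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Recover literals assembled as 'gnirts'.split('').reverse().join('').
function reversedLiterals(src) {
  const re = /(['"])([^'"]+)\1\.split\(\1\1\)\.reverse\(\)\.join\(\1\1\)/g;
  return [...src.matchAll(re)].map((m) => [...m[2]].reverse().join(''));
}

// pkg: parsed package.json; files: { filename: source }. Returns findings.
function scanPackage(pkg, files) {
  const findings = [];
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (pkg.scripts && pkg.scripts[hook]) findings.push({ rule: 'install-hook', detail: hook });
  }
  for (const [file, src] of Object.entries(files)) {
    const decoded = decodeEscapes(src);
    for (const id of SENSITIVE) {
      // Visible only after decoding means the identifier was escaped on purpose.
      if (decoded.includes(id) && !src.includes(id)) findings.push({ rule: 'escaped-identifier', detail: id, file });
    }
    for (const lit of reversedLiterals(decoded)) {
      if (SENSITIVE.includes(lit)) findings.push({ rule: 'reversed-literal', detail: lit, file });
    }
    const cid = decoded.match(IPFS);
    if (cid) findings.push({ rule: 'ipfs-fetch', detail: cid[1], file });
    for (const p of PERSISTENCE) {
      const m = decoded.match(p);
      if (m) findings.push({ rule: 'persistence', detail: m[0], file });
    }
    const c2 = decoded.match(BARE_IP_URL);
    if (c2) findings.push({ rule: 'bare-ip-url', detail: c2[0], file });
  }
  return findings;
}

// Constructed sample package (TEST-NET address, made-up CID) for demonstration.
const SAMPLE_PKG = { name: 'example-rs-node', scripts: { postinstall: 'node clob.js' } };
const SAMPLE_FILES = { 'clob.js': String.raw`
const r = global['\u0072\u0065\u0071\u0075\u0069\u0072\u0065'];
const tool = 'exe.tpircsw'.split('').reverse().join('');
const gw = 'https://ipfs.io/ipfs/bafybeiconstructedsampleciddonotuse';
const key = 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run';
const c2 = 'http://192.0.2.10:2026/api/urls';
` };
for (const f of scanPackage(SAMPLE_PKG, SAMPLE_FILES)) console.log(f.rule, f.detail);
```

A package that trips the escaped-identifier or reversed-literal rules alongside an install hook should be quarantined before `npm install` is allowed to run its scripts (for example by installing with `--ignore-scripts` and reviewing first).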
Credits
- Amazon Inspector · finder
- SafeDep · finder