
MAL-2026-4348

Malicious code in api-rs-node (npm)

Details

A campaign of npm packages sharing a common dropper (`clob.js`) that downloads and persistently installs a Windows executable from IPFS on `postinstall`. The dropper fetches the binary from IPFS CID `bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa` via multiple public gateways (Pinata, Cloudflare, ipfs.io), drops it to `%LOCALAPPDATA%`, registers Windows Registry persistence under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` using a hidden VBScript wrapper (window style 0, no taskbar entry), launches the payload immediately, and reports the victim's public IP address to a hardcoded C2 server via HTTP POST. macOS and Linux stubs are present but not yet configured. Developer artifacts bundled in `config/meta_data.json` leak the attacker's build path: `E:\getting IP and check list\clob-downloader\`.

`api-rs-node` masquerades as a high-performance Rust-native Node.js module. Its `postinstall` script runs `clob.js`, which downloads `windows defender host.exe` from IPFS and drops it to `%LOCALAPPDATA%\windows defender host.exe` so that the process name blends in with legitimate Windows Defender components; no genuine Defender binary runs from a user's `%LOCALAPPDATA%`, so the path itself is a reliable indicator. The C2 beacon transmits the victim's public IP to `http://170.205.31.203:2026/api/urls`. No executable is bundled in the tarball; the payload is fetched entirely from IPFS at install time, so static scanning of the package archive for a PE binary finds nothing and the detectable signals are the `postinstall` hook, the dropper script and the network fetch.

Affected packages

npm / api-rs-node
Introduced in: 0

No fixed version has been published for api-rs-node (npm), and since every published version is listed as affected (introduced in 0) there is no known-safe version to pin to: remove the package from your dependencies and lockfile, or switch to an alternative. On any Windows host where it was installed, treat `%LOCALAPPDATA%\windows defender host.exe`, the hidden VBScript launcher registered under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, and connections to `170.205.31.203:2026` as indicators of compromise.