api-rs-node @4.3.2
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4348
Ecosystem
npm
Summary
The package advertises itself as a Rust↔Node.js bridge but ships only an obfuscated postinstall script (clob.js) and no Rust or Node bindings. On npm install, the postinstall hook runs clob.js, which: (1) downloads a Windows executable from a hardcoded IPFS CID via Pinata/Cloudflare/ipfs.io gateways (e.g. https://violet-tricky-quelea-562.mypinata.cloud/ipfs/<CID>), drops it to %LOCALAPPDATA% as windows defender host.exe, and spawns it hidden via wscript.exe with no hash or signature verification; (2) registers persistence across all three major platforms — HKCU\Software\Microsoft\Windows\CurrentVersion\Run on Windows (via a VBS launcher), ~/Library/LaunchAgents/com.clob.agent.plist + launchctl load on macOS, and ~/.config/autostart/clob.desktop on Linux — so the dropped binary auto-starts on every boot/login; (3) resolves the installer's public IP via api.ipify.org and POSTs it to a hardcoded bare-IP C2 at http://170.205.31.203:2026/api/urls?url=<ip>. All sensitive identifiers (require('https'), execSync, spawn, LOCALAPPDATA, the disguised filename, wscript.exe, autostart paths) are unicode-escaped or constructed from reversed strings to evade scanners. The README contains a your-package-name placeholder and the package name impersonates the napi-rs / Rust-Node native-addon ecosystem.
Source: amazon-inspector (f35d78c9b19152fbb6f6943a7a108fe0c38827fd8a31e2ae3f4ffa5e2a3424c7)
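Triage check for the indicators in the summary above, as an added example that is not part of the original report or of any vendor tooling: it finds every copy of the package in a parsed package-lock.json and lists the file-based persistence artifacts to look for on the current host. The function names and the sample lockfile are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

const BAD_NAME = 'api-rs-node'; // package named in this report (4.3.2 flagged)

// Find every copy of the package in a parsed package-lock.json.
// v2/v3 lockfiles list installs under "packages"; v1 nests "dependencies".
function findInLock(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      // key looks like "node_modules/a/node_modules/api-rs-node"
      if (key.split('node_modules/').pop() === BAD_NAME) {
        hits.push({ where: key, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      if (name === BAD_NAME) hits.push({ where, version: meta.version });
      walk(meta.dependencies, where);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// File artifacts the report names, per platform. The Windows Run-key entry
// is a registry value and needs a separate registry query.
function persistenceArtifacts(platform, home, env) {
  if (platform === 'win32') {
    return env.LOCALAPPDATA
      ? [path.win32.join(env.LOCALAPPDATA, 'windows defender host.exe')]
      : [];
  }
  if (platform === 'darwin') {
    return [path.posix.join(home, 'Library/LaunchAgents/com.clob.agent.plist')];
  }
  return [path.posix.join(home, '.config/autostart/clob.desktop')];
}

// Constructed sample lockfile (v3 shape), not taken from a real project.
const SAMPLE_LOCK = { packages: { '': { name: 'demo' },
  'node_modules/api-rs-node': { version: '4.3.2', hasInstallScript: true } } };
console.log('lockfile hits:', findInLock(SAMPLE_LOCK));
console.log('artifacts present:', persistenceArtifacts(process.platform,
  os.homedir(), process.env).filter((p) => fs.existsSync(p)));
```

A lockfile hit means the postinstall hook may already have run, so the artifact check belongs on every machine and CI runner that installed from that lockfile.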