clob.api @2.73.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4349

Ecosystem

npm

Summary

On install, package.json's postinstall hook runs node clob.js, which (1) downloads clob2.0.exe (Windows) or clob (macOS/Linux) from IPFS gateways including violet-tricky-quelea-562.mypinata.cloud, cloudflare-ipfs.com, ipfs.io, and gateway.pinata.cloud, falling back to a 4 MB clob2.0.exe PE binary bundled directly in the tarball; (2) writes the binary to %LOCALAPPDATA% / ~/.local/bin and launches it hidden via a generated VBS launcher invoked through wscript.exe //nologo with windowsHide:true; (3) installs autorun across all three operating systems — HKCU\Software\Microsoft\Windows\CurrentVersion\Run on Windows, ~/Library/LaunchAgents/com.clob.agent.plist with launchctl load on macOS, and ~/.config/autostart/clob.desktop on Linux; and (4) resolves the installer's public IP via api.ipify.org and POSTs it to a hardcoded bare-IP C2 endpoint at http://45.8.22.112:2026/api/urls?url=<public_ip>. The README is verbatim copied from @img/sharp-win32-x64 to impersonate the legitimate Sharp prebuilt, while package.json's own description ("Downloads clob2.0.exe on install") contradicts the README — this is deliberate camouflage. The bundled PE is undocumented and serves no advertised purpose.

Source: amazon-inspector (2788e534ad4bce2154871c16cb6a6f35eed923f96bae6ca4bf041e197c30ed8a)
