Campaign report
clob dropper: three npm packages, one publisher, three-minute burst.
On 2026-05-25, npm publisher devcarron released three packages, @devcarron/clob, clob.api, and clobprice.api, within a three-minute window. Every release ships the same clob.js postinstall dropper, the same ~1.8 MB tarball, and the same fallback IPFS fetch for a Windows executable that the package descriptions openly admit is being installed.
Affected releases
| Package@version | Published | Tarball size | OSV ID |
|---|---|---|---|
| @devcarron/[email protected] | 2026-05-25T11:59:05.199Z | 1,821,870 bytes | MAL-2026-4347 |
| [email protected] | 2026-05-25T12:01:02.505Z | 1,821,863 bytes | MAL-2026-4349 |
| [email protected] | 2026-05-25T12:02:16.305Z | 1,821,867 bytes | MAL-2026-4350 |
What the dropper does
The postinstall hook node clob.js runs on every npm install of any of the three packages. The script invokes a bundled Windows executable shipped inside the tarball (clob2.0.exe, ~4 MB) and falls back to fetching an identical copy from an IPFS gateway if the bundled file is missing. On Windows it installs persistence via the scheduled task and startup folder mechanisms.
The clobprice.api variant renames the dropped binary at install time to windows defender host.exe, a Defender-impersonation cover that would survive a casual tasklist review.
No JavaScript module is exported. The packages perform no work other than running the dropper. The README is generic boilerplate.
Indicators
| Indicator | Value | Notes |
|---|---|---|
| Publisher | devcarron | All three packages published by the same npm account within 3 minutes 11 seconds. |
| Postinstall hook | node clob.js | Identical postinstall command in every package's package.json. |
| Bundled payload | clob2.0.exe (~4 MB Windows PE) | Shipped inside the tarball; tarball sizes within 7 bytes of each other (1821863, 1821867, 1821870). |
| Disguise | "windows defender host.exe" | clobprice.api renames the dropped binary at install time to mimic a Windows Defender file path. |
| Fallback fetch | IPFS gateway hosts (e.g. violet-tricky-quelea-562.*) | If the bundled binary is missing or fails to execute, clob.js fetches an identical copy over IPFS. |
| Persistence | Windows scheduled task / startup folder | Per Amazon Inspector's analysis on the OSV record; PkgRadar does not execute install hooks so we surface this from the static script body, not from observed behavior. |
What PkgRadar detects
| Finding kind | Severity | What it sees |
|---|---|---|
install_lifecycle_remote_or_exec | High | postinstall executes `node clob.js`, which then performs remote-fetch and execute steps — direct install-time risk. |
install_lifecycle_script | Low | PkgRadar surfaces every postinstall script for review; combined with the remote-or-exec finding above this contributes to the high verdict. |
Known-malicious cross-reference | Pinned to High | All three (package, version) tuples are cross-referenced against OSV's MAL- corpus and pinned to high regardless of static score. |
A consumer with PkgRadar gated CI set to fail_on=high would have blocked every one of the three releases at PR-merge time. A gate set to fail_on=review would also have caught them by the postinstall script alone, before the OSV cross-reference even ran.
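To make the three finding kinds and the fail_on gate concrete, here is an added example (not PkgRadar's own code) that triages a package manifest plus the script files its lifecycle hooks reference. The regexes, the verdict ladder (pass < review < high) and the sample manifest, script body and version string are assumptions constructed for the example; only the package name and the MAL- identifier come from the report.

```python
"""Static triage of npm install-lifecycle hooks (illustrative, not PkgRadar's code)."""
import json
import re

# Hooks npm runs without the consumer asking for them.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic patterns (assumptions): remote fetch and native execution markers.
REMOTE_RE = re.compile(r"https?://|\bipfs\b|https?\.get\(|\bfetch\(|\bcurl\b|\bwget\b", re.I)
EXEC_RE = re.compile(r"child_process|\bspawn(Sync)?\(|\bexec(File|Sync|FileSync)?\(|\.exe\b", re.I)
# Gate ordering: fail_on=review also blocks high; fail_on=high blocks only high.
VERDICT_RANK = {"pass": 0, "review": 1, "high": 2}


def _referenced_scripts(command):
    """Return the .js files a hook command such as 'node clob.js' invokes."""
    return [tok for tok in command.split() if tok.endswith(".js")]


def triage(manifest, tarball_files, known_malicious):
    """Return findings for one package.

    manifest: package.json as dict or JSON text.
    tarball_files: {path: content} for files shipped in the tarball.
    known_malicious: {(name, version): osv_id} stand-in for OSV's MAL- corpus.
    """
    data = json.loads(manifest) if isinstance(manifest, str) else manifest
    name, version = data.get("name"), data.get("version")
    findings = []
    for hook, command in data.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        # Every install-time script is surfaced for review, whatever it does.
        findings.append({"kind": "install_lifecycle_script", "severity": "low",
                         "detail": f"{hook}: {command}"})
        # Inspect the command itself plus the script bodies it names.
        text = "\n".join([command] + [tarball_files.get(p, "") for p in _referenced_scripts(command)])
        if REMOTE_RE.search(text) or EXEC_RE.search(text):
            findings.append({"kind": "install_lifecycle_remote_or_exec", "severity": "high",
                             "detail": f"{hook} reaches the network or executes a binary"})
    osv_id = known_malicious.get((name, version))
    if osv_id:
        # Pinned to high regardless of the static score.
        findings.append({"kind": "known_malicious", "severity": "high", "detail": osv_id})
    return findings


def verdict(findings):
    """Collapse findings into the package-level verdict used by the gate."""
    if any(f["severity"] == "high" for f in findings):
        return "high"
    if findings:  # a lifecycle script alone is enough to need a human look
        return "review"
    return "pass"


def gate_blocks(verdict_level, fail_on):
    """True when a gate configured with fail_on would block this verdict."""
    return VERDICT_RANK[verdict_level] >= VERDICT_RANK[fail_on]


# Constructed sample mirroring the report's layout; version and script body are invented.
SAMPLE_MANIFEST = {"name": "clob.api", "version": "0.0.0-sample",
                   "scripts": {"postinstall": "node clob.js"}}
SAMPLE_FILES = {
    "clob.js": (
        "const { spawn } = require('child_process');\n"
        "const FALLBACK = 'https://example-gateway.invalid/ipfs/<cid>';  // constructed stand-in\n"
        "// ... fetch FALLBACK when the bundled binary is missing, then spawn it\n"
    ),
}
SAMPLE_MALICIOUS = {("clob.api", "0.0.0-sample"): "MAL-2026-4349"}

if __name__ == "__main__":
    found = triage(SAMPLE_MANIFEST, SAMPLE_FILES, SAMPLE_MALICIOUS)
    for f in found:
        print(f"{f['severity']:<5} {f['kind']:<34} {f['detail']}")
    v = verdict(found)
    print("verdict:", v, "| fail_on=high blocks:", gate_blocks(v, "high"))
```

Run against the sample, the postinstall hook alone yields the low finding and a review verdict; the script body adds the high finding; the cross-reference pins high independently of the regexes, which is why a fail_on=review gate catches the release even if the heuristics miss.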
Response
- If `@devcarron/clob`, `clob.api`, or `clobprice.api` appears in any `package-lock.json` in your fleet, rotate any credentials on the affected hosts and hunt for the scheduled-task persistence (`schtasks /Query`) and the `windows defender host.exe` filename in the Windows startup folder.
- Block the publisher key `devcarron` in any registry mirror until the campaign is contained.
- The PkgRadar publisher page surfaces all releases by `devcarron` with their static verdicts, useful for confirming the blast radius.
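The lockfile sweep and startup-folder check above, as an added example that is not part of the original report. It handles package-lock.json versions 1, 2 and 3, also lists any other package the lockfile marks with `hasInstallScript` so those can be reviewed, and looks for the disguised filename in the standard Windows startup folders. The lockfile contents and version strings are constructed; the package names and the filename come from the report.

```python
"""Hunt for the clob dropper campaign in lockfiles and startup folders (added example)."""
import json
import os

AFFECTED = {"@devcarron/clob", "clob.api", "clobprice.api"}  # from the report
DISGUISED_FILENAME = "windows defender host.exe"             # from the report


def affected_in_lockfile(lock):
    """Return {package_name: [node_modules paths]} for affected packages.

    lock: package-lock.json as dict or JSON text (lockfileVersion 1, 2 or 3).
    """
    data = json.loads(lock) if isinstance(lock, str) else lock
    hits = {}
    # v2/v3: "packages" is keyed by install path; "" is the root project.
    for path, entry in data.get("packages", {}).items():
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        if path and name in AFFECTED:
            hits.setdefault(name, []).append(path)

    # v1 (and the v2 compatibility tree): nested "dependencies" objects.
    def walk(deps, prefix):
        for name, entry in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name in AFFECTED:
                hits.setdefault(name, []).append(path)
            walk(entry.get("dependencies", {}), path + "/")

    walk(data.get("dependencies", {}), "")
    return {k: sorted(set(v)) for k, v in hits.items()}


def install_script_packages(lock):
    """Paths of all packages the lockfile flags with hasInstallScript (v2/v3)."""
    data = json.loads(lock) if isinstance(lock, str) else lock
    return sorted(p for p, e in data.get("packages", {}).items() if e.get("hasInstallScript"))


def sweep_tree(root):
    """Walk a checkout/fleet mirror and report affected packages per lockfile."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if "package-lock.json" in files:
            lock_path = os.path.join(dirpath, "package-lock.json")
            with open(lock_path, encoding="utf-8") as fh:
                hits = affected_in_lockfile(fh.read())
            if hits:
                report[lock_path] = hits
    return report


def windows_startup_folders():
    """Per-user and all-users Startup folders, derived from the usual env vars."""
    dirs = []
    if os.environ.get("APPDATA"):
        dirs.append(os.path.join(os.environ["APPDATA"], r"Microsoft\Windows\Start Menu\Programs\Startup"))
    if os.environ.get("ProgramData"):
        dirs.append(os.path.join(os.environ["ProgramData"], r"Microsoft\Windows\Start Menu\Programs\StartUp"))
    return dirs


def hunt_startup_folders(dirs=None):
    """Return full paths of files whose name matches the disguised binary."""
    found = []
    for d in (windows_startup_folders() if dirs is None else dirs):
        if os.path.isdir(d):
            found += [os.path.join(d, n) for n in os.listdir(d) if n.lower() == DISGUISED_FILENAME]
    return found


# Constructed sample lockfiles; the version strings are invented.
SAMPLE_LOCK_V3 = {"lockfileVersion": 3, "packages": {
    "": {"name": "my-app", "version": "1.0.0"},
    "node_modules/clob.api": {"version": "0.0.0-sample", "hasInstallScript": True},
    "node_modules/left-pad": {"version": "1.3.0"},
}}
SAMPLE_LOCK_V1 = {"lockfileVersion": 1, "dependencies": {
    "some-wrapper": {"version": "2.0.0",
                     "dependencies": {"@devcarron/clob": {"version": "0.0.0-sample"}}},
}}

if __name__ == "__main__":
    print("v3 hits:", affected_in_lockfile(SAMPLE_LOCK_V3))
    print("v3 install scripts:", install_script_packages(SAMPLE_LOCK_V3))
    print("v1 hits:", affected_in_lockfile(SAMPLE_LOCK_V1))
    print("startup-folder matches:", hunt_startup_folders())
```

Point sweep_tree at a repository mirror or an endpoint's project directories; the scheduled-task side of the hunt stays with `schtasks /Query` as stated above, since task enumeration is a Windows-only call this script does not wrap.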
References
- Public OSV records: MAL-2026-4347, MAL-2026-4349, MAL-2026-4350
- PkgRadar package pages: @devcarron/[email protected], [email protected], [email protected]
- Publisher posture: devcarron
- Static-evidence methodology: how PkgRadar maps to SOC 2, NIST SSDF, ISO 27001, EU CRA