Thanks @sebastien_picavet for this idea. I ended up with two js scripts to get the whole advisory database from GitHub (only 100 entries per request) and check against our nexus server.
fsevents < 1.2.11 was the malicious package. All other hits look like false positives (all created on GitHub on Jun 20, 2022 and all with version >= 0 and no patched version).
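As an added illustration of the comparison step described in the post above (this is not the poster's scripts, and all advisory and component records in it are constructed sample data with placeholder GHSA ids), this matches GitHub advisory version ranges such as `< 1.2.11` or `>= 0` against npm components from a repository listing and flags the "`>= 0` with no patched version" pattern the thread treats as a likely false positive:

```javascript
// Added example: match advisory version ranges against repository components
// and mark the ">= 0 / no patched version" pattern as a likely false positive.
// Advisory ids, package names and versions below are constructed samples.

function parseVersion(v) {
  // semver core only: "1.2.11" -> [1, 2, 11]; a pre-release suffix is dropped
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const [x, y] = [pa[i] || 0, pb[i] || 0];
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A range is a comma-separated list of clauses, e.g. ">= 1.0, < 1.2.11";
// all clauses must hold for the version to be inside the range.
function inRange(version, range) {
  return range.split(",").every((clause) => {
    const [, op, target] = clause.trim().match(/^(<=|>=|<|>|=)\s*(\S+)$/);
    const c = compareVersions(version, target);
    return { "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c === 0 }[op];
  });
}

// advisories: [{ ghsaId, package, range, patched }], components: [{ name, version }]
function findHits(advisories, components) {
  const hits = [];
  for (const adv of advisories) {
    for (const comp of components) {
      if (comp.name !== adv.package || !inRange(comp.version, adv.range)) continue;
      hits.push({
        ghsaId: adv.ghsaId, name: comp.name, version: comp.version,
        // the pattern the thread observed: catch-all range and nothing patched
        likelyFalsePositive: adv.range.trim() === ">= 0" && !adv.patched,
      });
    }
  }
  return hits;
}

const SAMPLE_ADVISORIES = [
  { ghsaId: "GHSA-placeholder-1", package: "fsevents", range: "< 1.2.11", patched: "1.2.11" },
  { ghsaId: "GHSA-placeholder-2", package: "left-pad", range: ">= 0", patched: null },
];
const SAMPLE_COMPONENTS = [
  { name: "fsevents", version: "1.2.9" }, { name: "fsevents", version: "1.2.11" },
  { name: "left-pad", version: "1.3.0" },
];
```

Running `findHits(SAMPLE_ADVISORIES, SAMPLE_COMPONENTS)` yields one real hit (fsevents 1.2.9) and one hit flagged as a likely false positive (left-pad against the catch-all range).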
Thanks @sebastien_picavet - worked out for us as well. For small findings it works. At a larger scale the firewall makes more sense. But thanks for the hint.