Malicious package

11j (npm)

Malicious code in 11j (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-3670
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall 11j

What this malware does

The analysis identified unambiguous malicious behavior in log.js (the package main). An IIFE executes on require/import and monkey-patches console.log, console.warn and console.error to exfiltrate their first argument to a hardcoded Telegram bot endpoint with attacker-owned chat IDs; it additionally PATCHes warn-intercepted data into an attacker-controlled Firebase RTDB. The module is further disguised with a large decoy DataTables employee dataset and a commented-out module.exports, so require() returns {} while still installing the global console hooks. The combination of (a) load-time global side effects, (b) two independent attacker-controlled exfiltration channels with hardcoded credentials/IDs, and (c) deliberate concealment via decoy data and suppressed exports constitutes a clear credential/data theft supply-chain attack with no plausible legitimate purpose. The package metadata ('11j', no description) provides no legitimate justification.

Malicious versions

6 flagged
1.1.1, 1.1.3, 1.1.8, 1.2.2, 1.2.8, 1.3.0

Indicators of compromise (SHA-256)


Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for 11j (6 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging 11j across your stack and pipelines.

  2. If you installed it — respond

    11j is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If 11j was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks 11j before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
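
For step 1, a lockfile check written for this page (an added example, not O3 Security's scanner or code from the advisory): it walks a parsed package-lock.json in either the v1 nested layout or the v2/v3 flat layout and reports every install of 11j, including transitive and aliased ones, marking whether the version is one of the six flagged above. The function name and both sample lockfiles are constructed for illustration.

```javascript
// Added example. Package name and versions are the ones listed in this advisory.
const FLAGGED_NAME = "11j";
const FLAGGED_VERSIONS = new Set(["1.1.1", "1.1.3", "1.1.8", "1.2.2", "1.2.8", "1.3.0"]);

// Returns [{ version, where, listed }] for every 11j install in a parsed package-lock.json.
function findInstalls(lock) {
  const hits = [];
  const check = (name, version, where) => {
    // lockfile v1 records an alias as version "npm:<real-name>@<version>"
    const alias = /^npm:(.+)@([^@]+)$/.exec(version || "");
    if (alias) [, name, version] = alias;
    if (name === FLAGGED_NAME) hits.push({ version, where, listed: FLAGGED_VERSIONS.has(version) });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const i = path.lastIndexOf("node_modules/");
      // "name" is only present when the folder name differs from the package name (aliases).
      const folder = i < 0 ? path : path.slice(i + "node_modules/".length);
      check(meta.name || folder, meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree; transitive copies sit under their parent.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, [...trail, name].join(" > "));
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfiles (not taken from a real project).
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.0.1" },
  "node_modules/some-lib/node_modules/11j": { version: "1.2.8" }, // transitive install
  "node_modules/logger": { name: "11j", version: "1.1.3" },       // aliased install
  "node_modules/11j-tools": { version: "1.1.1" },                 // similar name, not a match
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "some-lib": { version: "2.0.0", dependencies: { "11j": { version: "1.3.0" } } },
  logger: { version: "npm:11j@1.1.1" },                           // aliased install
  "11j": { version: "9.9.9" },                                    // constructed, unlisted version
} };
console.log(findInstalls(sampleV3), findInstalls(sampleV1));
```

To check a real project, pass the function `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Any hit, listed or not, means the package should be removed as the advisory directs.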

Frequently asked questions

No. 11j on npm has been identified as a malicious package (versions 1.1.1, 1.1.3, 1.1.8, 1.2.2, 1.2.8, 1.3.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002179, IN-MAL-2026-002176, IN-MAL-2026-002178, IN-MAL-2026-002180, IN-MAL-2026-002175, IN-MAL-2026-002177

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks 11j-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

11j (npm) malicious package — MAL-2026-3670 | O3 Security