How do I remediate admin0911 if I installed it?

Remove admin0911 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed admin0911 — how do I know if it already compromised me?

If admin0911 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is admin0911 part of a known attack campaign?

Yes — admin0911 is associated with the GHSA-hr5g-wqxg-m42m campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find admin0911 across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for admin0911 (47 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging admin0911 across your stack and pipelines.

Malicious package

admin0911npm

Malicious code in admin0911 (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-2492

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall admin0911

What this malware does

The package admin0911 was found to contain malicious code.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The OpenSSF Package Analysis project identified 'admin0911' @ 1.0.38 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.

Malicious versions

47 flagged

1.0.01.0.11.0.21.0.41.0.51.0.81.0.101.0.111.0.121.0.131.0.141.0.191.0.211.0.231.0.371.0.381.0.391.0.431.0.441.0.451.0.471.0.481.0.491.0.511.0.521.0.541.0.551.0.561.0.601.0.611.0.621.0.631.0.641.0.661.0.741.0.751.0.781.0.791.0.801.0.851.0.881.0.911.0.931.0.951.0.1001.1.01.1.2

Indicators of compromise (SHA-256)

3695d0f7489e83b4ec745cea51d9a057efc6c22f3f7a4b2fb6e640527d8343a4

5c85e038183d5abde236e2f52464a662b6aed5f6129c6ad6a568ec565c361f89

e18d7245ffba525783ef5adcf4e1139bbab811212ba167258d6b1c41462a3356

5400638b8f302ba0dcdf7fe2ef807b7d914e1402f7c26109b3b68e2b46af7ffd

26fac17d4076abe58d460e1e9ceaedeec2f6ba9e3daaaf1920dd84caa638a32e

cf656bb5a4d98071f7a8ab56f208cd3700efe87a7325c344eb379d8e87d8e139

428a4a04a4930c8c8d9b430fb7a3ffcff1dd4cd2cbf63727ccaf9d3c8de48936

382bdef35e36a5feec0cad981c76915cb8f875d01626bd3395bedb729e9b0486

e5e4e1fc75301ca7250ef6fced097b98d827424f1df7f2ef4a1dfe0405ec39f0

09f24ddbbcc8473b6871c3da3e69e669df9b7f643bfac2dd4b582e5962c4eecd

4faf70dade9278166dd051dda6a1a3c8bf87c810b0d206830f118dedf2ba3448

cfc467e110572f449912dbc6e27e5cdb26fbe049b8c6dd378f5c4ae7e41b156f

00544f3a87422e5d3722f08a03550e56980362172bfbe064a478724f4c50e39d

7ba859281540df54fdbc16e0fb345bcdd8992096d3aba54aa31c6968a71f421c

8516309c67b62cd05a8cec44d5bd7cb5ebceebd331c870e3589ab027bb926bb7

0f0a6fce857d51342c57c185f8d059dbad9c04f410521bd2a0c555811b57a82c

f5929b05d89b9d44dc61f8bb1a60a40fa66f3e6d6fa09ce845562163ffd251d2

a5026e814264c4520bc542d2cfe990af525e6724c2cc684ebadb95dabd1242a3

2b03020b2462366f58fbcae62d80fa2e2ac7b312dac3ebf57fd59ab7b0c4a4a7

7820c18fe358cd7a14d30da3040d1ba0ca02a2189f4fe1f84a98b9636fac5464

a76584e7e264e71950f5170fe4470e06e8ad48398335fe58a5e5523f1f33abcf

a9d3d2e1466512fccf2f526bcfc8f57f1aa0bf474431bf633d8f65d1e6c2fad2

04c5b0bd097bb02ad2646265eed64a5915e7c84af6f44e3c0bf3fceac6ec8e3d

1961aefe764eaa2339491f5bbba0bce6623f9039f47930540e7a52c93a3162ff

8c2e9219becf1d5a997b4166889751cf6da7737d9661e25516aa7b9a4afece74

30b4145d46778b93d12881e8d0d99fc6c0f021ce12a68bde4ba924ad125284db

c7229e750b5648710bbf20e1aa91f887cc53234fcec80679463d6731781a1885

f20770c413b0edb94ebd3197340b57096ece2c44821a5546aa6e13dbb57ba09e

01a2c86b50650bff2c33907d686fe824f4b4afd4b33e95885bb118ac00e5cfb3

b7d8ba2a640c047ff3933948e8e50322a6ccf3afb05e27acb64137bbeb064584

d631267d1bceb36cb2e6dad1e41ebb630184de67466e5ceef0fbe6cb4291237f

0811ed207df49a8b2f03fb524ad90d2a754df67f180eb7f78568ea1bffecb9f9

f59c404d5fd3cff9daa12f668fa89a19d33b8f4d6a8cab9a3db25695a0a79cfb

fc2dade7a4c6d70d4a224ca05fa9b464906bcd023bf0a1e7f42e47f1a2f56274

131de816e8ec55ce8cba8760646cd38392aa5d5c64d74ca83d6331ce81dc92c7

915fbcb00a56736c74fd6bac9150fe0fd41d5176bffcc38ff24e89a3dad105c5

c9038d6011ae0e0704c830183ab305f1b18b2ea56a7372db1c65e41b3d358e0a

c93f607fb900cc4883f10c39a80a488d8ee0ee91305b619c5f14a09ccd251276

f44a219b0e66b00d33cd176741bf0b22e176e9334dbb7bc1b1714e638cca5b14

bbc1f5ffdcb27f45f5932ec7fe96058c094d2fcf2f53fbe2d6fc131c53ea8882

6519e53b2233beaf25d2936c670a37dde7a5004cfde5d27953e725f0c5311500

8174f37f4557d0d978418276ca1b5ed0146a698dd4a3dc67e5a00962d0984e30

fdbe85ca32b4a6ac18bf5b64e20aec8ab349cec3035d2c5a7a53dd6d44da46db

c46732b638c390a0bcfb18114db829b60516a437a9766e5b6b12f3bc6328326e

80e723d28b01c54b7f50d22e719adb9cd9ebccc35fd1bd6c0d23d1e47de9d7dc

645de188738e4aa5552dbd60c7fe46dd0d986bac224eeae86d938bbde79b8984

ddf5c15949ca3d2a7d133980e825056903bb01428c224b084842d0a340bb11e7

5dc35261486a79b970a497afe7859ad6f18c41203df98841454f6ef218bb54f3

3b8dd74b10ddf8f43854df0999878fec4cffe7ec1e4d42e136602be00468a54c

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for admin0911 (47 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging admin0911 across your stack and pipelines.
If you installed it — respond
Remove admin0911 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If admin0911 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks admin0911 before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. admin0911 on npm has been identified as a malicious package (versions 1.0.0, 1.0.1, 1.0.2, 1.0.4, 1.0.5, 1.0.8, 1.0.10, 1.0.11, and 39 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-hr5g-wqxg-m42m

References

github.com

Credits

Amazon Inspector · finder
OpenSSF: Package Analysis · finder

Detect & block this

O3 blocks admin0911-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring