How do I remediate admin10001 if I installed it?

Remove admin10001 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed admin10001 — how do I know if it already compromised me?

If admin10001 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is admin10001 part of a known attack campaign?

Yes — admin10001 is associated with the GHSA-m8m9-h738-g5fh campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find admin10001 across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for admin10001 (102 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging admin10001 across your stack and pipelines.

Malicious package

admin10001npm

Malicious code in admin10001 (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-322

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall admin10001

What this malware does

The package admin10001 was found to contain malicious code.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The OpenSSF Package Analysis project identified 'admin10001' @ 1.0.107 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.

Malicious versions

102 flagged

1.0.01.0.31.0.41.0.71.0.81.0.101.0.131.0.141.0.151.0.181.0.201.0.211.0.221.0.241.0.251.0.271.0.291.0.311.0.341.0.351.0.361.0.381.0.401.0.411.0.431.0.451.0.461.0.481.0.491.0.511.0.521.0.531.0.561.0.581.0.591.0.611.0.641.0.651.0.671.0.691.0.701.0.711.0.731.0.741.0.761.0.781.0.791.0.821.0.841.0.891.0.901.0.921.0.931.0.941.0.961.0.981.0.1001.0.1051.0.1061.0.1071.0.1111.0.1131.0.1151.0.1171.0.1181.0.1201.0.1221.0.1241.0.1251.0.1261.0.1271.0.1291.0.1321.0.1331.0.1341.0.1371.0.1381.0.1411.0.1421.0.1431.0.1441.0.1451.0.1481.0.1501.0.1511.0.1531.0.1561.0.1581.0.1591.0.1611.0.1641.0.1651.0.1661.0.1711.0.1721.0.1731.0.1741.0.1771.0.1781.0.1811.0.1821.0.183

Indicators of compromise (SHA-256)

543fb72dd74b0801e24b9fc6a43ed5d9e4174a52f66aefe1d2326b3ec4479169

c41f0f4e4bc9426a89f82f30c8d33ccbd2b95dc47f1a8c79cb0ae3a2a6c7ff66

ac69c191b3d52f36cda36bc4359ae3a62f407c142b505fd6393535e822b52f59

a3e25d3ac3e77c1f6287100db0a8222ba90e55124a4128ff7136ee5e77d72266

fbba6d4c418ec45bbd5c77a2b40f1a3335b5d2bd846f2fb53ad3bcea6a64a889

e3ec3f1ce4d68547a01ee5577c5d4163890db4bba874034852b9b5e30a6c0cf1

1d08c9d7244ae2b190885a1c094d72243c46eae5cd3b638bee2e9b2ee18100e0

27fc8e3904a37e6077895c344947a72495813dcfc208b4dea2b4bb5b415e706b

66ae1ed071b8fef7052c076fb433103cc4f0081a26bc1419f303f699006d0fca

fad3da234cfebc43b5db538b45b2afd6214af829618013ee42e9a43c5c10da32

555b7350f527f78c99a5b10b702cf257d6933e6cf674a00243a4bebbd94507cf

b2bf28e629e80790dd731a7ce12881c3a910229f3217dfe11dab6ea97d389e32

c43ff6ef9b8494597d950016bf4bd40dcbecd638275e9263e57b2359e488955c

ce42e356159e6ebb423a8155b0d05c1f29db1ac276ba51567e1ba349ef222f33

ee9103c6a8c8f47561a9497f92fd1f6147c3b5ee3a5eab60aa79aed89847e86b

ffc47c76c6b9f1c6698913fb9d6c2fea00576d0363964d00d6554afe90b5e562

8ff5e7ec4443819159014997d887f5910e2fa0d12380e68f27dd7fe02268ebd4

c87cb8a8f5ae214d9f4819e47753adda465323ac66a26b79f0e9e5c539a283b4

16c76fdf8e2061f3f88a1e60e756633dcf4a8966595a80620760567f65831a69

2064ead1b4e9052cc303811c7374b83825b56837eda6dc60e43cb95af2f0a151

208c1ae77f4027350dfca2605206df85b13b658dc24890d957bbdc60f40f9396

3c04dc19dbc1db62dc9a3b9fd6d8ed26e39883880de6c5a87d615a33a3ccbb74

440bbac5c4f27ef7b2ee0288a0615fa77fe4293314ffdb4c6c8c0d78f1583249

19885823895b896b44b34561a531661b09628a7a9900a4fb9332c0859495fb84

51f810a57b93814d5268865610bf2ff3f5dfb1f269be1704acada868b4ab8601

b6d1f1d967afed49ea592048cde946c1831f0168ded0bf94c687e0dd3eb3a81b

fc67b8ddf34643f5a2e97b0e4df221d39164dabf0614f6686ab3de7017647ebe

929cd54329878cd6858e78423242aeddbd33a30a2468e2c8e9fd5864d1974812

991543df652fd7185da92e596ee3013c6c05fad74a0f71a595cd1bbce88b1d86

efb530add1c5ecb091a091420daa41b612ccd830738ac7ba75b7a1d4ef165f35

f71f93f03e71e6570a0ccf87a3ece7dbf62dd5462b951518a3c07cf065fe4886

0e7d489c0c704a2542c08b1a494b4970911af27d7cf3554e68758e023fd1275c

73fa51e1611624b69804026933fe6d6d5b0fcd327b462538cf98e9c79c5b2550

d57d805cb7bcac315645c40191a9f6189bae5dc8d4e04ffb9480521ad393b1fb

dbc4cae10057b343e1d0351197a5f2ec3a5868db2398fd9b932ee85d578bcceb

e4a1605eb8edde8bdbf8b9ff6102fc8eb47e350badb5208a6261aff54e61be0f

f888fd0354210b05cae0ba6adafe5dd47dbd1371374e07b9d7a19ea14c3f75de

360798947fd54054c509ecccc0806e40166dfff880a84a3b49f340b0801e1904

597484cf4de0ae0520e70b192353c5b8f30a3eb8011b7d9d58e774b82221d26b

7cd53ffa0b7cda490b747edc963811a28de45ef05892d345c99d4977876e2c71

d7f7f2cf09d78dbf1ab254712099d508bcf4ca877fd0cbffb875c29bfc62e3a5

0da41dfa4bd921a7005518748d378c70504ce05dba1e187770c5da74ad4e4837

1430b44a47f128fd5d5fb41cccd529631cf986837da0b9ccfdc2e43cb4e0cd2f

19c2b80ee788e263ddf0f9b07cd2852f226c907f91fc07b0f941a0f4d1f3b901

8d9c6a903ba691d2bd86d684c376059d4a3cc30768ddcb1bebb86f193814c2fb

ab7607b7d949dacae1680cb4000791e3a341924f8b2ba9da0dc473193c03b7da

d0a8fafee7fe3b2d18d37ddb21b9776ea0c6b056e58573bd8ce18991f39cc5dc

3da503f36c8d9192d9d020068b8db1ff49c164c5be19c886a98fdc3900a9f319

47c8d9e595a1819be1d5df558a25c1372ae771db8e28fa82350517e8daa17b92

bb295829c6159abbf52fbadeb6bd33b73dbccac67b235fd5dde0433aeb9816b7

da99a14eb723185e64223fdc6db454de9d178f2f68fe5ffd85eb210eb82c3c0d

20e7a90b1148f11a37a83485f7c2bf4127ecd600123a7f6a9aff0d8ec2f9f453

a290b9e631d1c85d6bcdbff8118aa4d51087bc8537f626b62006ef3ff38bfaaa

a5510f9480f8169cae5336c80eb5f0108775b195a487171713cb24eeea29f607

b7d140518be652f49a038ed0728ec6814d8c2c434a22e1d3ae955e5d8bdd07c7

065613074af4477848f512912797945118719f8a78d11e96304c37e450569850

3ed48c1606aff2e84ffe1fdaa79c62494e4fcb8c7a47e0597c3ac6fe5e135b5b

7a8b88010e39d987d9f25cd9ea93c8ade7ea21324cacec3dd173f5aae81b6692

db4638bf3a3ff59bb301562d409fd5bd419363b98758080317e3f0e345f47552

e43fcc415f5112615332d224452f5599c283baab07366e151c2276261d589118

06581108b30f673871cd404bdb0720897b2b73c1d421f612f02760e024054317

4e6a9817843761a809cf3fd1fe76da31f8844953e0c3eaaf050afc2d04ec87b4

57c3ba16eca940b07c47a4ea8d075299d1c7eee3fb9ea9a9b326c02272821057

8c15de751bb5d1f0006a71e212f335ffd74bb38189943eda1f20b6d178a87f61

b033608c424325fff07b10276f2920dcbfc9d8c2d0792b1c8e372fbf649e03db

bc672c8c239e216dc97e0afb960b626c00290ca68d4c1b58da8e01bcf7d03507

057d5b06d7be3ec1139a4f7cbba28913a60f2c294a2f844158f7a505e81a50e3

08593591df75a95659f1dfa1a733c5f48f86ee2fdb3229d5a2fecbb4d548d1a0

0b75fe7c6ad18465920677f6e7f6c7e4e8b21d64e0d6452bc99817d65fc993b3

4979c444595ddb6c13858e5bead517969f4d8d0b52a3533522785e228f8d1b26

a3ba08b26c7ce775bcd400bcb9ec3e2e24a69d8e229c425074935364cadd7c12

3232e3402d7082e7e19ebec1865e8bc803955eb1d73039dfedadb813eaf07fe2

6143fa5cc4699ddc78dadecef6fd58332dcf809f64af8d6f6419a190d8e964b8

ed0a59a1f800cf1224b6813e1544a520a99b25eca9db4bdaeceb3c34e67cbf10

ffc5842edfa21504feb5f04f899203c7d7c4db20f0498129c8ab7d63faa5600e

f50253c375671d7ed730ccd9274c9da9cccaadb2021c4675c2f769af14885bb5

40a0b0cec093a65543a56c71f39750f1cc6f8fdb81ace3c6e633d05b05a70830

96830100fcb131c3244486a041c6778616fd2dd25a17687230aef1c5edca695c

9d5ba5e5dc407e58402d25c6df9873fb88df8cb0930ca3d13d819717b1a98578

cd570fc6c4233498e2350e93058f514a00c6bc39541a7d2c3e7c482a276277c2

22a7558b1e322f37fa3d363d96e1aaded08c768f72b8fd90b18f2f80b7c2c4fa

8672caeb8f47df3104dd646404cd8e28b458d1624598e0d80d1fd42439ca828a

0950151b145e142edfb323c5c11b5886c168597e6c4ee610e01fae322e8770e7

3b207ad3f7d81eba33baf0e73a6d084e6308205694118e0e8b53ca90db90975f

7121d10eef1f9226847710eb3388f62c0310d73de9552c58596a0994e10da01d

76ef12a4be844350e27684d971d144c87a6679860bc8b1506cfffaadbf29a90c

84162e495460678d2235237f14d64beacd49479fd1d27f72c25e829433056aa5

6ecac505af062b8b61b70cef2b6250fe606d4cb97223a1dfdc083e47f78340bd

b69581a75bc5a3893fedda1a321909eeddf3a3bfc63e2a93cb602ed2256d6abd

cff45ada73c4ab37d14e0723be4f58133493b62f10763ae0a8ba8e517982a152

e9fb1231ae3cd53083313c683ab89e9a63cdaa8a14e486ae220008216b122b39

ed4a798a170a22408bd3e00a02adeeaafde408a3cf29660c0e616c570c3788eb

00371c7c4e0bf6131fc0622b400f207ea46dbc10d72777bcb034dc76b3d3c3a3

16f849793fcc6285160d559fe65947314c6d7bb02d9922df54c923f0587414a1

a7cf6c5926cd4e790090969f4518c41060affd67e9b7a240c73eadfe4fa51227

d608aabe6b4b37ceb4898e7a37cd9fcda98fcc7d99784b17ba9521a9c1158826

dee826515737ea7ded6cea7337849ccec95a9ce6a7850cce422cc2d5d2b4c39d

1f54c3bd7d64dec032b8f5a6c4e1a985fede8fefd1e4244b8d5923da31db07a7

73315c4a5483881966d3825794dd5d648fe5dd56ebc1e7768a94b6fa92fa57e5

16856438f1c5bb6b230cb87e8903e6b603fbb6016ac85e9921557e9d70204e9f

b19919b3c5e5ebb2432be9f256602e9a733e920f3d852a0322afb406819c425c

fabd7b0c29859eb3373fc29ec60b7ae35129c10d27f07b7fd336f475afbb0aeb

cd2649bb4fa68be63a9cdca6eb598a2c9b756cdfbbf050c3fa915074bccb1e1d

dc13d446931a724bb83502dcd6a100131d103739a7f43eccb645e74db533433c

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for admin10001 (102 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging admin10001 across your stack and pipelines.
If you installed it — respond
Remove admin10001 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If admin10001 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks admin10001 before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. admin10001 on npm has been identified as a malicious package (versions 1.0.0, 1.0.3, 1.0.4, 1.0.7, 1.0.8, 1.0.10, 1.0.13, 1.0.14, and 94 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-m8m9-h738-g5fh

References

github.com

Credits

Amazon Inspector · finder
OpenSSF: Package Analysis · finder

Detect & block this

O3 blocks admin10001-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring