Malicious package

admin1001 (npm)

Malicious code in admin1001 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-246
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall admin1001

What this malware does

The package admin1001 was found to contain malicious code.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The OpenSSF Package Analysis project identified 'admin1001' @ 4.3.100 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Malicious versions

74 flagged
3.0.4, 4.0.2, 4.0.4, 4.0.5, 4.0.6, 4.1.3, 4.1.5, 4.1.7, 4.2.0, 4.2.1, 4.2.2, 4.3.4, 4.3.7, 4.3.9, 4.3.11, 4.3.13, 4.3.14, 4.3.16, 4.3.19, 4.3.22, 4.3.23, 4.3.26, 4.3.27, 4.3.31, 4.3.34, 4.3.35, 4.3.36, 4.3.41, 4.3.43, 4.3.46, 4.3.48, 4.3.49, 4.3.51, 4.3.56, 4.3.57, 4.3.58, 4.3.59, 4.3.65, 4.3.66, 4.3.67, 4.3.73, 4.3.77, 4.3.79, 4.3.81, 4.3.82, 4.3.83, 4.3.93, 4.3.94, 4.3.96, 4.3.98, 4.3.100, 4.3.102, 4.3.104, 4.3.106, 4.3.108, 4.3.110, 4.3.111, 4.3.112, 4.4.1, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.12, 4.4.14, 4.4.15, 4.4.28, 4.4.30, 4.4.34, 4.4.38, 4.4.39, 4.4.46, 4.4.48

Indicators of compromise (SHA-256)

Detection & response playbook

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for admin1001 (74 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging admin1001 across your stack and pipelines.

  2. If you installed it — respond

    Remove admin1001 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If admin1001 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks admin1001 before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
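
Step 1 ("Find it") for npm lockfiles, as an added example (not O3's scanner and not code from the advisory): it walks a parsed package-lock.json in both the v2/v3 "packages" layout and the v1 "dependencies" tree and reports every copy of admin1001, including transitive and aliased installs. The findPackage name and the sample lockfile are constructed for illustration; any version is reported, since the advisory says not to keep the package in the dependency tree.

```javascript
// Added example: find every installed copy of a package in a parsed
// package-lock.json, covering lockfileVersion 1, 2 and 3 and npm aliases.
const TARGET = 'admin1001';

function findPackage(lock, name = TARGET) {
  const hits = new Map(); // install path -> version, de-duplicated across both sections

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.includes('node_modules/')) continue; // root project or workspace folder
    // The last node_modules segment is the folder name; an aliased install
    // records the real package name in meta.name.
    const folder = path.split('node_modules/').pop();
    if ((meta.name || folder) === name) hits.set(path, meta.version);
  }

  // lockfileVersion 1 (and the legacy section of v2): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      // v1 writes an alias as version "npm:<real-name>@<version>".
      const alias = /^npm:(.+)@([^@]+)$/.exec(meta.version || '');
      const real = alias ? alias[1] : dep;
      if (real === name && !hits.has(path)) hits.set(path, alias ? alias[2] : meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');

  return [...hits].map(([path, version]) => ({ path, version }));
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/admin1001-utils': { version: '1.0.0' }, // similar name, must not match
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/left-pad/node_modules/admin1001': { version: '4.3.100' }, // transitive copy
    'node_modules/dashboard': { name: 'admin1001', version: '4.4.48' }, // aliased install
  },
  dependencies: {
    'left-pad': { version: '1.3.0', dependencies: { admin1001: { version: '4.3.100' } } },
    dashboard: { version: 'npm:admin1001@4.4.48' },
  },
};

console.log(findPackage(sampleLock));
```

To check a real project, pass the result of JSON.parse on its package-lock.json to findPackage; a non-empty result means the response steps above apply.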

Frequently asked questions

No. admin1001 on npm has been identified as a malicious package (versions 3.0.4, 4.0.2, 4.0.4, 4.0.5, 4.0.6, 4.1.3, 4.1.5, 4.1.7, and 66 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-j48w-xpqc-jv3w

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder

Detect & block this

O3 blocks admin1001-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.
