Malicious package

cw-isdk (npm)

Malicious code in cw-isdk (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-1420
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall cw-isdk

What this malware does

The package cw-isdk was found to contain malicious code.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The OpenSSF Package Analysis project identified 'cw-isdk' @ 20.0.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Malicious versions

16 flagged
1.0.0, 20.0.0, 22.0.0, 25.0.0, 26.0.0, 31.0.0, 32.0.0, 33.0.0, 34.0.0, 37.0.0, 38.0.0, 39.0.0, 40.0.7, 40.0.8, 40.0.9, 40.1.0

Indicators of compromise (SHA-256)

Detection & response playbook

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for cw-isdk (16 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging cw-isdk across your stack and pipelines.

  2. If you installed it — respond

    Remove cw-isdk from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If cw-isdk was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks cw-isdk before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
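
Step 1 above as an added example (not O3's scanner and not code from the advisory): a Node.js function that reports every cw-isdk entry in a parsed package-lock.json, including transitive ones, and marks exact matches against the 16 versions listed on this page. The function name, the output shape and both sample lockfiles are constructed for illustration.

```javascript
// Added example: report every cw-isdk entry in a parsed package-lock.json.
const PKG = "cw-isdk";
// The 16 versions this advisory lists as malicious.
const FLAGGED = new Set(["1.0.0", "20.0.0", "22.0.0", "25.0.0", "26.0.0", "31.0.0",
  "32.0.0", "33.0.0", "34.0.0", "37.0.0", "38.0.0", "39.0.0",
  "40.0.7", "40.0.8", "40.0.9", "40.1.0"]);

function findPackage(lock) {
  const hits = [];
  const record = (where, version) =>
    hits.push({ where, version, flagged: FLAGGED.has(version) });

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  // Prefer entry.name when present, otherwise take the name from the path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.split("node_modules/").pop();
    if (name === PKG) record(path, entry.version);
  }

  // lockfileVersion 1: nested "dependencies" tree. Skipped when "packages"
  // exists so a v2 file (which carries both) is not reported twice.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      if (name === PKG) record(where, entry.version);
      walk(entry.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (not from any real project).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.1.0" },
  "node_modules/left-pad": { version: "1.3.0" },
  "node_modules/some-lib/node_modules/cw-isdk": { version: "40.0.8" } } };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "some-lib": { version: "2.1.0",
    dependencies: { "cw-isdk": { version: "2.0.0" } } } } };

console.log(findPackage(SAMPLE_V3), findPackage(SAMPLE_V1));
```

For a real project, pass in `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Any hit warrants the response in step 2, since the advisory says not to keep the package in the dependency tree at all; the `flagged` field only tells you whether the version is one of the 16 listed.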

Frequently asked questions

No. cw-isdk on npm has been identified as a malicious package (versions 1.0.0, 20.0.0, 22.0.0, 25.0.0, 26.0.0, 31.0.0, 32.0.0, 33.0.0, and 8 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-4gjw-qxx7-crc6

References

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder

Detect & block this

O3 blocks cw-isdk-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

cw-isdk (npm) malicious package — MAL-2026-1420 | O3 Security