Malicious package

rank4222wun (npm)

Malicious code in rank4222wun (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-489
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall rank4222wun

What this malware does

The package rank4222wun was found to contain malicious code.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The OpenSSF Package Analysis project identified 'rank4222wun' @ 1.0.14 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Malicious versions

40 flagged
1.0.6, 1.0.14, 1.0.15, 1.0.18, 1.0.19, 1.0.22, 1.0.28, 1.0.31, 1.0.32, 1.0.34, 1.0.39, 1.0.41, 1.0.44, 1.0.52, 1.0.53, 1.0.54, 1.0.56, 1.0.58, 1.0.60, 1.0.61, 1.0.62, 1.0.63, 1.0.64, 1.0.67, 1.0.68, 1.0.69, 1.0.70, 1.0.71, 1.0.72, 1.0.74, 1.0.76, 1.0.77, 1.0.78, 1.0.80, 1.0.88, 1.0.89, 1.0.90, 1.0.92, 1.0.95, 1.0.97

Indicators of compromise (SHA-256)

Detection & response playbook

  1. Find it

    Scan your lockfiles (package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, yarn.lock) and build artifacts for rank4222wun, including transitive copies nested under other dependencies. 40 versions are flagged, but the package itself is malicious, so treat any version as a hit. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging rank4222wun across your stack and pipelines.

  2. If you installed it — respond

    Remove rank4222wun from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials from a machine that never had the package installed, and audit for unexpected outbound activity or persistence on every host that did.

  3. Did it already run?

    If rank4222wun was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks rank4222wun before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
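The "Find it" step, as an added example that is not O3 Security's, npm's or the OpenSSF's code: a Node script that walks a package-lock.json of any lockfileVersion (1, 2 or 3), reports every occurrence of rank4222wun, direct or transitive, and marks which occurrences carry one of the 40 versions flagged above. The SAMPLE_LOCKFILE and the filename in the usage comment are constructed for the demonstration; only the package name and the version list come from this advisory.

```javascript
// Added example (not O3 Security's, npm's or the OpenSSF's code): locate a
// package in a package-lock.json of lockfileVersion 1, 2 or 3, including
// transitive copies, and mark occurrences whose version is in the flagged set.
// SAMPLE_LOCKFILE is constructed for the demo; the name and versions are the
// advisory's.
const PACKAGE = 'rank4222wun';

// The 40 versions listed under "Malicious versions" on this page.
const FLAGGED_VERSIONS = new Set([
  '1.0.6', '1.0.14', '1.0.15', '1.0.18', '1.0.19', '1.0.22', '1.0.28', '1.0.31',
  '1.0.32', '1.0.34', '1.0.39', '1.0.41', '1.0.44', '1.0.52', '1.0.53', '1.0.54',
  '1.0.56', '1.0.58', '1.0.60', '1.0.61', '1.0.62', '1.0.63', '1.0.64', '1.0.67',
  '1.0.68', '1.0.69', '1.0.70', '1.0.71', '1.0.72', '1.0.74', '1.0.76', '1.0.77',
  '1.0.78', '1.0.80', '1.0.88', '1.0.89', '1.0.90', '1.0.92', '1.0.95', '1.0.97',
]);

// lockfileVersion 1: nested "dependencies" trees, one level per node_modules dir.
function collectV1(deps, name, parentPath, out) {
  for (const [depName, info] of Object.entries(deps || {})) {
    const path = parentPath ? `${parentPath} > ${depName}` : depName;
    if (depName === name) out.push({ path, version: info.version });
    if (info.dependencies) collectV1(info.dependencies, name, path, out);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/some-lib/node_modules/rank4222wun". Scoped names keep their slash.
function collectV2(packages, name, out) {
  for (const [key, info] of Object.entries(packages || {})) {
    if (key === '') continue; // the root project entry
    const segments = key
      .split('node_modules/')
      .filter(Boolean)
      .map((s) => s.replace(/\/$/, ''));
    if (segments[segments.length - 1] === name) {
      out.push({ path: segments.join(' > '), version: info.version });
    }
  }
}

// Returns [{ path, version, flaggedVersion }] for every occurrence of `name`.
// A v2 lockfile carries both "packages" and a legacy "dependencies" tree; only
// one of them is walked so that occurrences are not counted twice.
function findPackage(lockfile, name = PACKAGE, flagged = FLAGGED_VERSIONS) {
  const found = [];
  if ((lockfile.lockfileVersion || 1) >= 2 && lockfile.packages) {
    collectV2(lockfile.packages, name, found);
  } else {
    collectV1(lockfile.dependencies, name, '', found);
  }
  return found.map((f) => ({ ...f, flaggedVersion: flagged.has(f.version) }));
}

// Constructed lockfile: one transitive copy on a flagged version and one direct
// copy on a version outside the flagged list. Per the advisory, both must go.
const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'some-lib': '^2.0.0' } },
    'node_modules/some-lib': { version: '2.1.0', dependencies: { [PACKAGE]: '^1.0.0' } },
    [`node_modules/some-lib/node_modules/${PACKAGE}`]: { version: '1.0.14' },
    [`node_modules/${PACKAGE}`]: { version: '1.0.10' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage (hypothetical filename): node find-rank4222wun.js [path/to/package-lock.json]
  // With no argument the constructed sample lockfile is scanned.
  const lockfile = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCKFILE;
  const hits = findPackage(lockfile);
  for (const h of hits) {
    const tag = h.flaggedVersion ? 'FLAGGED VERSION' : 'not in flagged list, still remove';
    console.log(`${h.path}@${h.version}  ${tag}`);
  }
  if (hits.length === 0) console.log(`${PACKAGE} not present in lockfile`);
}
```

The report deliberately lists copies whose version is not in the flagged set as well: the FAQ below says the package must not stay in the dependency tree at any version, so the version check only tells you which copies are confirmed to carry the analysed payload. For a quick cross-check in an installed tree, `npm ls rank4222wun --all` prints the same paths from node_modules rather than from the lockfile.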

Frequently asked questions

Is rank4222wun safe to install?

No. rank4222wun on npm has been identified as a malicious package (versions 1.0.6, 1.0.14, 1.0.15, 1.0.18, 1.0.19, 1.0.22, 1.0.28, 1.0.31, and 32 more flagged). It should be removed immediately; do not install it or keep it in your dependency tree at any version.

Campaign

GHSA-3phq-qxp9-55pv

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder

Detect & block this

O3 blocks rank4222wun-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.
