2026-02-02 — NPM package c11dff444 flagged as malware (GHSA-cpcr-74hm-pg3c)

Summary

GitHub has published a malware advisory for the NPM package c11dff444.

“Any computer that has this package installed or running should be considered fully compromised.”

  • Advisory: https://github.com/advisories/GHSA-cpcr-74hm-pg3c
  • Ecosystem: npm
  • Affected versions: >= 0
  • Patched versions: none

What to do (durable guidance)

If you find c11dff444 installed anywhere (directly or as a transitive dependency), treat it as an incident.

Immediate actions

  1. Contain
    • Stop affected workloads (CI runner, dev machine, container, server).
    • Preserve evidence (process list, network connections, install logs, lockfiles).

  2. Identify exposure
    • Search across:
      • package.json
      • package-lock.json / yarn.lock / pnpm-lock.yaml
      • build images and caches
    • Check whether it could have executed install hooks (preinstall/install/postinstall).

  3. Rotate secrets from a clean machine
    • CI tokens, cloud credentials, SSH keys, registry tokens, app secrets.

  4. Rebuild clean
    • Prefer re-imaging (don’t rely on “remove the package” as remediation).
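As an added example (not part of the advisory and not GitHub's tooling), a small Python script for the "identify exposure" step: it walks a directory tree for package.json and lockfiles that name c11dff444 and reports any installed copy that declares install hooks. The project it scans is constructed inline for a self-test, and the lockfile key patterns it matches (hoisted npm entries, yarn `name@range:` lines, pnpm `/name@version:` keys) are assumptions about those formats, not an exhaustive parser.

```python
import json
import re
import tempfile
from pathlib import Path

PKG = "c11dff444"  # package named in GHSA-cpcr-74hm-pg3c
HOOKS = ("preinstall", "install", "postinstall")
MANIFESTS = ("package.json", "package-lock.json", "yarn.lock", "pnpm-lock.yaml")

def mentions_package(path: Path) -> bool:
    """True if a manifest or lockfile names PKG, directly or as a (hoisted) transitive entry."""
    text = path.read_text(encoding="utf-8", errors="replace")
    if path.suffix == ".json":
        data = json.loads(text)
        # package.json dependency maps; package-lock v1 "dependencies", v2/v3 "packages"
        return any(k == PKG or k.endswith("/" + PKG)
                   for key in ("dependencies", "devDependencies", "optionalDependencies", "packages")
                   for k in (data.get(key) or {}))
    # yarn.lock entries start like `c11dff444@^1.0.0:`; pnpm-lock keys look like `/c11dff444@1.0.0:`
    return re.search(r"(^|[/\s\"'])" + re.escape(PKG) + r"[@:]", text, re.M) is not None

def install_hooks(node_modules: Path) -> dict:
    """Install hooks declared by a copy of PKG installed under this node_modules, if any."""
    manifest = node_modules / PKG / "package.json"
    if not manifest.is_file():
        return {}
    scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in HOOKS}

def scan_tree(root) -> tuple:
    """Return (manifests naming PKG, {node_modules dir: install hooks of an installed copy})."""
    root = Path(root)
    hits = sorted(str(p) for p in root.rglob("*") if p.name in MANIFESTS and p.is_file() and mentions_package(p))
    hooked = {str(d): install_hooks(d) for d in root.rglob("node_modules") if install_hooks(d)}
    return hits, hooked

def build_fixture() -> Path:
    """Constructed sample project for a self-test (not a real lockfile from any incident)."""
    root = Path(tempfile.mkdtemp())
    (root / "node_modules" / PKG).mkdir(parents=True)
    (root / "package.json").write_text(json.dumps({"dependencies": {"left-pad": "^1.3.0"}}))
    (root / "package-lock.json").write_text(json.dumps({"lockfileVersion": 3, "packages": {
        "node_modules/left-pad": {"version": "1.3.0"}, "node_modules/" + PKG: {"version": "1.0.0"}}}))
    (root / "yarn.lock").write_text('left-pad@^1.3.0:\n  version "1.3.0"\n\n' + PKG + '@^1.0.0:\n  version "1.0.0"\n')
    (root / "node_modules" / PKG / "package.json").write_text(  # constructed hook, illustrative only
        json.dumps({"name": PKG, "scripts": {"postinstall": "node setup.js"}}))
    return root

if __name__ == "__main__":
    print(scan_tree(build_fixture()))
```

Point `scan_tree` at a checkout, a CI workspace or an extracted container layer; a hit in a lockfile but not in package.json means the package arrived transitively, and any non-empty hook map means step 2's install-hook check is answered yes.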

Longer-term hardening

  • Use lockfiles and keep them under review.
  • Prefer ephemeral CI runners; avoid shared caches for sensitive steps.
  • Consider npm --ignore-scripts where feasible.
  • Generate SBOMs and scan/attest builds.