What's the point of pulling the package that had the private key in it? The private key is probably in the hands of miscreants now. The key needs to be revoked ASAP, and blacklisted in any browser or other software that uses that type of certificate to authenticate plugins and extensions.