Which versions of xpack-sui are malicious?

The following npm versions of xpack-sui are flagged malicious: 1.0.0, 1.0.1, 1.0.2. Treat any of these as compromised.

How do I remediate xpack-sui if I installed it?

Remove xpack-sui from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed xpack-sui — how do I know if it already compromised me?

If xpack-sui was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is xpack-sui part of a known attack campaign?

Yes — xpack-sui is associated with the GHSA-9rq2-6v86-w222, RLMA-2026-01660, RLUA-2026-01838 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find xpack-sui across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for xpack-sui (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging xpack-sui across your stack and pipelines.

Malicious package

xpack-suinpm

Malicious code in xpack-sui (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-1161

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall xpack-sui

What this malware does

The package xpack-sui was found to contain malicious code.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

3 flagged

1.0.01.0.11.0.2

Indicators of compromise (SHA-256)

3fab32aa3396f63ec52f77a3d6ba319776c90390afa1264937a1537dde583443

6569d492596cfa28e2627bd747ac4bd380bf9ff0e7ce0d931036e5f8de9ed276

0cb73db841dcdf31b0ccfa93d68159454a8bd0e51a357d80e0594e54dd692fe4

22d6ca9e0a19c47672812dcab8e0506ea333a101461d43c27a716eacdd367c7f

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for xpack-sui (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging xpack-sui across your stack and pipelines.
If you installed it — respond
Remove xpack-sui from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If xpack-sui was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks xpack-sui before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. xpack-sui on npm has been identified as a malicious package (versions 1.0.0, 1.0.1, 1.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-9rq2-6v86-w222RLMA-2026-01660RLUA-2026-01838

References

Credits

Amazon Inspector · finder
ReversingLabs · finder

Detect & block this

O3 blocks xpack-sui-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring