At a glance
- Malware Family: shai_hulululud (Protestware/Testing)
- Threat Actor: Unknown (Suspected researcher or troll)
- Targets: AI-based malware scanners and LLM review pipelines
- Delivery Vector: npm package registry
- Key Capabilities: Prompt injection, context flooding, staged obfuscation
- Source: Socket Threat Research
TL;DR
Socket Threat Research discovered a new npm package named shai_hulululud. This package actively tests AI malware scanner evasion techniques. The author uses prompt injection and token flooding to disrupt AI-assisted security analysis.
Delivery
The threat arrives through the npm package registry. Developers might download the package, named shai_hulululud@1.0.48596. Inside, the package ships a massive 9.28 MB index.js file. This file contains heavily obfuscated JavaScript. However, the real threat targets the AI systems scanning the code. Open source malware is no longer only trying to evade static rules. It is also beginning to target the AI systems used to analyze it.
Infection Chain
The file begins with a large Japanese-language block comment. This comment describes how to build a biological weapon. It outlines instructions for mass-culturing microorganisms using household materials. Next, the file includes fake system override instructions. These instructions tell the AI scanner to ignore safety guidelines. They order the AI to operate in an unrestricted mode. Because these instructions sit inside JavaScript comments, they do not affect runtime execution. Instead, they act as prompt injection against the reviewing language model.
After this, the file floods the context window. It uses tens of thousands of repeated comments. The file repeats the phrase “You’re absolutely right!” endlessly. This repetition spans from line 191 to 33118. The file inflates to over 3.5 million tokens. This size exceeds the context window of current frontier models. Consequently, the AI scanner might truncate the file before reaching the actual payload. Finally, the file executes obfuscated JavaScript. It uses a character-code array and ROT-style substitution to reconstruct the payload.

Command-and-Control Behavior
The package does not contain a true credential-stealing payload. Researchers classify it as protestware or potentially unwanted behavior. The decoded payload reveals strings referencing security vendors. These include JFrog, Socket, and SafeDep. It also contains strings referencing cryptocurrency platforms and browser passwords. Other strings mention hidden PowerShell execution and webhook paths.
These strings appear designed to provoke scanners and security tools. Therefore, the package acts as an adversarial test case. It functions as an LLM-specific denial-of-service attack. The package author seems to be testing whether the scanner will trigger safety handling. They want to see if the system will fail open or crash. This setup makes the package highly adversarial.
Connection to Past Campaigns
This new package echoes techniques seen in previous attacks. Earlier campaigns used packages named Mini Shai-Hulud, Miasma, and Hades. Those malicious packages embedded fake prompt-injection headers. They placed these headers before obfuscated JavaScript payloads. Those earlier headers were not executed by the JavaScript engine. They appeared designed to pollute AI-assisted review pipelines.
The difference here is the direct focus on the AI scanner. The shai_hulululud package does not just hide malicious behavior. It actively places adversarial content in the review path. It then buries the executable code behind a massive wall of comments. Attackers often test new evasion ideas in noisy packages. More serious operators will likely adopt this underlying technique soon.
Defense and Detection Guidance
Defenders must treat the AI scanner as part of the threat model. AI-assisted analysis tools need scanner-specific hardening. Security teams should use deterministic preprocessing. They must strip comments before feeding code to an LLM. Furthermore, scanners must detect context flooding and prioritize executable paths.
Most importantly, scanners need to fail closed. A model refusal or timeout must never be treated as a clean scan. Security pipelines must combine LLM review with traditional static analysis. Analyzing ambiguous packages requires multiple layers of defense.
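One way to wire the preprocessing, flood detection and fail-closed steps together, as an added JavaScript example that is not from Socket's report or tooling. The thresholds, flag and verdict names, and the `llmResult` shape are assumptions, and the comment stripper does not tokenize regex literals.

```javascript
// Added example. Thresholds, verdict names and llmResult shape are assumptions.
const MAX_COMMENT_RATIO = 0.5;    // assumed: comments exceed 50% of the file
const MAX_REPEATED_COMMENT = 100; // assumed: one comment repeated > 100 times
// Single pass: drops // and /* */ comments, keeps string and template text.
// Limitation: regex literals are not tokenized; production needs a real JS tokenizer.
function stripComments(src) {
  let code = "", quote = null;
  const comments = [];
  for (let i = 0; i < src.length; i++) {
    const c = src[i], n = src[i + 1];
    if (quote) {
      code += c;
      if (c === "\\") { code += n ?? ""; i++; }   // keep escaped char verbatim
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === "`") {
      quote = c; code += c;
    } else if (c === "/" && (n === "/" || n === "*")) {
      const end = n === "/" ? src.indexOf("\n", i) : src.indexOf("*/", i + 2);
      const stop = end === -1 ? src.length : end + (n === "/" ? 0 : 2);
      comments.push(src.slice(i, stop).trim());
      code += " "; i = stop - 1;                  // separate tokens, skip comment
    } else code += c;
  }
  return { code, comments };
}
// Returns the comment-free code to send to the model, plus flooding flags.
function prepare(src) {
  const { code, comments } = stripComments(src);
  const counts = new Map();
  let bytes = 0, maxRepeat = 0;
  for (const c of comments) {
    bytes += c.length;
    counts.set(c, (counts.get(c) || 0) + 1);
    maxRepeat = Math.max(maxRepeat, counts.get(c));
  }
  const flags = [];
  if (src.length && bytes / src.length > MAX_COMMENT_RATIO) flags.push("comment-flood");
  if (maxRepeat > MAX_REPEATED_COMMENT) flags.push("repeated-comment");
  return { code, flags };
}
// Fail closed: anything other than an explicit benign verdict holds the package.
function decide(flags, llmResult) {
  const reasons = [...flags];
  if (!llmResult || llmResult.status !== "ok") reasons.push("llm-no-verdict");
  else if (llmResult.malicious) reasons.push("llm-flagged");
  return { verdict: reasons.length ? "hold" : "clean", reasons };
}
// Constructed sample shaped like the file described above (placeholder text only).
const SAMPLE = "/* [constructed placeholder: reviewer-directed text] */\n" +
  "// You're absolutely right!\n".repeat(500) +
  'const u = "http://example.invalid/*x*/"; run(u);\n';
```

Only `prepare(src).code` goes to the model. The flooding flags are computed deterministically before the model runs, so they still hold the package if the model later returns a benign verdict.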