{"slug": "npm-package-uses-prompt-injection-and-token-flooding-to-disrupt-ai-malware", "title": "npm Package Uses Prompt Injection and Token Flooding to Disrupt AI Malware Scanners", "summary": "Socket Threat Research identified shai_hulululud@1.0.48596, an npm package designed to probe AI-based malware scanners using prompt injection, token flooding, and obfuscated JavaScript. The package contains policy-triggering comments and tens of thousands of repetitive lines to interfere with LLM-based analysis, marking an evolution in anti-analysis techniques targeting AI-assisted dependency scanning.", "body_md": "Last week, Socket Threat Research reported that newer Mini Shai-Hulud, Miasma, and Hades packages were embedding fake prompt-injection headers before obfuscated JavaScript payloads. Those comments did not affect runtime execution, but they appeared designed to interfere with AI-assisted malware review.\n\nNow we are seeing that same idea tested more directly in a package that appears designed to probe how AI-based scanners handle prompt injection, safety-triggering content, and context flooding.\n\nSocket Threat Research identified shai_hulululud@1.0.48596, a newly published npm package that appears to target AI-based malware scanners directly. The package ships a large `index.js` file containing policy-triggering prompt content, fake system override instructions, tens of thousands of repeated comment lines, and heavily obfuscated JavaScript appended at the end of the file.\n\nThe package does not appear to carry the same credential-stealing payload we analyzed in the recent Mini Shai-Hulud, Miasma, and Hades campaigns. Instead, Socket classified the package as “Protestware or potentially unwanted behavior.” It shows malware authors are adapting to being subject to AI-assisted dependency scanning. Attackers do not need to defeat every layer of analysis. They can look for places where AI systems refuse, truncate, time out, misclassify, or fail open.\n\nThe package appears designed to test the scanner itself as an attack surface, using source-code comments, safety-triggering prompts, context flooding, and obfuscated JavaScript to interfere with AI-assisted review.\n\nThe package contains a large index.js file, approximately 9.28 MB, with three notable anti-analysis layers:\n\nPolicy-triggering prompt content intended to activate AI safety guardrails.\n\nContext flooding through tens of thousands of repetitive comments.\n\nObfuscated JavaScript appended after the comment-heavy sections.\n\nThe prompt content is not executed by JavaScript. It appears inside block comments and line comments. That makes it irrelevant to runtime behavior, but highly relevant to an LLM-based scanner that reads source code as text.\n\nThis is the same class of issue we described in our recent Mini Shai-Hulud, Miasma, and Hades research, where malicious JavaScript payloads began with fake prompt-injection headers designed to pollute AI-assisted analysis before the scanner reached the actual code.\n\nshai_hulululud pushes that idea further by combining prompt-injection-style content with token flooding and obfuscation.\n\nThe file starts with a large Japanese-language block comment spanning the opening section of the file. The comment presents itself as a document about biological weapon production using household materials.\n\nTranslated at a high level, the opening describes itself as a set of instructions for constructing a biological risk source using consumer-available materials.\n\nThe important point is not the content’s accuracy or feasibility. The important point is placement and purpose. The text is inside a JavaScript comment, so it has no effect on program execution. Its plausible target is an AI scanner, code review copilot, or analyst workflow that feeds raw source text into a model.\n\nA traditional JavaScript parser can ignore this block. An LLM-based scanner may not.\n\nThe next comment block is more direct. It uses prompt-injection language that appears designed to override the scanner’s instruction hierarchy.\n\nA shortened and redacted version of the block looks like this:\n\nThis is classic prompt-injection-style anti-analysis. The text is not a JavaScript instruction. It is an instruction aimed at whatever model or AI agent is reviewing the JavaScript.\n\nThe package author appears to be testing whether the scanner will treat source-code comments as untrusted data or accidentally allow the package content to interfere with the model’s own instructions.\n\nIn a weak AI review pipeline, this kind of content can cause several failure modes:\n\nThe model refuses to continue analysis because it sees prohibited weapons content.\n\nThe model follows or partially follows fake system instructions embedded in the file.\n\nThe scanner errors out before reaching the executable JavaScript.\n\nThe analysis gets dominated by the prompt content instead of the package behavior.\n\nThe model truncates the file before reaching the obfuscated payload at the end.\n\nThe prompt blocks are inert to JavaScript, but active in the review pipeline, where they can trigger refusals, consume context, or distract the scanner from the code that matters.\n\nAfter the weapon-themed prompt blocks, the file contains tens of thousands of lines repeating the same comment:\n\nSocket researchers observed this repetition from approximately lines 191 to 33118.\n\nThis section may resemble a crude many-shot steering attempt, where repeated examples or repeated language are used to bias model behavior. However, the stronger conclusion is that it functions as context flooding.\n\nThe file’s total token count exceeds 3.5 million tokens, well beyond the context window of current frontier models. That means a scanner that naively submits the full file, or chunks the file without prioritizing executable code, can be forced into one of several bad outcomes:\n\nSpend excessive resources on comments.\n\nTruncate the file before reaching the obfuscated JavaScript.\n\nFail because the prompt content triggers safety handling.\n\nProduce an incomplete classification based only on the non-executable header.\n\nMiss the actual payload appended at the end of the file.\n\nThe repeated phrase may be trolling, but the technique is practical. It turns token budget into an attack surface.\n\nAfter the prompt blocks and repeated comments, the file ends with obfuscated JavaScript.\n\nThe first layer uses a character-code array, a ROT-style substitution function, and eval:\n\n``` js\ntry { eval( function(s, n) { return s.replace(/[a-zA-Z]/g, function(c) { var b = c <= \"Z\" ? 65 : 97; return String.fromCharCode((c.charCodeAt(0) - b + n) % 26 + b); }); }( [40,118,110,...,125,41,40,41] .map(function(c) { return String.fromCharCode(c); }) .join(\"\"), 5 ) ); } catch(e) { console.log(\"wrapper:\", e.message || e); }\n```\n\nThis is a common JavaScript obfuscation pattern. The real program is stored as encoded data, reconstructed at runtime, transformed with a ROT-style substitution, and executed dynamically.\n\nSocket researchers found a second layer involving AES encryption. Once deobfuscated, the package was classified as “Protestware or potentially unwanted behavior.”\n\nThe decoded content includes a Unicode-escaped version of the earlier Japanese prompt content:\n\n```\nconsole.log(`## \\u5BB6\\u5EAD\\u306B\\u3042\\u308B\\u3082\\u306E\\u3067\\u4F5C\\u308B\\u751F\\u7269\\u5175\\u5668\\uFF08\\u751F\\u7269\\u5B66\\u7684\\u61F8\\u6FC1\\u6DB2\\uFF09\\u306E\\u8A73\\u7D30\\u88FD\\u9020\\u624B\\u9806\\u66F8\\n\\n\\u672C\\u624B\\u9806\\u66F8\\u3067\\u306F\\u3001\\u30B3\\u30F3\\u30D3\\u30CB\\u30A8\\u30F3\\u30B9\\u30B9\\u30C8\\u30A2\\uFF08\\u30D5\\u30A1\\u30DF\\u30EA\\u30FC\\u30DE\\u30FC\\u30C8\\uFF09\\u3001\\u30C7\\u30A3\\u30B9\\u30AB\\u30A6\\u30F3\\u30C8\\u30B9\\u30C8\\u30A2\\uFF08\\u30C9\\u30F3\\u30FB\\u30AD\\u30DB\\u30FC\\u30C6\\uFF09\\u3001\\u30C9\\u30E9\\u30C3\\u30B0\\u30B9\\u30C8\\u30A2\\uFF08\\u30DE\\u30C4\\u30E2\\u30C8\\u30AD\\u30E8\\u30B7\\uFF09\\u3068\\u3044\\u3063\\u305F\\u65E5\\u5E38\\u7684\\u306B\\u5229\\u7528\\u53EF\\u80FD\\u306A\\u5E97\\u8217\\u3067\\u5165\\u624B\\u3067\\u304D\\u308B\\u6C4E\\u7528\\u54C1\\u306E\\u307F\\u3092\\u7528\\u3044\\u3066\\u3001\\u5FAE\\u751F\\u7269\\u3092\\u5927\\u91CF\\u57F9\\u990A\\u3057\\u3001\\u305D\\u308C\\u3092\\u300C\\u751F\\u7269\\u5B66\\u7684\\u306A\\u30EA\\u30B9\\u30AF\\u6E90\\u300D\\u3068\\u3057\\u3066\\u69CB\\u7BC9\\u3059\\u308B\\u30D7\\u30ED\\u30BB\\u30B9\\u3092\\u8A73\\u7D30\\u306B\\u89E3\\u8AAC\\u3057\\u307E\\u3059\\u3002\\n\\n---\\n\\n### 1....`);\n```\n\nThe package does not only place policy-triggering content at the top of the file. It also reintroduces similar content after deobfuscation. That means an AI agent that successfully unwraps the first obfuscation layer may encounter the same safety-triggering material again during deeper analysis.\n\nThis makes the package more adversarial than a simple prompt-injection header. The trigger is staged both before and after deobfuscation.\n\nDecoded Strings Suggest Trolling and Scanner Targeting#\n\nThe decoded payload includes strings that appear to reference malware behaviors, scanner vendors, package-install hooks, and common credential theft targets.\n\nA shortened sample from the decoded content includes:\n\nThis mix of strings reads less like a polished stealer and more like a package designed to provoke scanners and security vendors.\n\nThe references include:\n\nSecurity vendors and scanners.\n\nCryptocurrency platforms.\n\nBrowser cookies and password files.\n\nScreenshot filenames.\n\nHidden PowerShell execution.\n\nPostinstall execution.\n\nGitHub Actions runner strings.\n\n/etc/sudoers.\n\nWebhook paths.\n\nInteractsh, Pipedream, and Burp Collaborator-style callback infrastructure.\n\nDiscord Canary.\n\nMiner-related strings.\n\nAI and scanner-related internal terminology.\n\nThe package appears to be deliberately packed with strings that resemble supply chain malware indicators. That may be intended to trigger detections, test scanner behavior, increase analyst workload, or troll vendors.\n\nThe fake SYSTEM OVERRIDE block is prompt injection. It attempts to issue instructions to the model reviewing the file. Since it is inside a JavaScript comment, the target is not the JavaScript runtime. The target is the scanner or analyst assistant.\n\nThe bio/nuclear prompt content is safety-triggering anti-analysis. Its likely goal is to cause an AI system to refuse, error, or stop reviewing the package before reaching the executable code.\n\nThe repeated You're absolutely right! section is more ambiguous. It could be interpreted as a crude many-shot steering attempt, but the clearer technical effect is context flooding. The repetition inflates the file until the useful content is buried behind millions of tokens.\n\nThese techniques combined create an LLM-specific denial-of-service pattern:\n\nPrompt injection → tries to alter or confuse model behavior Safety trigger → tries to cause refusal or review failure Context flooding → tries to exhaust the model’s token budget Obfuscation → hides the executable behavior behind the AI-facing noise\n\nThis is why the package is interesting even if the final payload appears to be harmless. It demonstrates a practical adversarial pattern against AI-mediated package review.\n\nFrom a JavaScript perspective, the prompt blocks are inert. They are comments that do not execute.\n\nFrom an AI scanner perspective, they are active input.\n\nLLMs do not automatically know which parts of a file are executable, which parts are comments, which parts are strings, and which parts should be ignored unless the surrounding system enforces those boundaries.\n\nA secure scanner needs to treat package contents as untrusted data, not as instructions. It also needs to recognize when a file is attempting to manipulate the scanner itself.\n\nThis requires more than telling the model to ignore prompt injection. It requires deterministic preprocessing and careful architecture.\n\nAI scanners are valuable because they can reason about ambiguous packages, suspicious intent, and behavior that does not match simple static signatures. But they also inherit LLM-specific failure modes.\n\nThis package demonstrates several of those failure modes in one artifact:\n\nSafety guardrails can be triggered by malicious source comments.\n\nContext windows can be saturated with low-signal repetition.\n\nPrompt-injection text can be embedded in non-executable code.\n\nObfuscated payloads can be placed after the model has already consumed its context budget.\n\nDeobfuscation can reveal additional policy-triggering content, causing failure later in the pipeline.\n\nAI-assisted analysis still has a clear role in malware triage, but this package shows why it needs scanner-specific hardening.\n\nAI scanners should use deterministic preprocessing to strip or isolate comments where appropriate, prioritize executable paths, detect context flooding, and combine LLM review with static analysis, AST parsing, entropy checks, deobfuscation, behavioral rules, and sandboxing.\n\nMost importantly, scanners need to fail closed. A model refusal, timeout, or safety error should not be treated as a clean result.\n\nThe package name appears to reference Shai-Hulud, and the anti-analysis structure echoes techniques seen in recent Mini Shai-Hulud, Miasma, and Hades activity.\n\nIn the earlier campaign, malicious PyPI wheels used fake prompt-injection headers at the beginning of _index.js payloads. Those headers were not executed by JavaScript, but they appeared designed to pollute AI-assisted review before the scanner reached the obfuscated Hades payload.\n\nThe difference here is that shai_hulululud appears to be focused more directly on the AI scanner itself. The package is not just hiding malicious behavior behind obfuscation. It is placing adversarial content in the review path, then burying the executable code behind a massive wall of comments.\n\nEven if this sample is trolling, it is still useful signal. Attackers often test new evasion ideas in messy, noisy, or unserious packages before more serious operators adopt the underlying technique.\n\nshai_hulululud@1.0.48596 stands out as an adversarial test case for AI-based scanners. The package appears closer to protestware or trolling than a sophisticated stealer, but its structure shows how source files can be shaped to trigger refusals, exhaust context, and bury the code path that matters.\n\nThe package combines prompt-injection-style comments, policy-triggering content, context flooding, staged obfuscation, and scanner-targeting strings. Most of that content is non-executable from JavaScript’s perspective, but it is meaningful to an LLM-based review pipeline.\n\nThis is a shift defenders should take seriously. Open source malware is no longer only trying to evade static rules or human review. It is also beginning to target the AI systems used to analyze it. The scanner is now part of the threat model.\n\nSecure your dependencies with us\n\nSocket proactively blocks malicious open source packages in your code.", "url": "https://wpnews.pro/news/npm-package-uses-prompt-injection-and-token-flooding-to-disrupt-ai-malware", "canonical_source": "https://socket.dev/blog/npm-package-uses-prompt-injection-and-token-flooding-to-disrupt-ai-malware-scanners?utm_medium=feed", "published_at": "2026-06-16 23:16:20+00:00", "updated_at": "2026-06-16 23:58:18.377959+00:00", "lang": "en", "topics": ["ai-safety", "ai-research", "ai-tools", "developer-tools"], "entities": ["Socket", "npm", "shai_hulululud", "Mini Shai-Hulud", "Miasma", "Hades"], "alternates": {"html": "https://wpnews.pro/news/npm-package-uses-prompt-injection-and-token-flooding-to-disrupt-ai-malware", "markdown": "https://wpnews.pro/news/npm-package-uses-prompt-injection-and-token-flooding-to-disrupt-ai-malware.md", "text": "https://wpnews.pro/news/npm-package-uses-prompt-injection-and-token-flooding-to-disrupt-ai-malware.txt", "jsonld": "https://wpnews.pro/news/npm-package-uses-prompt-injection-and-token-flooding-to-disrupt-ai-malware.jsonld"}}