npm Package Uses Prompt Injection and Token Flooding to Disrupt AI Malware Scanners

Socket Threat Research identified shai_hulululud@1.0.48596, an npm package designed to probe AI-based malware scanners using prompt injection, token flooding, and obfuscated JavaScript. The package contains policy-triggering comments and tens of thousands of repetitive lines to interfere with LLM-based analysis, marking an evolution in anti-analysis techniques targeting AI-assisted dependency scanning.

Last week, Socket Threat Research reported that newer Mini Shai-Hulud, Miasma, and Hades packages were embedding fake prompt-injection headers before obfuscated JavaScript payloads. Those comments did not affect runtime execution, but they appeared designed to interfere with AI-assisted malware review. Now we are seeing that same idea tested more directly in a package that appears designed to probe how AI-based scanners handle prompt injection, safety-triggering content, and context flooding.

Socket Threat Research identified shai_hulululud@1.0.48596, a newly published npm package that appears to target AI-based malware scanners directly. The package ships a large index.js file containing policy-triggering prompt content, fake system override instructions, tens of thousands of repeated comment lines, and heavily obfuscated JavaScript appended at the end of the file.

The package does not appear to carry the same credential-stealing payload we analyzed in the recent Mini Shai-Hulud, Miasma, and Hades campaigns. Instead, Socket classified the package as “Protestware or potentially unwanted behavior.”

It shows that malware authors are adapting to AI-assisted dependency scanning. Attackers do not need to defeat every layer of analysis. They can look for places where AI systems refuse, truncate, time out, misclassify, or fail open.
The package appears designed to test the scanner itself as an attack surface, using source-code comments, safety-triggering prompts, context flooding, and obfuscated JavaScript to interfere with AI-assisted review.

The package contains a large index.js file, approximately 9.28 MB, with three notable anti-analysis layers:

- Policy-triggering prompt content intended to activate AI safety guardrails.
- Context flooding through tens of thousands of repetitive comments.
- Obfuscated JavaScript appended after the comment-heavy sections.

The prompt content is not executed by JavaScript. It appears inside block comments and line comments. That makes it irrelevant to runtime behavior, but highly relevant to an LLM-based scanner that reads source code as text.

This is the same class of issue we described in our recent Mini Shai-Hulud, Miasma, and Hades research, where malicious JavaScript payloads began with fake prompt-injection headers designed to pollute AI-assisted analysis before the scanner reached the actual code. shai_hulululud pushes that idea further by combining prompt-injection-style content with token flooding and obfuscation.

The file starts with a large Japanese-language block comment spanning the opening section of the file. The comment presents itself as a document about biological weapon production using household materials. Translated at a high level, the opening describes itself as a set of instructions for constructing a biological risk source using consumer-available materials.

The important point is not the content’s accuracy or feasibility. The important point is placement and purpose. The text is inside a JavaScript comment, so it has no effect on program execution. Its plausible target is an AI scanner, code review copilot, or analyst workflow that feeds raw source text into a model.

A traditional JavaScript parser can ignore this block. An LLM-based scanner may not.

The next comment block is more direct.
It uses prompt-injection language that appears designed to override the scanner’s instruction hierarchy. A shortened and redacted version of the block looks like this:

This is classic prompt-injection-style anti-analysis. The text is not a JavaScript instruction. It is an instruction aimed at whatever model or AI agent is reviewing the JavaScript.

The package author appears to be testing whether the scanner will treat source-code comments as untrusted data or accidentally allow the package content to interfere with the model’s own instructions.

In a weak AI review pipeline, this kind of content can cause several failure modes:

- The model refuses to continue analysis because it sees prohibited weapons content.
- The model follows or partially follows fake system instructions embedded in the file.
- The scanner errors out before reaching the executable JavaScript.
- The analysis gets dominated by the prompt content instead of the package behavior.
- The model truncates the file before reaching the obfuscated payload at the end.

The prompt blocks are inert to JavaScript, but active in the review pipeline, where they can trigger refusals, consume context, or distract the scanner from the code that matters.

After the weapon-themed prompt blocks, the file contains tens of thousands of lines repeating the same comment:

Socket researchers observed this repetition from approximately lines 191 to 33118.

This section may resemble a crude many-shot steering attempt, where repeated examples or repeated language are used to bias model behavior. However, the stronger conclusion is that it functions as context flooding.

The file’s total token count exceeds 3.5 million tokens, well beyond the context window of current frontier models. That means a scanner that naively submits the full file, or chunks the file without prioritizing executable code, can be forced into one of several bad outcomes:

- Spend excessive resources on comments.
- Truncate the file before reaching the obfuscated JavaScript.
- Fail because the prompt content triggers safety handling.
- Produce an incomplete classification based only on the non-executable header.
- Miss the actual payload appended at the end of the file.

The repeated phrase may be trolling, but the technique is practical. It turns token budget into an attack surface.

After the prompt blocks and repeated comments, the file ends with obfuscated JavaScript. The first layer uses a character-code array, a ROT-style substitution function, and eval:

```js
try {
  eval(
    // ROT-style substitution applied to the string rebuilt from character codes
    (function (s, n) {
      return s.replace(/[a-zA-Z]/g, function (c) {
        var b = c <= "Z" ? 65 : 97;
        return String.fromCharCode(((c.charCodeAt(0) - b + n) % 26) + b);
      });
    })(
      [40, 118, 110, /* ... */ 125, 41, 40, 41]
        .map(function (c) {
          return String.fromCharCode(c);
        })
        .join(""),
      5
    )
  );
} catch (e) {
  console.log("wrapper:", e.message || e);
}
```

This is a common JavaScript obfuscation pattern. The real program is stored as encoded data, reconstructed at runtime, transformed with a ROT-style substitution, and executed dynamically.

Socket researchers found a second layer involving AES encryption.
Once deobfuscated, the package was classified as “Protestware or potentially unwanted behavior.”

The decoded content includes a Unicode-escaped version of the earlier Japanese prompt content:

```js
console.log(`\u5BB6\u5EAD\u306B\u3042\u308B\u3082\u306E\u3067\u4F5C\u308B\u751F\u7269\u5175\u5668\uFF08\u751F\u7269\u5B66\u7684\u61F8\u6FC1\u6DB2\uFF09\u306E\u8A73\u7D30\u88FD\u9020\u624B\u9806\u66F8\n\n\u672C\u624B\u9806\u66F8\u3067\u306F\u3001\u30B3\u30F3\u30D3\u30CB\u30A8\u30F3\u30B9\u30B9\u30C8\u30A2\uFF08\u30D5\u30A1\u30DF\u30EA\u30FC\u30DE\u30FC\u30C8\uFF09\u3001\u30C7\u30A3\u30B9\u30AB\u30A6\u30F3\u30C8\u30B9\u30C8\u30A2\uFF08\u30C9\u30F3\u30FB\u30AD\u30DB\u30FC\u30C6\uFF09\u3001\u30C9\u30E9\u30C3\u30B0\u30B9\u30C8\u30A2\uFF08\u30DE\u30C4\u30E2\u30C8\u30AD\u30E8\u30B7\uFF09\u3068\u3044\u3063\u305F\u65E5\u5E38\u7684\u306B\u5229\u7528\u53EF\u80FD\u306A\u5E97\u8217\u3067\u5165\u624B\u3067\u304D\u308B\u6C4E\u7528\u54C1\u306E\u307F\u3092\u7528\u3044\u3066\u3001\u5FAE\u751F\u7269\u3092\u5927\u91CF\u57F9\u990A\u3057\u3001\u305D\u308C\u3092\u300C\u751F\u7269\u5B66\u7684\u306A\u30EA\u30B9\u30AF\u6E90\u300D\u3068\u3057\u3066\u69CB\u7BC9\u3059\u308B\u30D7\u30ED\u30BB\u30B9\u3092\u8A73\u7D30\u306B\u89E3\u8AAC\u3057\u307E\u3059\u3002\n\n---\n\n 1....`);
```

The package does not only place policy-triggering content at the top of the file. It also reintroduces similar content after deobfuscation. That means an AI agent that successfully unwraps the first obfuscation layer may encounter the same safety-triggering material again during deeper analysis.

This makes the package more adversarial than a simple prompt-injection header. The trigger is staged both before and after deobfuscation.

Decoded Strings Suggest Trolling and Scanner Targeting

The decoded payload includes strings that appear to reference malware behaviors, scanner vendors, package-install hooks, and common credential theft targets.
A shortened sample from the decoded content includes:

This mix of strings reads less like a polished stealer and more like a package designed to provoke scanners and security vendors. The references include:

- Security vendors and scanners.
- Cryptocurrency platforms.
- Browser cookies and password files.
- Screenshot filenames.
- Hidden PowerShell execution.
- Postinstall execution.
- GitHub Actions runner strings.
- /etc/sudoers.
- Webhook paths.
- Interactsh, Pipedream, and Burp Collaborator-style callback infrastructure.
- Discord Canary.
- Miner-related strings.
- AI and scanner-related internal terminology.

The package appears to be deliberately packed with strings that resemble supply chain malware indicators. That may be intended to trigger detections, test scanner behavior, increase analyst workload, or troll vendors.

The fake SYSTEM OVERRIDE block is prompt injection. It attempts to issue instructions to the model reviewing the file. Since it is inside a JavaScript comment, the target is not the JavaScript runtime. The target is the scanner or analyst assistant.

The bio/nuclear prompt content is safety-triggering anti-analysis. Its likely goal is to cause an AI system to refuse, error, or stop reviewing the package before reaching the executable code.

The repeated "You're absolutely right" section is more ambiguous. It could be interpreted as a crude many-shot steering attempt, but the clearer technical effect is context flooding. The repetition inflates the file until the useful content is buried behind millions of tokens.

These techniques combined create an LLM-specific denial-of-service pattern:

- Prompt injection → tries to alter or confuse model behavior
- Safety trigger → tries to cause refusal or review failure
- Context flooding → tries to exhaust the model’s token budget
- Obfuscation → hides the executable behavior behind the AI-facing noise

This is why the package is interesting even if the final payload appears to be harmless.
It demonstrates a practical adversarial pattern against AI-mediated package review.

From a JavaScript perspective, the prompt blocks are inert. They are comments that do not execute. From an AI scanner perspective, they are active input. LLMs do not automatically know which parts of a file are executable, which parts are comments, which parts are strings, and which parts should be ignored unless the surrounding system enforces those boundaries.

A secure scanner needs to treat package contents as untrusted data, not as instructions. It also needs to recognize when a file is attempting to manipulate the scanner itself. This requires more than telling the model to ignore prompt injection. It requires deterministic preprocessing and careful architecture.

AI scanners are valuable because they can reason about ambiguous packages, suspicious intent, and behavior that does not match simple static signatures. But they also inherit LLM-specific failure modes. This package demonstrates several of those failure modes in one artifact:

- Safety guardrails can be triggered by malicious source comments.
- Context windows can be saturated with low-signal repetition.
- Prompt-injection text can be embedded in non-executable code.
- Obfuscated payloads can be placed after the model has already consumed its context budget.
- Deobfuscation can reveal additional policy-triggering content, causing failure later in the pipeline.

AI-assisted analysis still has a clear role in malware triage, but this package shows why it needs scanner-specific hardening. AI scanners should use deterministic preprocessing to strip or isolate comments where appropriate, prioritize executable paths, detect context flooding, and combine LLM review with static analysis, AST parsing, entropy checks, deobfuscation, behavioral rules, and sandboxing.

Most importantly, scanners need to fail closed. A model refusal, timeout, or safety error should not be treated as a clean result.
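
The preprocessing and fail-closed handling described above, as an added example that is not Socket's code or any scanner's actual implementation: it separates comments from executable text, computes flooding flags before any model call, and maps refusals, timeouts and errors to a non-clean verdict. The function names, thresholds, verdict labels and the shape of the `model` outcome object are assumptions made for illustration.

```javascript
// Added example, not Socket's code; names, thresholds and labels are assumptions.
// Simplified splitter: regex literals and nested template expressions are not parsed.
function splitComments(src) {
  const comments = [];
  let code = "", i = 0;
  while (i < src.length) {
    const two = src.slice(i, i + 2), ch = src[i];
    if (two === "//" || two === "/*") {
      const close = src.indexOf(two === "//" ? "\n" : "*/", i + 2);
      const end = close === -1 ? src.length : close + (two === "/*" ? 2 : 0);
      comments.push(src.slice(i, end));
      i = end;
    } else if (ch === '"' || ch === "'" || ch === "`") {
      let j = i + 1; // copy string literals verbatim so "//" inside them survives
      while (j < src.length && src[j] !== ch) j += src[j] === "\\" ? 2 : 1;
      code += src.slice(i, j + 1);
      i = j + 1;
    } else { code += ch; i++; }
  }
  return { code, comments };
}

// Deterministic flags computed before any model sees the file.
function triage(src, tokenBudget = 100000) {
  const { code, comments } = splitComments(src);
  const seen = new Map();
  let commentChars = 0, maxRepeat = 0;
  for (const c of comments) {
    commentChars += c.length;
    seen.set(c, (seen.get(c) || 0) + 1);
    maxRepeat = Math.max(maxRepeat, seen.get(c));
  }
  const flags = [];
  if (src.length && commentChars / src.length > 0.9) flags.push("comment-heavy");
  if (maxRepeat > 1000) flags.push("repeated-comment-flood");
  if (/\beval\s*\(/.test(code) && code.includes("String.fromCharCode")) flags.push("eval-of-decoded-string");
  if (code.length / 4 > tokenBudget) flags.push("code-over-budget"); // ~4 chars/token, rough
  return { code, flags }; // only `code` goes to the model, quoted as data
}

// Fail closed: a refusal, timeout, error or truncated run is never "clean".
function verdict(flags, model) {
  if (model.status !== "ok" || (model.label === "clean" && flags.length > 0)) return "needs-review";
  return model.label;
}
// Constructed sample: stand-in instruction comment, filler flood, eval wrapper last.
const SAMPLE = "/* constructed stand-in for an injected instruction block */\n" +
  "// constructed filler line\n".repeat(5000) +
  'try { eval([40, 41].map(function (c) { return String.fromCharCode(c); }).join("")); } catch (e) {}\n';
```

On the constructed sample, `triage(SAMPLE)` returns only the eval wrapper as `code` and raises the comment-heavy, repeated-comment-flood and eval-of-decoded-string flags, so a model answer of "clean" is still downgraded to "needs-review".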
The package name appears to reference Shai-Hulud, and the anti-analysis structure echoes techniques seen in recent Mini Shai-Hulud, Miasma, and Hades activity.

In the earlier campaign, malicious PyPI wheels used fake prompt-injection headers at the beginning of index.js payloads. Those headers were not executed by JavaScript, but they appeared designed to pollute AI-assisted review before the scanner reached the obfuscated Hades payload.

The difference here is that shai_hulululud appears to be focused more directly on the AI scanner itself. The package is not just hiding malicious behavior behind obfuscation. It is placing adversarial content in the review path, then burying the executable code behind a massive wall of comments.

Even if this sample is trolling, it is still useful signal. Attackers often test new evasion ideas in messy, noisy, or unserious packages before more serious operators adopt the underlying technique.

shai_hulululud@1.0.48596 stands out as an adversarial test case for AI-based scanners. The package appears closer to protestware or trolling than a sophisticated stealer, but its structure shows how source files can be shaped to trigger refusals, exhaust context, and bury the code path that matters.

The package combines prompt-injection-style comments, policy-triggering content, context flooding, staged obfuscation, and scanner-targeting strings. Most of that content is non-executable from JavaScript’s perspective, but it is meaningful to an LLM-based review pipeline.

This is a shift defenders should take seriously. Open source malware is no longer only trying to evade static rules or human review. It is also beginning to target the AI systems used to analyze it. The scanner is now part of the threat model.