Socket Threat Research identified [email protected], an npm package that appears crafted to probe and disrupt AI-based malware scanners using prompt injection, safety-triggering content, context flooding, and obfuscated JavaScript. The package is closer to protestware or potentially unwanted behavior than a credential stealer, and it echoes anti-analysis ideas seen in Mini Shai-Hulud, Miasma, and Hades. #shai_hulululud #SocketThreatResearch #MiniShaiHulud #Miasma #Hades

Key points

  • The npm package [email protected] was identified as targeting AI-based malware scanners directly.
  • Its index.js file is about 9.28 MB and contains policy-triggering prompt content, fake system override instructions, repeated comments, and obfuscated JavaScript.
  • The embedded prompt content is placed inside JavaScript comments, making it inert at runtime but active for LLM-based scanners that read source as text.
  • Tens of thousands of repeated comment lines create context flooding, with the file exceeding 3.5 million tokens and potentially overwhelming scanner context windows.
  • Deobfuscation reveals additional policy-triggering content, showing the anti-analysis structure is staged both before and after unpacking.
  • Socket classified the package as “Protestware or potentially unwanted behavior,” not as the same type of credential-stealing payload seen in Mini Shai-Hulud, Miasma, and Hades.
  • The article argues AI-assisted scanning must fail closed and use deterministic preprocessing, static analysis, AST parsing, entropy checks, deobfuscation, behavioral rules, and sandboxing.
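One way to implement the deterministic preprocessing and fail-closed gate described in the last point, as an added example that is not Socket's code. The function names, thresholds and sample input are assumptions made for illustration.

```javascript
// Deterministic triage run before any LLM review. Thresholds are assumptions.
const LIMITS = { maxTokens: 100000, maxCommentRatio: 0.8, maxRepeat: 1000 };
// Small lexer: keeps string literals intact so "//" inside a string is not a
// comment. Simplification: regex and template expressions are not modelled.
function splitComments(src) {
  let code = "", i = 0;
  const comments = [];
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (c === '"' || c === "'" || c === "`") {
      let j = i + 1;
      while (j < src.length && src[j] !== c) j += src[j] === "\\" ? 2 : 1;
      code += src.slice(i, j + 1); i = j + 1;
    } else if (c === "/" && (n === "/" || n === "*")) {
      let j = src.indexOf(n === "/" ? "\n" : "*/", i + 2);
      if (j < 0) j = src.length;
      for (const l of src.slice(i + 2, j).split("\n")) comments.push(l.trim());
      i = n === "/" ? j : j + 2;
    } else { code += c; i++; }
  }
  return { code, comments };
}

function triage(src, limits = LIMITS) {
  const { code, comments } = splitComments(src);
  const counts = new Map();
  let topRepeat = 0;
  for (const l of comments.filter(Boolean)) {
    counts.set(l, (counts.get(l) || 0) + 1);
    topRepeat = Math.max(topRepeat, counts.get(l));
  }
  const metrics = {
    estTokens: Math.ceil(src.length / 4), // rough chars/4 heuristic, not a tokenizer
    commentRatio: src.length ? 1 - code.length / src.length : 0,
    topRepeat,
    dynamicEval: /\beval\s*\(|\bnew\s+Function\s*\(/.test(code),
  };
  const reasons = [];
  if (metrics.estTokens > limits.maxTokens) reasons.push("exceeds-context-budget");
  if (metrics.commentRatio > limits.maxCommentRatio) reasons.push("comment-dominated");
  if (topRepeat > limits.maxRepeat) reasons.push("repeated-comment-flood");
  if (metrics.dynamicEval) reasons.push("dynamic-code-execution");
  // Fail closed: any trigger escalates; only comment-stripped code is forwarded.
  return { verdict: reasons.length ? "escalate" : "llm-review", reasons, metrics, llmInput: code };
}

// Constructed sample: 2000 identical filler comments, then one line of code.
const SAMPLE = "// constructed filler comment\n".repeat(2000) +
  'const u = "http://example.test//x"; eval(String.fromCharCode(49));\n';
```

Calling `triage(SAMPLE)` escalates on three independent signals, and `llmInput` contains only the comment-stripped code, so comment-borne instructions never reach a model even when a file passes the gate.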

MITRE Techniques

  • [T1027] Obfuscated Files or Information – The package hides executable behavior behind encoded data, ROT-style substitution, AES-encrypted content, and eval-based runtime reconstruction. [‘heavily obfuscated JavaScript appended at the end of the file’ / ‘The real program is stored as encoded data, reconstructed at runtime, transformed with a ROT-style substitution, and executed dynamically’]
  • [T1059.007] JavaScript – The malicious or suspicious logic is embedded in a JavaScript npm package and executed through JavaScript constructs such as eval. [‘The package ships a large index.js file’ / ‘uses … eval’]
  • [T1204] User Execution – The content is designed to influence a reviewer or AI scanner into refusing, truncating, or misclassifying the file, rather than directly impacting runtime behavior. [‘designed to interfere with AI-assisted malware review’ / ‘The target is the scanner or analyst assistant’]
  • [T1027.010] Junk Data – The file uses tens of thousands of repetitive comment lines to flood the scanner and bury the actual payload. [‘tens of thousands of repetitive comments’ / ‘functions as context flooding’]
  • [T1055] Process Injection – Not directly present as code execution against a process, but the article describes fake system override instructions aimed at the scanner’s instruction hierarchy, resembling instruction hijacking in the review pipeline. [‘fake system override instructions’ / ‘designed to override the scanner’s instruction hierarchy’]

Indicators of Compromise

  • [Package name] suspicious npm package identified in the research – [email protected]
  • [File name] main analyzed source file containing prompt content and obfuscated code – index.js
  • [File size] unusually large source file used for scanner flooding – approximately 9.28 MB
  • [Token count] context-busting file size metric – more than 3.5 million tokens
  • [Encoded content] obfuscated payload and decoded strings embedded in the file – Unicode-escaped Japanese prompt text, character-code array used with eval


Read more: https://socket.dev/blog/npm-package-uses-prompt-injection-and-token-flooding-to-disrupt-ai-malware-scanners