◈ AI Security Intelligence ← Daily feed
Vulnerability  ·  2026-06-22

npm Package shai_hulululud — Proof-of-Concept AI Malware Scanner Evasion via Prompt Injection and Token Flooding

VulnerabilityMedium impactGlobal
What happened
Socket Threat Research (published June 16, 2026) analyzed the npm package shai_hulululud@1.0.48596 and found it was purpose-built to evade AI-assisted malware scanners rather than to execute a conventional payload. The package ships a large index.js containing: (1) policy-triggering prompt content and fake system-override instructions embedded in source-code comments to manipulate LLM-based scanners, (2) tens of thousands of repeated comment lines to flood the scanner's context window and exhaust its token budget, and (3) heavily obfuscated JavaScript appended at the end of the file. Socket assessed the package as protestware or an adversarial test case, not credential-stealing malware, but explicitly warned the technique is directly adoptable by more capable threat actors to conceal genuinely malicious payloads from AI-powered security review pipelines.
Why it matters
This is the first publicly documented npm package explicitly designed to attack AI-based malware scanners as a target rather than as a detection mechanism. As AI-assisted code review and supply-chain scanning becomes standard (integrated into GitHub Copilot, Socket, Snyk, and similar tools), adversaries who master scanner evasion can deliver malicious packages that pass automated AI review. The technique is directly related to the broader Shai-Hulud/Miasma/Hades campaign family that has previously delivered credential-stealing malware targeting AI/ML developers.
Attack vector
Attacker publishes npm package embedding prompt-injection instructions and context-flooding comments in source code to manipulate or neutralise LLM-based scanners, allowing obfuscated malicious JavaScript to pass automated AI security review undetected
Affected systems
AI-powered malware scanners / supply-chain security tools that use LLMs for code review (Socket, GitHub Copilot security features, Snyk AI review, etc.); any npm package ecosystem where AI-assisted review is trusted
Mitigation
Do not rely solely on AI-assisted scanning for npm package vetting; combine with static AST analysis and behavioural sandboxing. Socket has flagged and blocked the package. See Socket blog: https://socket.dev/blog/npm-package-uses-prompt-injection-and-token-flooding-to-disrupt-ai-malware-scanners
Sources
Socket Threat Research — npm Package Uses Prompt Injection and Token Flooding to Disrupt AI Malware Scanners (June 16, 2026)SecurityOnline — NPM Package Tests AI Malware Scanner Evasion (June 21, 2026)
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →