NPM Package Tests AI Malware Scanner Evasion

ID: 125ca24f-04b7-551b-8eb4-14cf409dd459

STIX ID: report--125ca24f-04b7-551b-8eb4-14cf409dd459

Feed Name: securityonline.info

Threat Score: 35/100

Date Published: 2026-06-21

Date Updated: 2026-06-21

Author: Do Son

Socket Threat Research discovered an npm package called shai_hulululud that embeds large comment blocks containing prompt injection, token/context flooding, and obfuscated JavaScript to subvert AI-based malware scanners and LLM review pipelines. The decoded payload contains provocative strings and references, but researchers classify it as protestware/adversarial testing rather than a credential-stealing or destructive payload. Defenders are advised to harden LLM pipelines: strip comments, detect context flooding, fail closed, and combine LLM review with static analysis.