Malicious npm package 'eslint-plugin-unicorn-ts-2' version 1.2.1, which has been installed almost 17,000 times, had an embedded prompt aimed at misleading large language model-based security scanners, reports Infosecurity Magazine.Such a package, which purports to be a TypeScript variant of the popular ESLint plugin, also featured an automated post-install hook and facilitated environment variable harvesting and exfiltration, according to Koi Security researchers. While earlier iterations of the package were determined by OpenSSF Package Analysis to be nefarious in February 2024, updates have continued as npm failed to remove the package.Such a development was noted by Koi Security to highlight inadequate vulnerability records and registry-level remediation, as well as preview more advanced supply chain threats."As LLMs become part of more security workflows, we should expect more of this. Code that doesn't just try to hide, but tries to convince the scanner that there's nothing to see," said Koi Security.
AI/ML, DevOps, Supply chain
AI security scanners targeted by novel malware-laced npm package

(Credit: Araki Illustrations – stock.adobe.com)
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



