<ciso brief/>
Tag Banner

All news with #npm packages tag

all tags →

Tue, December 2, 2025

Malicious npm Package Tries to Manipulate AI Scanners

#AI Security #Prompt Injection #Typosquatting #Secrets Exposure #Supply Chain Backdoor #npm Packages

⚠️ Security researchers disclosed that an npm package, eslint-plugin-unicorn-ts-2, embeds a deceptive prompt aimed at biasing AI-driven security scanners and also contains a post-install hook that exfiltrates environment variables. Uploaded in February 2024 by user "hamburgerisland", the trojanized library has been downloaded 18,988 times and remains available; the exfiltration was introduced in v1.1.3 and persists in v1.2.1. Analysts warn this blends familiar supply-chain abuse with deliberate attempts to evade LLM-based analysis.

read more →