Malicious npm Package Uses Hidden Prompt and Script to Evade AI Security Tools
2 December 2025 at 14:17:00
thehackernews.com
Cybersecurity researchers discovered a malicious npm package named eslint-plugin-unicorn-ts-2 that attempts to evade AI-driven security scanners. The package masquerades as a TypeScript extension of the popular ESLint plugin and was uploaded by user 'hamburgerisland' in February 2024. The malicious package uses hidden prompts and scripts specifically designed to influence and bypass artificial intelligence-based security scanning tools. This represents a new evolution in supply chain attacks targeting the npm ecosystem, where attackers are now adapting their techniques to counter AI-powered security defenses.
Related CVEs:
No CVEs found in this article
