by ofjcihen 5 days ago
Some of the latest versions of Shai Hulud do this. Worked a contract recently where they were having AI check packages for obfuscation before admitting them into Artifactory but had vibed up the logic and it failed open.

So, in other words, this worked because the terms caused the LLM checker to stall out, and then the fail-open logic resulted in the package being pulled down.


Seems like this?[1] Relevant bits below:

> This header appears designed for AI-mediated analysis, not for Node, Bun, or Python. It attempts to derail scanners or analyst copilots that feed the beginning of a file to a language model without clearly isolating the content as untrusted data. In weak pipelines, this can cause refusal behavior, prompt confusion, context pollution, or premature classification before the scanner reaches the actual malware.

> This is not a magical bypass against static detection. YARA rules, entropy checks, AST parsing, string extraction, deobfuscation, and behavioral rules still work. But it is a practical anti-analysis trick against naive LLM-first triage systems.

Would this affect many systems? You mention someone writing logic that fails open, but can't that be chalked up to just not following good security principles?

[1] - https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-wor...

No, it wouldn’t, but part of the success of Shai and others like it is that it doesn’t need to.

Additionally, the security scanning component of Artifactory, Xray, is notoriously bad at this.

The developer had good intentions but by his own admission never actually examined the logic for the LLM scanner in depth.
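Added example, not part of the thread and not the code from the contract described above: a sketch of the fail-open admission gate the comments describe next to a fail-closed version that quarantines a package when the LLM checker stalls, errors, or returns something other than a verdict. The checker functions, the verdict strings `clean`/`obfuscated` and the decision names are assumptions made for illustration; no real LLM or Artifactory API is called.

```python
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
import time

ALLOW, BLOCK, QUARANTINE = "allow", "block", "quarantine"

def _ask(llm_check, source, timeout_s):
    """Run the checker in a worker thread so a stalled call cannot hang the gate."""
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(llm_check, source).result(timeout=timeout_s)
    finally:
        pool.shutdown(wait=False)

def admit_fail_open(source, llm_check, timeout_s=0.2):
    """Weak pattern: only an explicit 'obfuscated' verdict blocks."""
    try:
        verdict = _ask(llm_check, source, timeout_s)
    except Exception:
        return ALLOW, "checker failed, admitting"  # stall or error admits
    if verdict == "obfuscated":
        return BLOCK, "checker: obfuscated"
    return ALLOW, "not flagged"  # a refusal or confused reply lands here too

def admit_fail_closed(source, llm_check, timeout_s=0.2):
    """Only an explicit 'clean' verdict admits; every other outcome is held."""
    try:
        verdict = _ask(llm_check, source, timeout_s)
    except FutureTimeout:
        return QUARANTINE, "checker timed out"
    except Exception as exc:
        return QUARANTINE, f"checker error: {type(exc).__name__}"
    if verdict == "clean":
        return ALLOW, "checker: clean"
    if verdict == "obfuscated":
        return BLOCK, "checker: obfuscated"
    return QUARANTINE, "no usable verdict"

# Constructed stand-ins for the model call (hypothetical checkers).
def stalled_checker(source):
    time.sleep(1.0)  # simulates the checker stalling past the timeout
    return "clean"

def refusing_checker(source):
    return "I can't help with analysing this file."

def crashing_checker(source):
    raise RuntimeError("upstream 500")
```

Quarantined packages would go to a human or to the deterministic checks the quoted write-up lists (YARA, entropy, AST parsing), which do not depend on the model's reply.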