pkg-inject: Scanning npm and PyPI Packages for Prompt-Injection Payloads Targeting AI Coding Assistants

Mohiuddin, Syed Anas

doi:10.5281/zenodo.20502476

Published June 2, 2026 | Version 0.1.0

Software Open

pkg-inject: Scanning npm and PyPI Packages for Prompt-Injection Payloads Targeting AI Coding Assistants

Mohiuddin, Syed Anas

pkg-inject is an open-source scanner that inspects npm and PyPI packages for prompt-injection payloads embedded in package metadata and documentation - content that AI coding assistants (GitHub Copilot, Cursor, Claude Code) read and may act upon. It addresses an emerging software supply-chain threat at the intersection of package security and large language model agents.

Files

pkg-inject-0.1.0.zip

Files (41.0 kB)

Name	Size	Download all
pkg-inject-0.1.0.zip md5:10c8bc18a30912a28dccad5d848a9051	41.0 kB	Preview Download

Views

Downloads

Show more details

	All versions	This version
Views	32	32
Downloads	12	12
Data volume	533.3 kB	533.3 kB

More info on how stats are collected....

DOI

Resource type

Software

Publisher

Zenodo

License: MIT License

A short and simple permissive license with conditions only requiring preservation of copyright and license notices. Licensed works, modifications, and larger works may be distributed under different terms and without source code. Read more

Technical metadata

Created: June 2, 2026
Modified: June 2, 2026

pkg-inject: Scanning npm and PyPI Packages for Prompt-Injection Payloads Targeting AI Coding Assistants

Authors/Creators

Description

Files

pkg-inject-0.1.0.zip

Files (41.0 kB)