It's not mentioned in the title, but the payload itself comes with a pretty long wall-of-text comment about biological weapon design and nuclear weapon components. An interesting attempt to make LLMs refuse to touch the payload.
Quote:
> The _index.js payload begins with a large JavaScript block comment containing fake system instructions and policy-triggering content. Because it is inside a comment, it does not affect JavaScript execution. The runtime skips it. The real malware begins after the comment with a try{eval(...)} wrapper around a large character-code array and a ROT-style substitution function.
> This header appears designed for AI-mediated analysis, not for Node, Bun, or Python. It attempts to derail scanners or analyst copilots that feed the beginning of a file to a language model without clearly isolating the content as untrusted data. In weak pipelines, this can cause refusal behavior, prompt confusion, context pollution, or premature classification before the scanner reaches the actual malware.
> This is not a magical bypass against static detection. YARA rules, entropy checks, AST parsing, string extraction, deobfuscation, and behavioral rules still work. But it is a practical anti-analysis trick against naive LLM-first triage systems.
And I tried to get several hosted models to read the `_index.js` part of the payload through OpenRouter. OpenAI and Anthropic models refused to do anything. Kimi K2.6, GLM 5.1, and Minimax M3 didn't complain though.
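An added example, not part of the comment above or of the quoted write-up: a pre-filter a triage pipeline could run before any model sees a file, separating comments from code and applying the static checks the quote says still work. The function names, thresholds and sample input are assumptions made up for this illustration.

```javascript
// Added example: pre-filter for an LLM-assisted triage pipeline (hypothetical names).
// Limitation: regex literals and template-literal ${} nesting are not parsed.
function splitComments(src) {
  let code = "", comments = "", i = 0, leading = 0, seenCode = false;
  while (i < src.length) {
    const two = src.slice(i, i + 2), ch = src[i];
    if (two === "/*" || two === "//") {
      let end;
      if (two === "/*") {
        end = src.indexOf("*/", i + 2);
        end = end < 0 ? src.length : end + 2;
      } else {
        end = src.indexOf("\n", i);
        if (end < 0) end = src.length;
      }
      comments += src.slice(i, end);
      if (!seenCode) leading += end - i; // bytes of comment before any code
      code += " ";
      i = end;
    } else if (ch === '"' || ch === "'" || ch === "`") {
      let j = i + 1; // copy string literals verbatim so "/*" inside them is not a comment
      while (j < src.length && src[j] !== ch) j += src[j] === "\\" ? 2 : 1;
      code += src.slice(i, j + 1);
      seenCode = true;
      i = j + 1;
    } else {
      if (!/\s/.test(ch)) seenCode = true;
      code += ch;
      i++;
    }
  }
  return { code, comments, leading };
}

function triage(src) {
  const { code, comments, leading } = splitComments(src);
  const findings = [];
  if (leading > 200 && leading / src.length > 0.5) findings.push("oversized-leading-comment");
  if (/\beval\s*\(/.test(code)) findings.push("eval-call");
  if (/(\d{1,3}\s*,\s*){16,}/.test(code)) findings.push("char-code-array");
  // Only `code` goes on to any model; comment text is kept aside as quoted evidence.
  return { findings, code: code.trim(), commentBytes: comments.length };
}

// Constructed sample: placeholder header text followed by an inert eval wrapper string.
const SAMPLE = "/* " + "PLACEHOLDER INSTRUCTION TEXT. ".repeat(20) + "*/\n" +
  "try{eval(dec([" + Array.from({ length: 24 }, (_, k) => 65 + k).join(",") + "]))}catch(e){}";
console.log(triage(SAMPLE).findings);
```

The findings are computed without reading the header as instructions, so a verdict exists even if a downstream model refuses or is confused by the comment text.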
Early Kagi adopter here. I'm actually not aware of most of its AI/LLM features, which is part of why I like it. I noticed Kagi translation when the LinkedIn translator became a meme, but I don't really use any of these features.
That's to say, if one day Kagi also forces AI search summary down my throat and hides the search results, I will definitely leave.
Refund and non-existent customer service aside, this actually seems like a viable way to promote/demote/destroy specific 3rd-party tools from Anthropic's side.
ollama is certainly a "useful" tool. I've lost count how many times my non-technical boss (a professor) said "I can run this model in ollama on my notebook, so obviously it's easy to serve and scale."
I still have em-dash pinned at the top of my clipboard manager. Though nowadays I'm training myself to use some more definitely incorrect punctuations ((like this)) in informal scenarios;; hopefully LLMs won't catch up to such strange usage anytime soon.
Broken sentences. Also useful. Like in some literature works.
We need to integrate how Singapore and Japan do oral English into our writing I guess.
Joking aside, as a nonnative English speaker who spent quite a bit of time to learn to write in English "properly", this trend of needing to write baad Engrish to avoid being called out in public for "written by an LLM" is frustrating...
Native Asian, bouncing between Taiwan and Japan. Kagi works quite well for these two locales. Even for gov docs, medical docs, and for some rather obscure Taiwanese language things.
Well, except for local shops and POIs in Taiwan. Which is reasonable. Google Maps also sucks for less-populated Taiwanese areas. I kind of have to rely on my good old legs for that.