Overview
Cybersecurity researchers at OX Security have uncovered a malicious npm package, mouse5212-super-formatter, built specifically to steal files from the user-data directory used by Anthropic's Claude AI assistant. The campaign, dubbed Malware-Slop, is a targeted supply chain attack against developers using Claude's tooling, and illustrates an emerging pattern: malware scaffolded with an AI coding assistant and published with poor attacker operational security.
The package was uploaded to npm on May 26, 2026, and recorded approximately 676 downloads before being flagged. It remains available on the npm registry at time of reporting.
Technical Analysis
The package masquerades as an internal archive deployment sync utility. Its malicious logic executes from the postinstall lifecycle hook, which npm runs automatically whenever the package is installed (including via npx). This is a common technique for achieving code execution at installation time without the victim ever importing or calling the package.
Upon execution, the malware:
- Authenticates to GitHub using a token sourced from the victim’s environment variables, falling back to a hard-coded token if none is found.
- Checks for a target repository on a threat actor-controlled GitHub account; creates one if absent.
- Recursively uploads all files from /mnt/user-data (the directory Claude uses for uploads and background outputs) into the repository, under randomly named folders so that each theft session is kept separate.
- Writes a fake "network connections" log so that a defender inspecting the package sees what looks like legitimate diagnostics output.
A critical OPSEC failure was identified: the hard-coded fallback token is the attacker's own GitHub personal access token, shipped in the package source for anyone to read. Leaking a working credential in a public package strongly suggests the malware was generated or scaffolded with an AI coding assistant and published without adequate review.
```shell
# Postinstall hook entry point (reconstructed behaviour)
npx --yes mouse5212-super-formatter
# → authenticates to GitHub (env token, else hard-coded attacker token)
# → creates the exfiltration repo if missing
# → uploads /mnt/user-data/** recursively
# → writes fake diagnostic log
```
Framework Mapping
- AML.T0010 – ML Supply Chain Compromise (MITRE ATLAS): the attack exploits the npm ecosystem to deliver malicious code into ML/AI developer environments.
- AML.T0057 – LLM Data Leakage (MITRE ATLAS): files processed by Claude (potentially including prompts, outputs, and sensitive documents) are exfiltrated.
- AML.T0012 – Valid Accounts (MITRE ATLAS): the malware harvests and abuses legitimate GitHub tokens from victim environments.
- LLM05 – Supply Chain Vulnerabilities (OWASP Top 10 for LLM Applications, 2023 edition; LLM03 in the 2025 edition): a malicious package injected into the open-source dependency chain, targeting users of AI tooling.
- LLM06 – Sensitive Information Disclosure (OWASP Top 10 for LLM Applications, 2023 edition; LLM02 in the 2025 edition): Claude workspace data, potentially containing confidential inputs and model outputs, is exposed.
Impact Assessment
Developers integrating Claude AI into their workflows, particularly those whose automated pipelines install npm packages, face direct risk of workspace data exfiltration. The /mnt/user-data directory may contain sensitive business documents, proprietary prompts, model outputs, and authentication artifacts. Because the package reads a GitHub token from the environment before falling back to its own, any token present at install time should also be treated as exposed. With 676 recorded downloads the blast radius is moderate, but the sensitivity of the data on affected systems could be significant. The leaked attacker token has since been revoked and the associated GitHub account removed.
Mitigation & Recommendations
- Immediate: search environments, lockfiles and CI caches for mouse5212-super-formatter and remove it; treat any system on which it was installed as compromised.
- Credential hygiene: rotate all GitHub tokens and environment-level secrets on affected machines; assume any token that was in the environment at install time has been stolen.
- Postinstall script controls: install with npm ci --ignore-scripts (or set npm config set ignore-scripts true) so that no package's preinstall, install or postinstall hook runs automatically, and re-enable scripts only for an allow-list of packages that genuinely need a build step. Two caveats: the setting also disables your own project's lifecycle scripts and the build steps of legitimate native dependencies, and it blocks only installation-time execution; a malicious package's main code still runs when it is required or executed.
- Dependency scanning: integrate tools such as Socket.dev, Snyk, or OX Security into CI/CD pipelines to flag suspicious postinstall behaviour.
- Principle of least privilege: restrict network egress from build environments so that install steps cannot reach api.github.com or other upload endpoints, and grant GitHub access and tokens only to the steps that require them.
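As an added example, not part of the OX Security report or any project's real workflow, the GitHub Actions job below puts the lifecycle-script and credential controls above into practice: dependencies are installed with scripts disabled, scripts are then run only for an allow-list of packages, and no secret is in the environment of the install step. The allow-listed names sharp and esbuild, the deploy script, and the DEPLOY_TOKEN secret are placeholders.

```yaml
# Added example workflow; package names and secret names are placeholders.
name: build
on: [push, pull_request]

permissions:
  contents: read              # minimal scope for the job's GITHUB_TOKEN

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config for later steps
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      # Install from the lockfile with no lifecycle scripts. The flag is passed
      # per command rather than set in .npmrc so that the rebuild step below can
      # still run scripts for the allow-listed packages.
      - run: npm ci --ignore-scripts

      # Allow-list: run install scripts only for packages that need a build step
      # (placeholder names; keep the list short and changes to it reviewed).
      - run: npm rebuild sharp esbuild

      # Nothing above had a secret in its environment. A token is handed only to
      # the step that needs it, after dependencies are already installed.
      - run: npm test
      - run: npm run deploy
        if: github.ref == 'refs/heads/main'
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
```

Keep secrets out of job-level or workflow-level env blocks, since those are visible to every step including npm ci. If ignore-scripts is instead set globally with npm config, the rebuild step must override it explicitly or the allow-listed packages' scripts will not run either.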
References
- The Hacker News – Malicious npm Package Stole Files From Claude AI User Directory via GitHub
- OX Security Research: Moshe Siman Tov Bustan & Nir Zadok