
Malicious npm Package Targets Claude AI Users via Supply Chain Attack

TL;DR HIGH
  • What happened: Malicious npm package silently exfiltrated Claude AI workspace files to attacker-controlled GitHub repository.
  • Who's at risk: Developers who install unvetted npm packages while using Anthropic's Claude AI tooling are most exposed, as the malware targets Claude's dedicated file upload/output directory.
  • Act now: Audit npm dependencies for 'mouse5212-super-formatter' and remove immediately · Rotate any GitHub tokens or credentials present in affected environment variables · Enforce npm package vetting policies and monitor postinstall script behaviour in CI/CD pipelines

Overview

Cybersecurity researchers at OX Security have uncovered a malicious npm package — mouse5212-super-formatter — specifically designed to steal files from the user data directory leveraged by Anthropic’s Claude AI assistant. The campaign, dubbed Malware-Slop, represents a targeted supply chain attack against developers using Claude’s tooling, and highlights an emerging trend of AI-assisted malware creation paired with poor attacker operational security.

The package was uploaded to npm on May 26, 2026, and recorded approximately 676 downloads before being flagged. It remains available on the npm registry at time of reporting.

Technical Analysis

The package masquerades as an internal archive deployment sync utility. Its malicious logic executes during the postinstall lifecycle hook — a common technique for achieving code execution at installation time without raising immediate suspicion.

Upon execution, the malware:

  1. Authenticates to GitHub using a token sourced from the victim’s environment variables, falling back to a hard-coded token if none is found.
  2. Checks for a target repository on a threat actor-controlled GitHub account; creates one if absent.
  3. Recursively uploads all files from /mnt/user-data — the directory Claude uses for uploads and background outputs — into randomly named folders to segment theft sessions.
  4. Writes a fake “network connections” log to deceive defenders into believing the package is performing legitimate diagnostics.

A critical OPSEC failure was identified: the package inadvertently leaked the attacker’s own GitHub private token within its code, strongly suggesting the malware was generated or scaffolded using an AI coding assistant without adequate review.

# Postinstall hook entry point (reconstructed behaviour)
npx --yes mouse5212-super-formatter
# → authenticates to GitHub
# → creates repo if missing
# → uploads /mnt/user-data/** recursively
# → writes fake diagnostic log

Framework Mapping

  • AML.T0010 – ML Supply Chain Compromise: The attack exploits the npm ecosystem to deliver malicious code to ML/AI developer environments.
  • AML.T0057 – LLM Data Leakage: Files processed by Claude (potentially including prompts, outputs, and sensitive documents) are exfiltrated.
  • AML.T0012 – Valid Accounts: The malware harvests and abuses legitimate GitHub tokens from victim environments.
  • LLM05 – Supply Chain Vulnerabilities: Malicious package injected into the open-source dependency chain targeting AI tooling users.
  • LLM06 – Sensitive Information Disclosure: Claude workspace data, potentially containing confidential inputs and model outputs, is exposed.

Impact Assessment

Developers integrating Claude AI into workflows — particularly those using automated pipelines that install npm packages — face direct risk of workspace data exfiltration. The /mnt/user-data directory may contain sensitive business documents, proprietary prompts, model outputs, and authentication artifacts. With 676 recorded downloads, the blast radius is moderate but the data sensitivity of affected targets could be significant. The leaked attacker token has since been revoked and the associated GitHub account removed.

Mitigation & Recommendations

  • Immediate: Search environments for mouse5212-super-formatter and remove it; treat any affected system as compromised.
  • Credential hygiene: Rotate all GitHub tokens and environment-level secrets on affected machines.
  • Postinstall script controls: Use npm config set ignore-scripts true or enforce allow-listing of packages permitted to run lifecycle scripts.
  • Dependency scanning: Integrate tools such as Socket.dev, Snyk, or OX Security into CI/CD pipelines to flag suspicious postinstall behaviour.
  • Principle of least privilege: Restrict network egress from build environments to prevent unauthorised outbound GitHub API calls.
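The audit step recommended above, and the behaviour described under Technical Analysis, can be checked mechanically. The following is an added example (not OX Security's tooling and not part of the original briefing): it walks a node_modules tree, reports every package that declares an install-time lifecycle hook (the list a team needs in order to build a script allow-list), flags the package named in the briefing, and scans each package's own JavaScript for the indicators the analysis describes: references to /mnt/user-data, to the GitHub API, and hard-coded GitHub token literals. The sample tree it builds in a temporary directory is constructed for the demo; the package contents and the placeholder token are made up, and the token regex is an assumption based on GitHub's documented token prefixes rather than a complete secret-scanning ruleset.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import Iterator

# Package named in the briefing.
KNOWN_BAD = {"mouse5212-super-formatter"}

# npm runs these hooks automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Behavioural indicators taken from the briefing. The token pattern follows
# GitHub's documented ghp_/gho_/ghu_/ghs_/ghr_ and github_pat_ prefixes and is
# an assumption for this demo, not an exhaustive secret-scanning rule.
INDICATORS = {
    "claude_user_data_dir": re.compile(r"/mnt/user-data"),
    "github_api": re.compile(r"api\.github\.com"),
    "hardcoded_github_token": re.compile(
        r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b"
    ),
}


def iter_packages(node_modules: Path) -> Iterator[Path]:
    """Yield every package directory under node_modules, including
    @scope/name packages and nested node_modules trees."""
    for entry in sorted(node_modules.iterdir()):
        if not entry.is_dir():
            continue
        if entry.name.startswith("@"):
            yield from iter_packages(entry)  # scoped packages sit one level down
            continue
        if (entry / "package.json").is_file():
            yield entry
            nested = entry / "node_modules"
            if nested.is_dir():
                yield from iter_packages(nested)


def audit_package(pkg_dir: Path) -> dict:
    """Report lifecycle hooks and indicator hits for one installed package."""
    manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    name = manifest.get("name", pkg_dir.name)
    scripts = manifest.get("scripts") or {}
    hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
    findings = []
    if name in KNOWN_BAD:
        findings.append("known_malicious_package")
    if hooks:
        findings.append("lifecycle_script")
    # Scan only this package's own sources; nested packages are audited separately.
    for src in pkg_dir.rglob("*.js"):
        if "node_modules" in src.relative_to(pkg_dir).parts:
            continue
        text = src.read_text(encoding="utf-8", errors="ignore")
        for label, pattern in INDICATORS.items():
            if label not in findings and pattern.search(text):
                findings.append(label)
    return {"name": name, "version": manifest.get("version", "?"),
            "hooks": hooks, "findings": findings}


def audit_tree(node_modules: Path) -> dict:
    """Audit every package in the tree; returns {package name: report}."""
    return {r["name"]: r for r in map(audit_package, iter_packages(node_modules))}


def build_sample_tree(root: Path) -> Path:
    """Write a constructed node_modules tree: one benign package and one that
    imitates the indicators from the briefing. Everything here is made up for
    the demo; the token is a placeholder string, not a real credential."""
    nm = root / "node_modules"
    benign = nm / "tiny-pad"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps(
        {"name": "tiny-pad", "version": "1.0.0", "main": "index.js"}))
    (benign / "index.js").write_text("module.exports = (s, n) => s.padStart(n);\n")

    bad = nm / "mouse5212-super-formatter"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps({
        "name": "mouse5212-super-formatter", "version": "0.0.0",
        "scripts": {"postinstall": "node index.js"},
    }))
    placeholder_token = "ghp_" + "x" * 36  # constructed placeholder, not a secret
    (bad / "index.js").write_text(
        "// constructed stand-in for the behaviour described in the briefing\n"
        f"const token = process.env.GITHUB_TOKEN || '{placeholder_token}';\n"
        "const target = '/mnt/user-data';\n"
        "const api = 'https://api.github.com';\n"
    )
    return nm


def demo() -> dict:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for name, report in demo().items():
        flag = "RISK" if report["findings"] else "ok"
        print(f"[{flag}] {name}@{report['version']} "
              f"hooks={list(report['hooks'])} findings={report['findings']}")
```

Point audit_tree at a real project's node_modules to get the same report for an installed tree. Any package that appears with lifecycle_script and is not on the team's allow-list is a candidate for review before npm config set ignore-scripts true is relaxed for it; a hit on the other indicators warrants treating the host as compromised and rotating the tokens in its environment, as the briefing recommends.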
