Malicious npm Package Targets Claude AI Users, Stealing Files via GitHub


Cybersecurity researchers have identified a new malicious package on the npm registry, named mouse5212-super-formatter, designed to exfiltrate files from the /mnt/user-data directory—a location utilized by Anthropic’s Claude AI tool for managing uploads and outputs. This discovery, dubbed Malware-Slop by OX Security, underscores the persistent threats within open-source ecosystems.

The mouse5212-super-formatter package masquerades as an internal utility for archive deployment sync, claiming to validate or initialize a GitHub repository, capture network status snapshots, and synchronize local workspace files with a remote tracking tree. However, upon closer examination, researchers Moshe Siman Tov Bustan and Nir Zadok from OX Security revealed that the package’s true intent is far more nefarious.

During the post-installation phase, the package authenticates to GitHub using either a GitHub access token found in the victim’s environment or a hard-coded token as a fallback. It then checks for the existence of a target repository; if absent, it creates one. Subsequently, it recursively uploads every file from the /mnt/user-data directory to a GitHub account controlled by the attacker. To obfuscate its malicious activities, the malware writes a fake network connections log, creating the illusion of sending diagnostic information while covertly exfiltrating local data.

As of now, the mouse5212-super-formatter package remains available for download on npm, with approximately 676 downloads recorded. However, the exact number of actual installations is unclear. The associated GitHub account, created on May 26, 2026—just hours before the first malicious version was uploaded to npm—has since been deactivated.

Notably, the package inadvertently exposed details of the GitHub account, including its private token. This lapse suggests that the threat actor may have utilized artificial intelligence to generate the malware but failed to implement fundamental operational security (OPSEC) measures. OX Security commented on this trend, stating, “Now that the bar to create malicious code was reduced significantly, we’re going to see more threat actors getting into the game—uploading more sloppy malwares, mostly mimicking APT groups to get a slice of the cake until npm starts automatically blocking malware completely.”