Malicious npm Package Steals Claude AI Data via /mnt/user-data


CyberSecureFox Editorial Team

Researchers at OX Security have discovered a malicious npm package called mouse5212-super-formatter, which steals files from the /mnt/user-data directory — according to the researchers, this path is used by the Claude AI tool from Anthropic for processing uploads and output data. The campaign has been given the codename Malware-Slop. At the time the research was published, the package was still available in npm and had been downloaded around 676 times, although the actual number of installations is unknown. The case is notable because the attacker apparently made a serious operational security mistake — the package code contained a hardcoded private GitHub token.

Attack mechanics: from installation to exfiltration

According to researchers Moshe Siman Tov Bustan and Nir Zadok, the package masquerades as an internal “archive deployment sync” utility that supposedly validates or initializes a GitHub repository, takes a snapshot of network status, and synchronizes local workspace files with a remote storage location.

The package’s actual behavior differs significantly from its stated purpose:

  • Activation at the postinstall stage — the malicious code runs automatically after the npm package is installed, without any explicit user invocation.
  • GitHub authentication — the script attempts to use a GitHub access token from the victim’s environment variables. If no token is found, a hardcoded token is used as a fallback.
  • Repository creation — if the target repository does not exist, the malware creates it automatically.
  • Recursive exfiltration — all files from the target directory are recursively uploaded to a GitHub account controlled by the attacker (at the time of the research, the account was already unavailable).
  • Covertness — the stolen files are distributed into folders with random names to separate theft sessions. In parallel, the malware writes a fake log of network connections, creating the appearance that diagnostic information is being sent.

The target directory /mnt/user-data is reportedly associated with the Claude AI environment from Anthropic. This means the primary target is data processed in the context of working with this AI tool — potentially including uploaded documents, generated outputs, and intermediate files. It is worth noting that the link between this path and Claude AI specifically is based on the OX Security report and has not been independently confirmed via Anthropic’s documentation.

Operational security failure and the question of AI generation

The key feature of this incident is the leak of the attacker’s own credentials. The code of the mouse5212-super-formatter package contained a private token for the GitHub account used to receive the stolen data. This mistake enabled researchers to quickly identify the attack infrastructure and likely contributed to the blocking of that account, unplowed3584.

OX Security notes that such carelessness may indicate a lowered barrier to entry for creating malicious code. The researchers suggest that in the near future the number of “sloppy” malicious packages in npm will grow — low-skilled attackers will imitate the tactics of advanced groups until the registry implements automatic blocking of malicious code.

Impact assessment

The main risk group consists of developers and data specialists using Claude AI in environments where npm packages are installed without strict verification. Although 676 downloads is a relatively modest figure, the true scale of compromise is difficult to assess: npm counters include mirroring, automated CI/CD downloads, and other non-interactive requests.

Potential consequences for affected users include:

  • Leakage of confidential documents uploaded to Claude AI for processing
  • Compromise of GitHub tokens from environment variables, opening access to the victim’s repositories
  • Leakage of intermediate data and results produced by the AI tool

Protection recommendations

  1. Review project dependencies — search for mouse5212-super-formatter in the package.json and package-lock.json files of all projects. If found, immediately remove the package and rotate all GitHub tokens available in the environment.
  2. Check the /mnt/user-data directory — if it exists in your environment, analyze access logs for signs of unauthorized file reads.
  3. Audit postinstall scripts — use the --ignore-scripts flag when installing unfamiliar packages, or tools like npm audit for pre-install checks.
  4. Do not store tokens in environment variables unless necessary — use secrets managers and restrict GitHub token scopes to the minimum required permissions.
  5. Monitor GitHub activity — review your GitHub account’s audit log for creation of unknown repositories or file uploads that you did not initiate.

The mouse5212-super-formatter incident illustrates a concrete supply chain attack vector targeting data processed by AI tools. Organizations that use Claude AI in workflows with npm dependencies should audit installed packages, rotate GitHub tokens accessible in affected environments, and implement a policy requiring mandatory review of postinstall scripts before installing third-party packages.
