2 Sources
[1]
Malware dev tries to steal Claude users' secrets, writes npm slop, leaks own GitHub private token
An npm-slop package "mouse5212-super-formatter" targeting Claude users and acting as a stealer reached 676 downloads before being removed from the registry - and after making a major vibe coding blunder. The AI-generated malware leaked its own GitHub private token, thus allowing OX Security researchers to trace the stolen files and analyze the malware before issuing this warning: "We're going to see more threat actors getting into the game - uploading more sloppy malwares, mostly mimicking APT groups to get a slice of the cake until npm starts automatically blocking malware completely."
According to researchers Moshe Siman Tov Bustan and Nir Zadok, the sloppy code writer created their GitHub account earlier this month, just hours before uploading their first malicious version to npm and shortly after testing out the information-stealing capabilities on a "test" repository. The GitHub account was deleted after the attack.
All versions of mouse5212-super-formatter are affected, according to the threat hunters, so if you installed it, immediately revoke your GitHub access tokens and assume any unusual files in the "/mnt/user-data" directory have been compromised. This is the storage directory that Anthropic's AI coding tool Claude uses to handle file uploads, downloads, and code/data outputs.
The script purports to be an internal "archive deployment sync" utility that validates a GitHub repository, captures a "network status" snapshot, and then synchronizes local workspace files with a remote tracking tree. In reality, however, it's a stealer. "It authenticates to GitHub (using an environment token or a hardcoded fallback), checks whether a target repository exists, creates it if needed, then recursively walks a local directory and uploads every file through the GitHub Contents API," Bustan and Zadok wrote.
It stores the stolen files under random per-run folder names, which allows for multiple stealing sessions, and exfiltrates the sensitive info using base64 encoding. The malware also writes a phony network connection log to make it look like a diagnostic - not theft - tool, and uses "intentionally bland" and/or technical comments and commit messages "to reduce suspicion," the researchers wrote. It does this instead of using redundant or Russian-language comments that would be a dead giveaway the attacker used AI to write the malicious code. Then again, leaking your own tokens also isn't super stealthy behavior or best practices when it comes to writing malware.
[2]
Malicious npm Package Stole Files From Claude AI User Directory via GitHub
Cybersecurity researchers have discovered a new malicious package on the npm registry that comes with information-stealing capabilities. According to OX Security, the package, named "mouse5212-super-formatter," is designed to upload files from "/mnt/user-data," a dedicated directory used by Anthropic's Claude artificial intelligence (AI) tool to handle uploads and outputs in the background. The activity has been codenamed Malware-Slop.
"By analyzing the malware, it turns out that the script presents itself as an internal 'archive deployment sync' utility that validates or initializes a GitHub repository, captures a lightweight 'network status' snapshot, and then performs a structured synchronization of local workspace files into a remote tracking tree," researchers Moshe Siman Tov Bustan and Nir Zadok said. In reality, however, it authenticates to GitHub during the postinstall stage, either using a GitHub access token found in the victim's environment or a hard-coded token as a fallback, checks whether a target repository exists, and if not, creates it, and then recursively uploads every file to a threat actor-controlled GitHub account.
The stolen files are stored within randomly named folders to help the operator distinguish between different theft sessions. The malware also writes a fake "network connections" log to give the impression that it's sending diagnostic information, while obscuring its true operational behavior of unauthorized collection and remote transfer of local data.
The package is still available for download from npm and is estimated to have been downloaded 676 times. However, how many of these correspond to actual installs remains unclear. The GitHub account linked to the campaign is no longer available, although OX noted that it was created on May 26, 2026, a few hours before the first malicious version was uploaded to npm.
What's notable about the package is that it leaked details of the GitHub account, including its private token, raising the possibility that the threat actor is using AI to generate malware while not implementing basic operational security (OPSEC) best practices. "Now that the bar to create malicious code was reduced significantly, we're going to see more threat actors getting into the game - uploading more sloppy malwares, mostly mimicking APT groups to get a slice of the cake until npm starts automatically blocking malware completely," OX Security said.
A malicious npm package called mouse5212-super-formatter targeted users of Anthropic's Claude AI coding tool, stealing files from the /mnt/user-data directory before the attacker accidentally leaked their own GitHub private token. The AI-generated malware reached 676 downloads before removal, highlighting how threat actors are increasingly using AI to create sloppy malware with poor operational security.
A malicious npm package named mouse5212-super-formatter has been discovered targeting users of Claude, Anthropic's AI coding tool, in what security researchers are calling a particularly sloppy cybersecurity incident [1][2]. The package, which reached 676 downloads before being removed from the registry, was designed to steal user data from the /mnt/user-data directory, a dedicated storage location that Claude uses to handle file uploads, downloads, and code outputs.
What makes this incident particularly notable is that the attacker leaked their own GitHub private token while deploying the AI-generated malicious code, allowing OX Security researchers Moshe Siman Tov Bustan and Nir Zadok to trace the stolen files and analyze the malware's operations [1]. The GitHub account associated with the attack was created on May 26, 2026, just hours before the first malicious version was uploaded to npm, and was subsequently deleted after the attack was exposed [2]. This operational security failure demonstrates how threat actors using AI to generate malware may lack fundamental best practices in concealing their activities.
The malicious package disguised itself as an internal "archive deployment sync" utility that appeared to validate GitHub repositories and synchronize workspace files. In reality, mouse5212-super-formatter authenticated to GitHub during the postinstall stage using either a victim's environment token or a hardcoded fallback, checked whether a target repository existed, created it if needed, and then recursively uploaded every file through the GitHub Contents API [1]. The stolen files were stored under randomly named folders to enable multiple stealing sessions, with sensitive information exfiltrated using base64 encoding.
The malware attempted to appear legitimate by writing a phony network connection log to make it look like a diagnostic tool rather than a theft mechanism, and by using "intentionally bland" technical comments and commit messages to reduce suspicion [1]. Security researchers warn that this incident represents a troubling trend: "Now that the bar to create malicious code was reduced significantly, we're going to see more threat actors getting into the game - uploading more sloppy malwares, mostly mimicking APT groups to get a slice of the cake until npm starts automatically blocking malware completely," according to OX Security. All versions of mouse5212-super-formatter are affected by this data compromise [1]. Users who installed the package should immediately revoke their GitHub access tokens and assume any unusual files in the /mnt/user-data directory have been compromised. The incident underscores the evolving challenge facing package registries and developers as AI lowers the technical barrier for creating malicious code, even if the resulting attacks demonstrate poor operational security. Developers should remain vigilant about verifying package authenticity and monitoring for suspicious activity in their development environments, particularly when working with AI coding tools that maintain dedicated storage directories.
Summarized by Navi
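As a defender-side illustration of the "monitor for suspicious activity" advice above, here is an added example (written for this page; not code from OX Security, npm, Anthropic, or either article) of a small audit that inspects an npm package manifest together with the scripts its install hooks reference, and flags the combination the articles describe: a postinstall-style hook that reads a GitHub token from the environment or carries a hard-coded one, touches Claude's /mnt/user-data directory, and talks to the GitHub Contents API. The indicator patterns, the hypothetical package names and the script contents are all constructed for the demonstration; the suspicious sample is a non-functional mock containing only the indicator strings, and the token in it is an obvious placeholder.

```javascript
// Added example: audit npm install hooks for the exfiltration pattern described
// in the articles. Not part of the original page or of any project's own code.
// All manifests and script bodies below are constructed for the demonstration.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators a defender looks for in install-time scripts. Matches are reported,
// never acted on; a human still decides what the package really does.
const INDICATORS = [
  { label: "reads GitHub token from environment", re: /process\.env\.(GITHUB_TOKEN|GH_TOKEN)/ },
  { label: "hard-coded GitHub token literal", re: /\bgh[pousr]_[A-Za-z0-9]{20,}\b/ },
  { label: "touches Claude user-data directory", re: /\/mnt\/user-data/ },
  { label: "calls GitHub Contents API", re: /api\.github\.com\/repos\/[^"'`\s]+\/contents/ },
  { label: "base64-encodes file contents", re: /toString\(\s*["']base64["']\s*\)/ },
  { label: "recursive directory walk", re: /readdirSync\([^)]*recursive\s*:\s*true/ },
];

// auditPackage(manifest, scriptSources)
//   manifest      - parsed package.json object
//   scriptSources - map from script file name to its contents
// Returns { name, hooks, findings: [{hook, file, label}], risk }
// risk is "none" (no install hooks), "review" (hooks present, no clear
// exfiltration chain) or "high" (token access combined with an upload channel).
function auditPackage(manifest, scriptSources) {
  const scripts = manifest.scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => h in scripts);
  const findings = [];
  for (const hook of hooks) {
    // A hook command usually names the file it runs, e.g. "node scripts/sync.js".
    const referenced = Object.keys(scriptSources).filter((f) => scripts[hook].includes(f));
    for (const file of referenced) {
      for (const { label, re } of INDICATORS) {
        if (re.test(scriptSources[file])) findings.push({ hook, file, label });
      }
    }
  }
  const labels = new Set(findings.map((f) => f.label));
  const hasToken = [...labels].some((l) => l.includes("token"));
  const hasUpload = labels.has("calls GitHub Contents API");
  let risk = "none";
  if (hooks.length > 0) risk = "review";      // any install hook deserves a look
  if (hasToken && hasUpload) risk = "high";   // credential + remote write = exfil path
  return { name: manifest.name, hooks, findings, risk };
}

// Constructed mock of a "sync utility" install script. It is NOT runnable code;
// it only carries the indicator strings the audit is meant to catch.
const MOCK_SYNC_SCRIPT = `
// archive deployment sync: validates repository and mirrors workspace tree
const token = process.env.GITHUB_TOKEN || "ghp_00000000000000000000000000000000AB"; // placeholder, not a real token
const root = "/mnt/user-data";
const entries = fs.readdirSync(root, { recursive: true });
// ... PUT https://api.github.com/repos/OWNER/REPO/contents/<path> with content: buf.toString("base64")
`;

// Three constructed packages: no hooks, a native-addon build hook, and the mock stealer.
const SAMPLES = [
  { manifest: { name: "plain-formatter-sample", scripts: { test: "node test.js" } }, sources: {} },
  { manifest: { name: "native-addon-sample", scripts: { install: "node-gyp rebuild" } }, sources: {} },
  {
    manifest: { name: "hypothetical-super-formatter", scripts: { postinstall: "node scripts/sync.js" } },
    sources: { "scripts/sync.js": MOCK_SYNC_SCRIPT },
  },
];

// Runs the audit over every constructed sample and returns the reports.
function auditAll() {
  return SAMPLES.map(({ manifest, sources }) => auditPackage(manifest, sources));
}

for (const report of auditAll()) {
  console.log(`${report.name}: risk=${report.risk} hooks=[${report.hooks}] findings=${report.findings.length}`);
}
```

The scoring deliberately treats an install hook on its own as "review" rather than "high": plenty of legitimate packages build native code in an install hook, as the second sample shows, so the signal worth alerting on is the chain of a credential source plus a remote write channel in the same hook, which is exactly what the articles describe. A real deployment would walk node_modules and feed each package.json and its hook scripts into auditPackage.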