Malicious npm Package Exfiltrates Files from Claude User Directory
Severity: Medium (Score: 57.8)
Sources: www.ox.security, Theregister, Gbhackers, Letsdatascience, Cybersecuritynews
Keywords: package, malicious, files, claude, directory, mouse5212-super-formatter, researchers
Severity indicators: supply chain
Summary
A malicious npm package named 'mouse5212-super-formatter' was discovered, targeting users of Anthropic's Claude AI. The package, which masqueraded as a legitimate utility, was designed to exfiltrate files from the '/mnt/user-data' directory, reaching 676 downloads before removal. Researchers from OX Security noted that the malware inadvertently leaked its own GitHub private token, allowing for tracking of stolen files. The malware operates by uploading files to a GitHub repository under random names, using base64 encoding for exfiltration. This incident highlights vulnerabilities in supply chain security, particularly in npm and GitHub environments. The package's code was poorly constructed, leading to its detection and analysis by security researchers. Users are advised to revoke GitHub access tokens if they installed the package and to assume any files in the targeted directory may be compromised.
Key Points:
- The malicious npm package 'mouse5212-super-formatter' targeted Anthropic's Claude users.
- The malware leaked its own GitHub private token, aiding in tracking and analysis.
- Users are advised to revoke access tokens and assess potential data compromise.
Detailed Analysis
**Impact** The malicious npm package "mouse5212-super-formatter" targeted users of Anthropic's Claude AI tool, specifically exfiltrating files from the "/mnt/user-data" directory used for uploads and background outputs. The package was downloaded 676 times before removal, potentially compromising sensitive user files and GitHub access tokens. The attack affects developers and organizations leveraging Claude, with no specific geographic focus reported. The exposure of source maps and supply-chain lures increases risk to CI/CD environments and developer workflows.
**Technical Details** The attack vector involved a malicious npm package performing recursive file uploads via the GitHub Contents API, exfiltrating data encoded in base64. The malware masqueraded as an internal archive sync utility, authenticating with either environment tokens or hardcoded fallbacks. Related operations used trojanized GitHub Releases to deploy Rust-based droppers, including TradeAI.exe, which installs the Vidar infostealer and GhostSocks proxy. The attacker leaked their own GitHub private token, enabling researchers to trace activity. No CVEs were mentioned. Indicators include the package name "mouse5212-super-formatter," random per-run folder names for stolen files, and GitHub repositories created or accessed by the attacker.
**Recommended Response** Immediately revoke all GitHub access tokens potentially exposed via the package and audit the "/mnt/user-data" directory for unusual files or activity. Implement allowlists for third-party npm installs and scan CI/CD pipelines for unexpected packaging or release artifacts. Deploy detections for outbound uploads from runtime sandbox directories and monitor for GitHub Release artifacts linked to post-execution droppers. Isolate affected endpoints and preserve malicious artifacts for forensic analysis. Monitor advisories from OX Security, SOC Prime, and vendors for updated IOCs and patch guidance.
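To determine whether a project ever locked the package, directly or transitively, the following added example (not code from the package, OX Security, or any source article) checks a parsed package-lock.json for "mouse5212-super-formatter" in both lockfile layouts, including aliased installs. The sample lockfiles, the `demo-dep` and `fmt` names and the version strings are constructed for illustration.

```javascript
const IOC_NAME = 'mouse5212-super-formatter'; // package name from the report

// Return every place `name` is locked, covering both lockfile layouts:
//   v2/v3: flat "packages" map keyed by install path ("node_modules/a/node_modules/b")
//   v1:    nested "dependencies" tree keyed by package name
function findLockedPackage(lock, name = IOC_NAME) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // "" (root project) and workspace links
    // An aliased install keeps the alias in the path and the real name in meta.name.
    const pkgName = meta.name || path.slice(idx + 'node_modules/'.length);
    if (pkgName === name) hits.push({ path, version: meta.version || null });
  }
  const walk = (deps, trail) => {
    for (const [depName, meta] of Object.entries(deps || {})) {
      const here = `${trail}node_modules/${depName}`;
      // v2 lockfiles carry both layouts, so skip paths already reported.
      if (depName === name && !hits.some((h) => h.path === here)) {
        hits.push({ path: here, version: meta.version || null });
      }
      walk(meta.dependencies, `${here}/`); // nested (transitive) installs
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles; dependency names and versions are made up.
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/demo-dep': { version: '2.1.0' },
    'node_modules/demo-dep/node_modules/mouse5212-super-formatter': { version: '0.0.0-sample' },
    'node_modules/fmt': { name: 'mouse5212-super-formatter', version: '0.0.0-sample' }, // alias
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    'demo-dep': {
      version: '2.1.0',
      dependencies: { 'mouse5212-super-formatter': { version: '0.0.0-sample' } },
    },
  },
};

console.log(findLockedPackage(sampleV3), findLockedPackage(sampleV1));
```

Against a real project, pass it `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any hit means the tokens and "/mnt/user-data" contents on that host should be treated as exposed, per the guidance above.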
Source articles (5)
- Malicious npm Package Exfiltrates Files From Claude User Directory | Let's Data Science — Letsdatascience · 2026-05-27
  Cybersecurity researchers identified a malicious npm package named "mouse5212-super-formatter," which researchers say was designed to upload files from the "/mnt/user-data" directory used by Anthropic…
- Supply chain brain drain: npm attacker foolishly leaks own GitHub private token — Theregister · 2026-05-27
  An npm-slop package “mouse5212-super-formatter” targeting Claude users and acting as a stealer reached 676 downloads before being removed from the registry - and after making a major vibe coding blund…
- AI-Generated npm Malware Leaks Hacker’s Private GitHub Token — Gbhackers · 2026-05-28
  A newly discovered malicious npm package is drawing attention across the cybersecurity community after inadvertently exposing its own operator’s private GitHub token. Identified by OX Security researc…
- AI-Generated npm Malware Accidentally Exposes Threat Actor’s Private GitHub Token — Cybersecuritynews · 2026-05-28
  A new wave of AI-generated malware is hitting the open-source software ecosystem, and this time, the attacker made a critical mistake that gave researchers a rare inside look at their operation. A mal…
- Malware Slop New Malicious Npm Package Leaks Its Own Github Private Token — www.ox.security · 2026-05-27
Timeline
- 2026-05-27 — Malicious npm package discovered: The 'mouse5212-super-formatter' package was identified as an infostealer targeting Claude users, reaching 676 downloads before removal.
- 2026-05-27 — GitHub token leak reported: The malware leaked its own GitHub private token, allowing researchers to trace the attack and analyze the malware.
- 2026-05-28 — Security warnings issued: Researchers warned users to revoke GitHub access tokens and check for compromised files in the '/mnt/user-data' directory.
Related entities
- Malware (Attack Type)
- Supply Chain Attack (Attack Type)
- Anthropic (Company)
- CWE-200 - Exposure of Sensitive Information (CWE)
- CWE-798 - Use of Hard-coded Credentials (CWE)
- GhostSocks (Malware)
- mouse5212-super-formatter (Malware)
- Vidar (Malware)
- T1005 - Data From Local System (MITRE ATT&CK)
- T1036 - Masquerading (MITRE ATT&CK)
- T1041 - Exfiltration Over C2 Channel (MITRE ATT&CK)
- T1105 - Ingress Tool Transfer (MITRE ATT&CK)
- T1195 - Supply Chain Compromise (MITRE ATT&CK)
- T1567 - Exfiltration Over Web Service (MITRE ATT&CK)
- GitHub (Platform)
- Rust (Platform)
- TypeScript (Platform)
- npm (Tool)
- GitHub Actions (Tool)
- GitHub Contents API (Tool)
- GitHub Releases (Tool)