Back

Malicious npm Package Steals Files from Claude Users via GitHub Token Leak

Severity: High (Score: 69.0)

Sources: www.ox.security, Theregister, Letsdatascience

Published: 2026-05-27 · Updated: 2026-05-28

Keywords: package, malicious, files, claude, directory, mouse5212-super-formatter, researchers

Severity indicators: supply chain

Summary

Cybersecurity researchers identified a malicious npm package named 'mouse5212-super-formatter' that targeted users of Anthropic's Claude AI. The package was designed to exfiltrate files from the '/mnt/user-data' directory, which stores uploads and outputs. It reached 676 downloads before being removed from the npm registry. The malware's developer inadvertently leaked their own GitHub private token, allowing researchers to trace the stolen files. The package masqueraded as a utility for synchronizing files with a GitHub repository but functioned as a stealer, uploading files through the GitHub Contents API. All versions of the package are affected, prompting users to revoke GitHub access tokens and assume compromise of unusual files. The incident highlights the risks associated with supply-chain attacks and poorly coded malware. Researchers warn that similar attacks may increase as threat actors exploit vulnerabilities in npm packages. Key Points: • The malicious npm package 'mouse5212-super-formatter' exfiltrated files from Claude users. • The malware reached 676 downloads before being removed from the registry. • The developer leaked their own GitHub token, allowing researchers to analyze the malware.

Detailed Analysis

**Impact** The malicious npm package "mouse5212-super-formatter" targeted users of Anthropic's Claude AI platform, specifically accessing the "/mnt/user-data" directory where user uploads and outputs are stored. The package reached 676 downloads before removal, potentially compromising sensitive files from affected Claude users. The incident impacts developers and organizations using Claude, with no specific geographic scope detailed, but likely affecting sectors relying on AI-assisted coding and data processing. Exfiltrated data includes code, uploads, and background outputs, posing operational and intellectual property risks. **Technical Details** The attack involved a malicious npm package that authenticates to GitHub using environment or hardcoded tokens to upload local files recursively to attacker-controlled repositories via the GitHub Contents API. The malware uses base64 encoding for exfiltration and disguises its activity with fake network logs and benign commit messages. Related operations include trojanized GitHub Releases delivering Rust-based droppers deploying Vidar infostealer and GhostSocks proxy. The attacker leaked their own GitHub private token, enabling researchers to trace activity. No CVEs were specified. Key IOCs include the package name "mouse5212-super-formatter," GitHub accounts created and deleted in early May 2026, and payloads such as TradeAI.exe. **Recommended Response** Immediately revoke all GitHub access tokens potentially exposed through the malicious package and investigate unusual files in the "/mnt/user-data" directory for compromise. Harden CI/CD pipelines by applying allowlists for third-party packages, scanning builds and release artifacts for unauthorized changes, and monitoring outbound uploads from runtime sandbox directories. Isolate affected endpoints and preserve malicious artifacts for forensic analysis. Monitor advisories from OX Security, SOC Prime, and vendors for updated IOCs and package takedown notices.

Source articles (3)

  • Malicious npm Package Exfiltrates Files From Claude User Directory | Let's Data Science — Letsdatascience · 2026-05-27
    Cybersecurity researchers identified a malicious npm package named "mouse5212-super-formatter," which researchers say was designed to upload files from the "/mnt/user-data" directory used by Anthropic…
  • Supply chain brain drain: npm attacker foolishly leaks own GitHub private token — Theregister · 2026-05-27
    An npm-slop package “mouse5212-super-formatter” targeting Claude users and acting as a stealer reached 676 downloads before being removed from the registry - and after making a major vibe coding blund…
  • Malware Slop New Malicious Npm Package Leaks Its Own Github Private Token — www.ox.security · 2026-05-27

Timeline

  • 2026-05-27 — Malicious npm package identified: Researchers found 'mouse5212-super-formatter' designed to steal files from Claude users' directories.
  • 2026-05-27 — Developer leaks GitHub token: The malware's developer accidentally leaked their GitHub private token, aiding in malware analysis.
  • 2026-05-27 — Package removed from npm registry: 'mouse5212-super-formatter' was removed after reaching 676 downloads, prompting user alerts.

Related entities

  • Malware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Anthropic (Company)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-798 - Use of Hard-coded Credentials (Cwe)
  • GhostSocks (Malware)
  • Mouse5212-super-formatter (Malware)
  • Vidar (Malware)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1105 - Ingress Tool Transfer (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • GitHub (Platform)
  • Rust (Platform)
  • TypeScript (Platform)
  • Npm (Tool)
  • GitHub Actions (Tool)
  • GitHub Contents API (Tool)
  • GitHub Releases (Tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed