Full Report
Cybersecurity researchers have discovered a new malicious package on the npm registry that comes with information-stealing capabilities. According to OX Security, the package, named "mouse5212-super-formatter," is designed to upload files from "/mnt/user-data," a dedicated directory used by Anthropic's Claude artificial intelligence (AI) tool to handle uploads and outputs in the background. The
Analysis Summary
# Incident Report: Malware-Slop Supply Chain Attack
## Executive Summary
A malicious npm package named `mouse5212-super-formatter` was discovered targeting users of Anthropic’s Claude AI tool. The malware attempted to exfiltrate local data from the `/mnt/user-data` directory to a threat actor-controlled GitHub repository. While the package achieved hundreds of downloads, the threat actor’s poor operational security (OPSEC) led to the exposure of their own GitHub private access token.
## Incident Details
- **Discovery Date:** May 27, 2026
- **Incident Date:** May 26, 2026 (First upload)
- **Affected Organization:** Users of Anthropic's Claude AI (Desktop/Local environments)
- **Sector:** AI/Technology
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 26, 2026
- **Vector:** Supply Chain Attack via npm Registry
- **Details:** The threat actor created a GitHub account and shortly after uploaded the malicious package `mouse5212-super-formatter` to the public npm registry.
### Lateral Movement
- **Details:** The malware did not exhibit traditional network lateral movement; instead, it recursively enumerated a local directory (`/mnt/user-data`) to reach protected AI workspace data.
### Data Exfiltration/Impact
- **Details:** The script recursively uploaded files from `/mnt/user-data` (a directory used by Claude AI for uploads and outputs) to a GitHub repository named `unplowed3584`.
### Detection & Response
- **Detection:** Discovered by OX Security researchers through behavioral analysis of new npm uploads.
- **Response Actions:** The threat actor's GitHub account was taken down; researchers analyzed the credentials leaked inside the malware.
## Attack Methodology
- **Initial Access:** Typosquatting/Social Engineering via npm package installation.
- **Persistence:** Executed via `postinstall` script hooks in the `package.json`.
- **Defense Evasion:** Generates fake "network connections" logs and masquerades as an "archive deployment sync" utility to hide malicious upload activity.
- **Credential Access:** Attempts to harvest GitHub access tokens from the victim’s environment variables.
- **Collection:** Recursive file scanning of `/mnt/user-data`.
- **Exfiltration:** HTTPS-based upload to a hardcoded GitHub repository using a leaked or stolen token.
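The methodology above maps cleanly onto things a pre-install gate can look for: an install-time lifecycle hook, references to the AI workspace path, token-bearing environment variables, and a hardcoded GitHub contents endpoint. The following is an added example written for this report, not code from OX Security, npm or the package's author; the indicator patterns, the `auditPackage` and `verdict` names, and the sample package and script are all constructed for illustration.

```javascript
// Added example, not code from OX Security, npm or the package's author: a
// pre-install audit that flags install-time lifecycle hooks and scans the
// script they run for the behaviours described in the report. The indicator
// patterns and the sample package below are constructed for this example.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each indicator corresponds to one line of the Attack Methodology section.
const INDICATORS = [
  { id: 'ai-workspace-path', re: /\/mnt\/user-data/ },                                          // Collection
  { id: 'env-token-harvest', re: /process\.env\.[A-Z_]*(TOKEN|SECRET|PAT)\b/ },                 // Credential Access
  { id: 'github-api-upload', re: /api\.github\.com\/repos\/[^/\s'"]+\/[^/\s'"]+\/contents/ },   // Exfiltration
  { id: 'recursive-fs-walk', re: /readdirSync\([^)]*\{[^}]*recursive\s*:\s*true/ },             // Collection
];

// Given a parsed package.json and a map of file path -> contents, return findings.
function auditPackage(pkg, files) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const command = String(scripts[hook]);
    findings.push({ kind: 'lifecycle-hook', hook, command });
    // If the hook runs "node <file>", scan that file; otherwise scan the command itself.
    const m = /\bnode\s+([^\s&;|]+)/.exec(command);
    const target = m ? m[1].replace(/^\.\//, '') : null;
    const source = target !== null && files[target] !== undefined ? files[target] : command;
    for (const ind of INDICATORS) {
      if (ind.re.test(source)) findings.push({ kind: 'indicator', hook, id: ind.id, file: target });
    }
  }
  return findings;
}

// Policy: block on any behavioural indicator; hold plain hooks for human review.
function verdict(findings) {
  if (findings.some((f) => f.kind === 'indicator')) return 'block';
  if (findings.some((f) => f.kind === 'lifecycle-hook')) return 'review';
  return 'allow';
}

// Constructed sample: a package whose postinstall hook carries all four indicators.
const SAMPLE_PACKAGE = {
  name: 'example-super-formatter',
  version: '1.0.0',
  scripts: { postinstall: 'node ./setup.js', test: 'echo ok' },
};
const SAMPLE_FILES = {
  'setup.js': [
    '// constructed sketch carrying the indicators; not a working uploader',
    'const token = process.env.GITHUB_TOKEN;',
    "const entries = fs.readdirSync('/mnt/user-data', { recursive: true });",
    "const api = 'https://api.github.com/repos/EXAMPLE-OWNER/EXAMPLE-REPO/contents/';",
    "console.log('archive deployment sync: network connections established');",
  ].join('\n'),
};

const sampleFindings = auditPackage(SAMPLE_PACKAGE, SAMPLE_FILES);
console.log(verdict(sampleFindings), JSON.stringify(sampleFindings, null, 2));
```

In practice the `pkg` and `files` arguments come from an extracted tarball inspected before `npm install` runs it. The audit complements, rather than replaces, setting `ignore-scripts=true` in `.npmrc`, which stops lifecycle hooks from executing at all; the audit is what tells you why a package tripped that policy.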
## Impact Assessment
- **Financial:** Unknown; potential loss of intellectual property contained in AI prompts/outputs.
- **Data Breach:** High risk; unauthorized exfiltration of sensitive AI-generated content and user-uploaded files.
- **Operational:** Minimal disruption to system uptime, but severe breach of data confidentiality.
- **Reputational:** Highlights the ongoing risks of using unverified third-party libraries in AI development workflows.
## Indicators of Compromise
- **File Indicators:** `mouse5212-super-formatter` (npm package)
- **Behavioral Indicators:** Unexpected outbound traffic to `github[.]com` immediately following an `npm install`, and unauthorized access attempts to `/mnt/user-data`.
- **Threat Actor Infrastructure:** `github[.]com/unplowed3584` (Defanged)
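The behavioral indicators are more useful as a correlation rule than as isolated matches, since developers legitimately talk to GitHub all day. The code below is an added example, not a rule from OX Security or any vendor product: it ties an `npm install` process event to same-host reads under `/mnt/user-data` and outbound connections to GitHub within a short window. The JSON-lines event format, the field names, and the sample events are all constructed for this example.

```javascript
// Added example, not a rule from OX Security or any vendor product: correlates
// the two behavioural indicators from the report (an npm install followed by
// reads under /mnt/user-data and outbound traffic to GitHub) over a JSON-lines
// event log. The log format and the sample events are constructed here.
const WORKSPACE_PREFIX = '/mnt/user-data/';

function isNpmInstall(cmd) {
  return /^npm\s+(install|i|add|ci)\b/.test(cmd || '');
}

function isGitHubHost(dst) {
  return typeof dst === 'string' && (dst === 'github.com' || dst.endsWith('.github.com'));
}

// Parse one JSON object per line and attach an epoch-millisecond timestamp.
function parseEvents(logText) {
  return logText
    .split('\n')
    .filter((line) => line.trim())
    .map((line) => {
      const ev = JSON.parse(line);
      return { ...ev, t: Date.parse(ev.ts) };
    });
}

// For each npm install, collect same-host workspace reads and GitHub connections
// within windowSec afterwards; emit one alert per install that shows either.
function correlateNpmExfil(logText, windowSec = 120) {
  const events = parseEvents(logText).sort((a, b) => a.t - b.t);
  const alerts = [];
  for (const inst of events) {
    if (inst.type !== 'process' || !isNpmInstall(inst.cmd)) continue;
    const deadline = inst.t + windowSec * 1000;
    const filesTouched = [];
    const githubHosts = [];
    for (const ev of events) {
      if (ev.host !== inst.host || ev.t < inst.t || ev.t > deadline) continue;
      if (ev.type === 'file' && typeof ev.path === 'string' && ev.path.startsWith(WORKSPACE_PREFIX)) {
        filesTouched.push(ev.path);
      }
      if (ev.type === 'network' && isGitHubHost(ev.dst)) githubHosts.push(ev.dst);
    }
    if (filesTouched.length === 0 && githubHosts.length === 0) continue;
    alerts.push({
      host: inst.host,
      install: inst.cmd,
      at: inst.ts,
      filesTouched,
      githubHosts: [...new Set(githubHosts)],
      // Both indicators together match the reported behaviour; one alone is worth a look.
      severity: filesTouched.length > 0 && githubHosts.length > 0 ? 'high' : 'medium',
    });
  }
  return alerts;
}

// Constructed sample log: dev-1 shows the full pattern, dev-2 is a normal install,
// dev-3 is ordinary GitHub traffic with no install preceding it.
const SAMPLE_LOG = [
  '{"ts":"2026-05-26T10:00:00Z","type":"process","host":"dev-1","cmd":"npm install example-super-formatter"}',
  '{"ts":"2026-05-26T10:00:04Z","type":"file","host":"dev-1","path":"/mnt/user-data/notes/plan.md","op":"read"}',
  '{"ts":"2026-05-26T10:00:05Z","type":"file","host":"dev-1","path":"/mnt/user-data/outputs/report.pdf","op":"read"}',
  '{"ts":"2026-05-26T10:00:06Z","type":"network","host":"dev-1","dst":"api.github.com","port":443}',
  '{"ts":"2026-05-26T11:30:00Z","type":"process","host":"dev-2","cmd":"npm install eslint"}',
  '{"ts":"2026-05-26T11:30:02Z","type":"network","host":"dev-2","dst":"registry.npmjs.org","port":443}',
  '{"ts":"2026-05-26T12:00:00Z","type":"network","host":"dev-3","dst":"github.com","port":443}',
].join('\n');

console.log(JSON.stringify(correlateNpmExfil(SAMPLE_LOG), null, 2));
```

The window is the tunable that decides noise: the reported package acted immediately on install, so a couple of minutes catches it, while a long window on a busy developer host would start flagging unrelated `git push` traffic. Logging `npm` process starts with their arguments, file opens under the AI workspace path, and DNS or connection destinations is the minimum telemetry this rule needs.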
## Response Actions
- **Containment:** Removal of the malicious package from local environments.
- **Eradication:** Deletion of the threat actor's GitHub repository and revocation of the leaked private token.
- **Recovery:** Users advised to audit any data stored in Claude AI persistent directories.
## Lessons Learned
- **AI-Generated Malware:** The presence of hardcoded private tokens suggests the attacker may have used AI to generate the code without reviewing it for OPSEC vulnerabilities.
- **Supply Chain Fragility:** Automated tools frequently pull in dependencies that can bypass standard security perimeters.
- **Directory Sensitivity:** Standardized paths used by popular AI tools (like `/mnt/user-data`) are now specific targets for automated scrapers.
## Recommendations
- **Scoped Permissions:** Restrict the service accounts or users running npm installs from accessing sensitive AI data directories.
- **Lockfiles & Auditing:** Use `npm audit` and lockfiles to prevent the accidental introduction of new, unverified packages.
- **Environment Hygiene:** Avoid storing sensitive GitHub tokens in plaintext environment variables where malicious packages can scrape them.