Feed
HighPublished 26 May 2026Updated 27 May 20261 package · 5 versions

mouse5212-super-formatter: AI-generated npm infostealer targets Claude AI /mnt/user-data

Summary

On 2026-05-26 a fresh npm publisher pushed five versions of mouse5212-super-formatter (1.0.0–1.0.4) that exfiltrate files from Claude AI's /mnt/user-data directory to an attacker GitHub repo via a hard-coded PAT. Disclosed by OX Security on 2026-05-27 ("Malware-Slop"); ~676 downloads before npm unpublished all versions.

infostealercredential-theftobfuscation
Detected by
OX Security
Also known as
Malware-Slop
Ecosystems
npm
Packages tracked
1

What happened

Between 17:30:57 and 18:17:32 UTC on 2026-05-26 a fresh npm publisher pushed five versions of mouse5212-super-formatter (1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4) within a 47-minute window. The GitHub account the malware exfiltrates to was registered a few hours earlier the same day. OX Security disclosed the campaign on 2026-05-27 under the nickname Malware-Slop; npm unpublished all five versions at 17:53 UTC on 2026-05-27 after roughly 676 cumulative downloads.

The payload runs from a postinstall script that presents itself as an "archive deployment sync" utility. It authenticates to GitHub using either a GITHUB_TOKEN environment variable (when present on a CI runner) or a hard-coded PAT baked into the package as a fallback, creates a target repository if one does not exist, and then recursively walks the local workspace — specifically targeting /mnt/user-data, the directory Anthropic's Claude AI tool uses to handle file uploads and outputs — and pushes every file into the attacker repo via the GitHub Contents API. To make the postinstall log look benign, the script also writes a fake "network connections" snapshot to disk.

The hard-coded PAT was the campaign's undoing: OX researchers extracted it from the published tarball and used it to enumerate the attacker's GitHub account, where they observed roughly seven distinct exfiltration sessions (most of them appearing to be the operator testing their own malware on disposable VMs). The attacker subsequently deleted the GitHub account, but the audit trail OX captured leaks the campaign's tradecraft: the obviously LLM-generated code, the comically broken OPSEC, and the hard-coded credential combine to make this one of the first public examples of vibe-coded npm malware — an AI-assisted operator who can produce a working infostealer but lacks the operational discipline to keep their own credentials out of the binary.

  • All five versions were published from the same npm publisher with no prior package history.
  • Target file path /mnt/user-data is specific to Anthropic's Claude environment; the package will still exfiltrate whatever workspace is reachable to the install process on machines without that path, so impact is not limited to Claude users.
  • npm unpublished the package on 2026-05-27; tarballs may still exist in mirrors, lockfile caches, and historical CI image layers.

Affected packages (1)

  • npmmouse5212-super-formatter
    1.0.01.0.11.0.21.0.31.0.4

Impact

  • Recursive upload of every file under /mnt/user-data (Anthropic Claude tool upload/output directory) to attacker GitHub repo via the GitHub Contents API
  • Hard-coded GitHub PAT in the package — any developer who installed it shipped an attacker token to disk
  • Falls back to a GITHUB_TOKEN environment variable when present, so CI pipelines with elevated GitHub scope leak that token too
  • Stolen files stored under a random per-run folder name to keep multiple theft sessions distinguishable
  • Fake network connections log written to disk to make the postinstall execution look like routine diagnostics

What to do

  1. 1Remove mouse5212-super-formatter from every package.json / lockfile / npm cache; check CI image caches too
  2. 2On any machine that ran npm install against this package: assume /mnt/user-data (or the equivalent Claude Code workspace path) was exfiltrated and treat any documents previously placed there as compromised
  3. 3Rotate any GitHub PAT / GITHUB_TOKEN exposed to the install — the package can pick up either
  4. 4Search shell history and CI logs for mouse5212 to find every host that pulled it (676 downloads pre-unpublish)
  5. 5Add an npm install-time guard (e.g. --ignore-scripts + manual review) for packages from publishers with zero history and a high-entropy name

References

npm-2026-05-26-mouse5212-claude-ai-exfil