Malicious npm package 'mouse5212-super-formatter' steals files from Claude AI /mnt/user-data directory, exfiltrates to attacker GitHub via postinstall
OX Security has flagged a malicious npm package, mouse5212-super-formatter (campaign codenamed Malware-Slop), designed to exfiltrate files from /mnt/user-data - the directory Anthropic's Claude uses to handle uploads and outputs. The package presents itself as an 'archive deployment sync' utility but, during the postinstall stage, authenticates to GitHub using a token found in the victim's environment (or a hard-coded fallback), creates an attacker-controlled repository, and recursively uploads every local file. It writes a fake 'network connections' log to disguise the theft. The package leaked its own GitHub token, suggesting AI-generated malware with poor OPSEC. It has ~676 downloads and remains live on npm.
- Check: Search npm install logs and CI/CD for mouse5212-super-formatter. On any host that ran it, audit /mnt/user-data access and outbound GitHub API calls. Rotate exposed GitHub tokens.
- Affected: Developers and AI-tooling users who installed mouse5212-super-formatter (676 downloads, still live). Systems with Claude's /mnt/user-data directory and a GitHub token in the environment are the target.
- Fix: Remove the package and pin dependencies via lockfile. Rotate every GitHub token reachable from affected hosts. Treat uploaded/output files in /mnt/user-data as potentially exfiltrated.
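To complement the log search in the Check item, the following added example (not from OX Security or the original brief) sweeps a checkout or CI workspace for the package in package.json, npm lockfiles (v1 nested and v2/v3 flat layouts) and installed node_modules directories. Only the package name comes from the brief; the function names and output format are this example's own.

```python
import json
import os
import sys

PACKAGE = "mouse5212-super-formatter"  # package name from the brief
MANIFESTS = {"package.json", "package-lock.json", "npm-shrinkwrap.json"}
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

def find_in_doc(doc, name=PACKAGE):
    """Return where one parsed package.json or npm lockfile references `name`."""
    hits = []
    def walk(deps, trail):  # package.json: name -> range; lockfile v1: name -> nested entry
        for dep, meta in (deps or {}).items():
            if dep == name:
                hits.append(" > ".join(trail + [dep]))
            if isinstance(meta, dict):
                walk(meta.get("dependencies"), trail + [dep])
    for field in DEP_FIELDS:
        walk(doc.get(field), [field])
    # lockfile v2/v3: flat "packages" map keyed by install path
    for path, meta in (doc.get("packages") or {}).items():
        if path.rpartition("node_modules/")[2] == name:
            hits.append("packages > " + path)
        for field in DEP_FIELDS:
            if name in (meta.get(field) or {}):
                hits.append(f"packages > {path or '<root>'} > {field}")
    return hits

def scan_tree(root, name=PACKAGE):
    """Walk `root`; return (path, finding) pairs for manifests and installed copies."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "node_modules" and name in dirnames:
            results.append((os.path.join(dirpath, name), "installed on disk"))
        for fn in sorted(MANIFESTS.intersection(filenames)):
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8") as fh:
                    doc = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or malformed: skip, keep sweeping
            if isinstance(doc, dict):
                results += [(full, hit) for hit in find_in_doc(doc, name)]
    return results

if __name__ == "__main__":
    for path, finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {finding}")
```

A hit under `packages` or a nested `dependencies` trail means the package arrived transitively, so the parent named in the trail also needs review before the lockfile is re-pinned.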