OX Security has flagged a malicious npm package, mouse5212-super-formatter (campaign codenamed Malware-Slop), designed to exfiltrate files from /mnt/user-data - the directory Anthropic's Claude uses to handle uploads and outputs. The package presents itself as an 'archive deployment sync' utility but, during the postinstall stage, authenticates to GitHub using a token found in the victim's environment (or a hard-coded fallback), creates an attacker-controlled repository, and recursively uploads every local file. It writes a fake 'network connections' log to disguise the theft. The package leaked its own GitHub token, suggesting AI-generated malware with poor OPSEC. It has ~676 downloads and remains live on npm.
Hackers are buying Google ads that look like they go to claude.ai - and they do go to a real claude.ai page. But the page is a shared Claude chat dressed up as 'Apple Support' walking users through installing Claude on a Mac. The instructions tell people to paste a command into Terminal that quietly downloads MacSync, a Mac infostealer that grabs saved browser passwords, cookies, and contents of macOS Keychain (where Mac stores logins and keys). Because both the ad and the page are real claude.ai links, there is no fake domain to spot. Researcher Berk Albayrak first reported the campaign; BleepingComputer found a second active variant.