Malicious NPM Package Targets Claude AI User Directory To Steal Files Via GitHub


Cybersecurity researchers have identified a malicious package on the npm registry that was designed to steal files from directories used by Anthropic’s Claude artificial intelligence platform and upload them to attacker-controlled GitHub repositories. The package, named “mouse5212-super-formatter,” was discovered by OX Security and is believed to have been built with information-stealing capabilities targeting Claude AI environments. Researchers said the malware specifically accessed “/mnt/user-data,” a directory Claude uses to hold uploads and generated outputs in the background. OX Security has named the activity “Malware Slop,” highlighting concerns around the growing misuse of open source package registries for malicious purposes. More information about the cybersecurity company is available through OX Security’s official website at https://www.ox.security/.

According to OX Security researchers Moshe Siman Tov Bustan and Nir Zadok, the package disguised itself as an internal archive deployment synchronization utility. On the surface, it appeared to validate or initialize GitHub repositories, collect lightweight network snapshots, and synchronize local workspace files into remote tracking structures. However, deeper analysis showed that the package carried out unauthorized file theft during the post-installation process. The malware reportedly authenticated to GitHub either through access tokens discovered in the victim’s environment or by using a hard-coded fallback token embedded in the code. Once authenticated, it checked whether a target repository existed and created one if necessary before recursively uploading files from the victim’s machine to repositories controlled by the attacker. Researchers explained that the stolen data was stored inside randomly named folders, making it easier for operators to separate and organize data obtained from different victims.

To avoid raising suspicion, the malware generated a fake network connections log intended to create the impression that diagnostic or synchronization information was being transmitted. In reality, the package’s primary purpose was to collect files from local directories and send them remotely without user authorization. Researchers noted that the package remained available on the npm registry and had been downloaded approximately 676 times at the time of reporting, although the number of confirmed installations remains unclear. The GitHub account associated with the campaign has since been removed, but investigators found that it was created on May 26, 2026, only hours before the first malicious package version was uploaded to npm. This timeline suggests a coordinated attempt to establish malicious infrastructure quickly before distribution.

Researchers also observed an unusual operational weakness in the campaign. OX Security stated that the malware exposed details about the attacker’s GitHub account, including a private token, raising the possibility that artificial intelligence tools may have been used to generate portions of the malicious code without proper operational security practices. According to OX Security, the lower barrier to creating malicious software through artificial intelligence may lead to increased activity by less experienced threat actors publishing hastily developed malware across package ecosystems. Researchers warned that software developers and organizations relying on open source packages should strengthen package verification practices and closely inspect dependencies before installation to reduce exposure to supply-chain-related threats.
