CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 27, 2026

Malicious npm Package Stole Files From Claude AI User Directory via GitHub

The Hacker News Archived May 27, 2026 ✓ Full text saved

Cybersecurity researchers have discovered a new malicious package on the npm registry that comes with information stealing capabilities. According to OX Security, the package, named "mouse5212-super-formatter," is designed to upload files from "/mnt/user-data," a dedicated directory used by Anthropic's Claude artificial intelligence (AI) tool to handle uploads and outputs in the background. The

Full text archived locally
✦ AI Summary · Claude Sonnet


    Malicious npm Package Stole Files From Claude AI User Directory via GitHub Ravie LakshmananMay 27, 2026Threat Intelligence / Supply Chain Attack Cybersecurity researchers have discovered a new malicious package on the npm registry that comes with information stealing capabilities. According to OX Security, the package, named "mouse5212-super-formatter," is designed to upload files from "/mnt/user-data," a dedicated directory used by Anthropic's Claude artificial intelligence (AI) tool to handle uploads and outputs in the background. The activity has been codenamed Malware-Slop. "By analyzing the malware, it turns out that the script presents itself as an internal 'archive deployment sync' utility that validates or initializes a GitHub repository, captures a lightweight 'network status' snapshot, and then performs a structured synchronization of local workspace files into a remote tracking tree," researchers Moshe Siman Tov Bustan and Nir Zadok said. In reality, however, it authenticates to GitHub during the postinstall stage, either using a GitHub access token found in the victim's environment or a hard-coded token as a fallback, checks whether a target repository exists, and if not, creates it, and then recursively uploads every file to a threat actor-controlled GitHub account. The stolen files are stored within randomly named folders to help the operator distinguish between different theft sessions. The malware also writes a fake "network connections" log to give the impression that it's sending diagnostic information, while obscuring its true operational behavior of unauthorized collection and remote transfer of local data. The package is still available for download from npm and is estimated to have been downloaded 676 times. However, how many of these correspond to actual installs remains unclear. The GitHub account linked to the campaign is no longer available, although OX noted that it was created on May 26, 2026, a few hours before the first malicious version was uploaded to npm. What's notable about the package is that it leaked details of the GitHub account, including its private token, raising the possibility that the threat actor is using AI to generate malware while not implementing basic operational security (OPSEC) best practices. "Now that the bar to create malicious code was reduced significantly, we're going to see more threat actors getting into the game - uploading more sloppy malwares, mostly mimicking APT groups to get a slice of the cake until npm starts automatically blocking malware completely," OX Security said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Anthropic, Claude AI, cybersecurity, data theft, GitHub, Malware, NPM, Open Source Security, Supply Chain Attack, Threat Intelligence ⚡ Top Stories This Week The New Phishing Click: How OAuth Consent Bypasses MFA NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories Developer Workstations Are Now Part of the Software Supply Chain ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems Microsoft Warns of Two Actively Exploited Defender Vulnerabilities GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension Load More ▼ ⭐ Featured Resources Discover How to Navigate the Era of Constant Cyber Exposure [Guide] Get Key Identity Security Insights From 2026 Snapshot Claim ANY.RUN Anniversary Offer for Faster Malware Analysis [Guide] Learn to Detect AI Typosquatting Risks in Your Domain
    💬 Team Notes
    Article Info
    Source
    The Hacker News
    Category
    ◇ Industry News & Leadership
    Published
    May 27, 2026
    Archived
    May 27, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗