Malicious npm Package Stole Files From Claude AI User Directory via GitHub
The Hacker NewsArchived May 27, 2026✓ Full text saved
Cybersecurity researchers have discovered a new malicious package on the npm registry that comes with information stealing capabilities. According to OX Security, the package, named "mouse5212-super-formatter," is designed to upload files from "/mnt/user-data," a dedicated directory used by Anthropic's Claude artificial intelligence (AI) tool to handle uploads and outputs in the background. The
Full text archived locally
✦ AI Summary· Claude Sonnet
Malicious npm Package Stole Files From Claude AI User Directory via GitHub
Ravie LakshmananMay 27, 2026Threat Intelligence / Supply Chain Attack
Cybersecurity researchers have discovered a new malicious package on the npm registry that comes with information stealing capabilities.
According to OX Security, the package, named "mouse5212-super-formatter," is designed to upload files from "/mnt/user-data," a dedicated directory used by Anthropic's Claude artificial intelligence (AI) tool to handle uploads and outputs in the background. The activity has been codenamed Malware-Slop.
"By analyzing the malware, it turns out that the script presents itself as an internal 'archive deployment sync' utility that validates or initializes a GitHub repository, captures a lightweight 'network status' snapshot, and then performs a structured synchronization of local workspace files into a remote tracking tree," researchers Moshe Siman Tov Bustan and Nir Zadok said.
In reality, however, it authenticates to GitHub during the postinstall stage, either using a GitHub access token found in the victim's environment or a hard-coded token as a fallback, checks whether a target repository exists, and if not, creates it, and then recursively uploads every file to a threat actor-controlled GitHub account.
The stolen files are stored within randomly named folders to help the operator distinguish between different theft sessions. The malware also writes a fake "network connections" log to give the impression that it's sending diagnostic information, while obscuring its true operational behavior of unauthorized collection and remote transfer of local data.
The package is still available for download from npm and is estimated to have been downloaded 676 times. However, how many of these correspond to actual installs remains unclear. The GitHub account linked to the campaign is no longer available, although OX noted that it was created on May 26, 2026, a few hours before the first malicious version was uploaded to npm.
What's notable about the package is that it leaked details of the GitHub account, including its private token, raising the possibility that the threat actor is using AI to generate malware while not implementing basic operational security (OPSEC) best practices.
"Now that the bar to create malicious code was reduced significantly, we're going to see more threat actors getting into the game - uploading more sloppy malwares, mostly mimicking APT groups to get a slice of the cake until npm starts automatically blocking malware completely," OX Security said.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
Anthropic, Claude AI, cybersecurity, data theft, GitHub, Malware, NPM, Open Source Security, Supply Chain Attack, Threat Intelligence
⚡ Top Stories This Week
The New Phishing Click: How OAuth Consent Bypasses MFA
NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows
GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos
DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros
ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories
Developer Workstations Are Now Part of the Software Supply Chain
⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software
Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit
Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective
Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws
MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension
Load More ▼
⭐ Featured Resources
Discover How to Navigate the Era of Constant Cyber Exposure
[Guide] Get Key Identity Security Insights From 2026 Snapshot
Claim ANY.RUN Anniversary Offer for Faster Malware Analysis
[Guide] Learn to Detect AI Typosquatting Risks in Your Domain