A piece of malware just exfiltrated files from a Claude AI working directory, uploaded them to GitHub, and accidentally shipped its own private access token in the package. That’s not a hypothetical supply chain nightmare — it’s mouse5212-super-formatter, an npm package that researchers at OX Security flagged on May 27, 2026, and it tells a bigger story about where attacker tradecraft is heading. The bar for writing functional malware just dropped through the floor, and the people walking through that door aren’t always competent enough to cover their tracks.
How the mouse5212-super-formatter npm Package Steals Claude AI Files
According to OX Security researchers Moshe Siman Tov Bustan and Nir Zadok, the package — codenamed Malware-Slop — masquerades as an “archive deployment sync” utility that validates a GitHub repo, takes a “network status” snapshot, and syncs local workspace files to a remote tracking tree. What it actually does during the npm postinstall stage is authenticate to GitHub using either a token found in the victim’s environment or a hard-coded fallback token, then recursively upload every file from /mnt/user-data — the directory Anthropic’s Claude uses to handle uploads and outputs — to a threat-actor-controlled GitHub account. Stolen files are stashed in randomly named folders so the operator can separate one victim’s haul from another’s, while a fake “network connections” log throws off anyone watching the noise.
This matters because /mnt/user-data isn’t a random temp folder. It’s where users hand sensitive material to Claude: contracts, source code, customer exports, medical PDFs, anything they’re asking the model to reason over. A single compromised dev machine running this package can leak an entire workflow’s worth of confidential context into a stranger’s GitHub repo before the developer even closes their terminal tab. If you’re a consultancy using AI to process client deliverables, or a healthcare team feeding records into a model, the blast radius is exactly the data you were most careful about uploading.
The prediction here is grim and short: AI tool working directories are now first-class exfiltration targets, and we’ll see at least three more packages targeting /mnt/user-data or its equivalents in Cursor, Copilot, and Codex environments within the next quarter.
Why GitHub Is the New C2 Channel for Supply Chain Attacks
The attacker didn’t bother with a custom command-and-control server. They used the GitHub API as both their data store and their staging infrastructure, creating a repo on demand under the unplowed3584 account — which OX notes was registered on May 26, 2026, just hours before the first malicious version hit npm. The account is already gone, but the package itself is still downloadable from npm with roughly 676 downloads, though OX cautions it’s unclear how many of those represent real installs versus mirrors and scanners.
GitHub is allow-listed almost everywhere — corporate proxies, developer laptops, CI runners. Outbound traffic to api.github.com rarely raises eyebrows. By turning a legitimate developer platform into the dead-drop, the attacker sidesteps the kind of network egress monitoring that would have caught a connection to a random VPS. For defenders building AI agents and automation pipelines that handle confidential inputs, this should change your threat model: your network DLP probably won’t see this leaving, because it looks identical to git push.
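Because the destination is the same api.github.com every developer already talks to, the usable signal is not where the traffic goes but which repository owner receives a burst of writes, and whether that owner is one the organisation actually uses. The following is an added example, not code from OX Security or from the package: it parses constructed egress-proxy log lines (the timestamp/source/method/URL format, the allow-list of owners, the thresholds and the owner name stranger4410 are all assumptions of this example) and raises an alert when a host writes several files through the GitHub contents API to a repository owned by an unknown account inside a short window.

```javascript
// Added example: find GitHub-as-dead-drop uploads in egress proxy logs.
// Not OX Security's code. Destination filtering only sees "api.github.com";
// the signal is which repository *owner* receives writes, and how fast.

// Repository owners the organisation legitimately pushes to (assumed allow-list).
const KNOWN_OWNERS = new Set(["acme-corp", "acme-labs"]);

// Constructed proxy log in a simplified "timestamp source method url" format.
const SAMPLE_LOG = `
2026-05-27T09:00:01Z 10.0.5.12 GET  https://api.github.com/repos/acme-corp/web-app/pulls
2026-05-27T09:00:05Z 10.0.5.12 PUT  https://api.github.com/repos/acme-corp/web-app/contents/README.md
2026-05-27T09:02:10Z 10.0.5.12 POST https://api.github.com/user/repos
2026-05-27T09:02:12Z 10.0.5.12 PUT  https://api.github.com/repos/stranger4410/q8z3k1/contents/b7f2/contract.pdf
2026-05-27T09:02:13Z 10.0.5.12 PUT  https://api.github.com/repos/stranger4410/q8z3k1/contents/b7f2/export.csv
2026-05-27T09:02:14Z 10.0.5.12 PUT  https://api.github.com/repos/stranger4410/q8z3k1/contents/b7f2/notes.md
2026-05-27T09:02:16Z 10.0.5.12 PUT  https://api.github.com/repos/stranger4410/q8z3k1/contents/b7f2/schema.sql
2026-05-27T11:40:00Z 10.0.5.40 PUT  https://api.github.com/repos/carol-personal/dotfiles/contents/.vimrc
`;

const LINE_RE = /^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$/;
// GitHub's contents API: PUT /repos/{owner}/{repo}/contents/{path} creates or updates a file.
const CONTENTS_RE = /^https:\/\/api\.github\.com\/repos\/([^/]+)\/([^/]+)\/contents\//;
// POST /user/repos creates a repository under the token's account.
const CREATE_RE = /^https:\/\/api\.github\.com\/user\/repos$/;

// Turn the raw text into {ts, src, method, url} records; malformed lines are dropped.
function parseProxyLog(text) {
  return text
    .split("\n")
    .map((l) => l.trim())
    .filter(Boolean)
    .map((l) => {
      const m = LINE_RE.exec(l);
      return m ? { ts: Date.parse(m[1]), src: m[2], method: m[3], url: m[4] } : null;
    })
    .filter(Boolean);
}

// Alert when one source host writes >= minWrites files within windowMs to a
// repository whose owner is not on the allow-list. A repo creation from the
// same host is recorded as supporting evidence, not as a requirement.
function detectDeadDropWrites(logText, { knownOwners = KNOWN_OWNERS, windowMs = 10 * 60 * 1000, minWrites = 3 } = {}) {
  const creates = new Set(); // source hosts that created a repo through the API
  const groups = new Map();  // "src|owner/repo" -> { src, owner, repo, writes: [ts] }
  for (const e of parseProxyLog(logText)) {
    if (e.method === "POST" && CREATE_RE.test(e.url)) creates.add(e.src);
    const m = e.method === "PUT" ? CONTENTS_RE.exec(e.url) : null;
    if (!m) continue;
    const [, owner, repo] = m;
    if (knownOwners.has(owner)) continue; // writes to our own orgs are expected
    const key = `${e.src}|${owner}/${repo}`;
    if (!groups.has(key)) groups.set(key, { src: e.src, owner, repo, writes: [] });
    groups.get(key).writes.push(e.ts);
  }
  const alerts = [];
  for (const g of groups.values()) {
    g.writes.sort((a, b) => a - b);
    // Largest number of writes that fit inside any windowMs span (sliding window).
    let burst = 0;
    for (let i = 0, j = 0; j < g.writes.length; j++) {
      while (g.writes[j] - g.writes[i] > windowMs) i++;
      burst = Math.max(burst, j - i + 1);
    }
    if (burst >= minWrites) {
      alerts.push({ src: g.src, owner: g.owner, repo: g.repo, writes: g.writes.length, burst, createdRepoViaApi: creates.has(g.src) });
    }
  }
  return alerts;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(detectDeadDropWrites(SAMPLE_LOG), null, 2));
}
```

The single write from 10.0.5.40 to a personal dotfiles repository stays below the threshold, which is the point of keying on bursts rather than on every unknown owner: developers do push to personal repos, but an install-time job does not normally create a repository and then upload a directory's worth of files in seconds. In production the allow-list would come from the organisation's GitHub tenancy and the log from the actual proxy or TLS-inspecting gateway.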
If you’re running a team that depends on third-party npm packages anywhere near sensitive data — say, an engineering org pulling in formatters or linters into the same workspace where you’re piping documents into Claude — the practical control is to scope GitHub tokens narrowly, never store them as plain environment variables on developer machines, and audit postinstall scripts before installation. npm install --ignore-scripts exists for a reason; it’s time more teams used it by default.
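One way to put "audit postinstall scripts before installation" into practice, as an added example that is not code from the OX Security writeup or from the package itself: a small Node.js audit that lists the lifecycle hooks a package declares, follows a `node some/script.js` hook into the referenced file, and flags the behaviours the article describes. The sample package.json and script body are constructed stand-ins (deliberately non-functional), not the real package's contents; the indicator list and the block/review/ok levels are assumptions of this example.

```javascript
// Added example: audit a package's npm lifecycle hooks before letting them run.
// Not the malicious package's code; the sample package below is a constructed
// stand-in that only mimics the behaviours the article describes.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators a reviewer would want surfaced (assumed list for this example).
const INDICATORS = [
  { name: "ai-workdir", re: /\/mnt\/user-data/ },                     // Claude's upload/output directory
  { name: "github-api", re: /api\.github\.com/i },                   // GitHub used as a dead drop
  { name: "token-env", re: /GITHUB_TOKEN|GH_TOKEN|process\.env/ },   // harvesting tokens from the environment
  { name: "hardcoded-pat", re: /\bgh[pousr]_[A-Za-z0-9]{36}\b/ },    // a personal access token baked into source
  { name: "obfuscated-eval", re: /\beval\(|new Function\(|atob\(/ }, // runtime-decoded payloads
];

// Returns one finding per lifecycle hook the package declares. `files` maps a
// relative path to its source so that `node some/script.js` hooks are inspected too.
function auditPackage(pkg, files = {}) {
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (!command) continue;
    const ref = /\bnode\s+([\w./-]+\.js)\b/.exec(command);
    const body = ref && files[ref[1]] ? files[ref[1]] : "";
    const text = `${command}\n${body}`;
    const indicators = INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
    findings.push({ hook, command, indicators });
  }
  return findings;
}

// "block": an indicator fired; "review": hooks exist but look benign; "ok": no hooks at all.
function riskLevel(findings) {
  if (findings.some((f) => f.indicators.length > 0)) return "block";
  return findings.length > 0 ? "review" : "ok";
}

// Constructed sample resembling the article's description (NOT the real package).
const SAMPLE_PKG = {
  name: "example-formatter",
  version: "1.0.0",
  scripts: { postinstall: "node scripts/sync.js", test: "jest" },
};
const SAMPLE_FILES = {
  "scripts/sync.js": [
    "// constructed stand-in, deliberately not functional",
    `const token = process.env.GITHUB_TOKEN || "ghp_${"X".repeat(36)}";`,
    'const workdir = "/mnt/user-data";',
    'const api = "https://api.github.com/user/repos";',
  ].join("\n"),
};

if (typeof require !== "undefined" && require.main === module) {
  const findings = auditPackage(SAMPLE_PKG, SAMPLE_FILES);
  console.log(JSON.stringify({ risk: riskLevel(findings), findings }, null, 2));
}
```

To run this against a real candidate, fetch the tarball with `npm pack <name>` and read package.json and the referenced scripts out of it rather than installing; pair the audit with `ignore-scripts=true` in `.npmrc` (or `npm config set ignore-scripts true`) so that nothing runs until a reviewer has opted in. A "review" result on something like `node-gyp rebuild` is the normal case and is exactly what the opt-in step is for.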
What Malware-Slop Reveals About AI-Generated Threat Actors
The most interesting detail in the OX writeup is not the attack mechanics — it’s the operational sloppiness. The package literally shipped the attacker’s own private GitHub token inside its source. That’s the kind of error that any human author writing malware professionally would have caught on the first read-through. OX Security’s read is direct: the bar to write malicious code has dropped, and we’re going to see more threat actors uploading sloppy malware that mimics APT groups “to get a slice of the cake until npm starts automatically blocking malware completely.”
That’s what generative AI does to the bottom of the threat-actor pyramid. It collapses the skill floor. Five years ago, writing a working npm exfiltration package required someone who understood Node module lifecycles, GitHub API auth flows, and how to obfuscate intent. Today, anyone with a chat window can produce a functional first draft — including the bugs and credentials the model happily echoes back into the output. Imagine you’re a security team triaging dependency alerts: you used to assume malicious packages came from a small pool of organized actors. Now your inbound risk includes hundreds of one-shot amateurs who don’t know that a credential belongs in an environment variable and never in the shipped source.
The counterintuitive consequence is that this generation of malware is easier to catch — leaked tokens, dead-give-away repo names, no anti-analysis — but there’s going to be vastly more of it. Detection economics flip from “find the needle” to “sift the flood.” Registries like npm will be forced into automated pre-publish scanning that mirrors the kind of safeguards the App Store has had for a decade. Expect npm to announce default scanning of postinstall scripts within the next year; the alternative is to keep being the soft underbelly of the JavaScript supply chain.
FAQ
Q: What is the mouse5212-super-formatter npm package?
A: It’s a malicious npm package flagged by OX Security on May 27, 2026 that disguises itself as a sync utility. During installation, it uploads files from Claude AI’s /mnt/user-data directory to a GitHub repository controlled by the attacker, using either a stolen environment token or a hard-coded fallback.
Q: How does Malware-Slop bypass network monitoring?
A: It uses the GitHub API as its exfiltration channel rather than a custom server. Because api.github.com traffic is normal on developer machines and CI runners, most network egress monitoring tools won’t treat the upload as suspicious.
Q: Why does it matter that the attacker leaked their own GitHub token?
A: It suggests the malware was generated with AI assistance by someone who didn’t follow basic operational security. OX Security argues this is a preview of a wave of low-skill, AI-assisted malware authors flooding package registries until automated defenses catch up.
Key Takeaways
- AI working directories like /mnt/user-data are now explicit exfiltration targets — assume any file you upload to a hosted model could be reached by a compromised dependency on the same machine.
- Run npm install --ignore-scripts by default in any environment that touches confidential data or production credentials, and review postinstall hooks before opting in.
- Scope GitHub personal access tokens to the minimum repo set and rotate them frequently; treat them with the same care as cloud root keys, because attackers are already harvesting them from env vars.
- Network DLP built around blocking unknown destinations will miss this class of attack — extend monitoring to flag anomalous git push patterns and unfamiliar repository creations under developer accounts.
- Teams shipping AI-integrated software products should plan for npm and similar registries to introduce mandatory pre-publish malware scanning within the next 12 months, and design their build pipelines to gracefully handle the resulting friction.
- Expect a flood of sloppy, AI-generated malware mimicking APT tradecraft; the signal-to-noise ratio in dependency security alerts is about to get much worse before it gets better.