A newly discovered npm package, mouse5212‑super‑formatter, silently uploads files from Anthropic’s Claude AI workspace to a threat‑actor‑controlled GitHub repo. Researchers explain how the post‑install script abuses tokens, the scale of the threat, and steps to protect your supply chain.

A suspicious npm package is stealing AI workspace data
Security researchers at OX Security have identified a malicious npm module called mouse5212-super-formatter that silently harvests files from the directory /mnt/user-data – the location Claude, Anthropic’s large‑language‑model assistant, uses for temporary uploads and generated output. The module then pushes every file it finds to a GitHub repository owned by the attacker, disguising the activity as a harmless "archive deployment sync" utility.
"The script pretends to validate a GitHub repo and capture a lightweight network snapshot, but in reality it authenticates with a token and recursively uploads the victim’s workspace files," explained Moshe Siman Tov Bustan, senior threat analyst at OX Security.
The operation, internally codenamed Malware‑Slop, has already been downloaded ~676 times from the npm registry. It is unclear how many of those downloads resulted in successful installations, but the potential exposure of Claude‑generated data – which often contains proprietary prompts, code snippets, and even confidential documents – is significant.
How the package works
- Post‑install hook – When npm runs the postinstall script, the malicious code executes automatically.
- Token harvesting – The script first looks for a GitHub personal access token (PAT) in environment variables such as GITHUB_TOKEN or GH_TOKEN. If none is found, it falls back to a hard‑coded token embedded in the package.
- Repo creation – Using the token, the malware checks whether a repository with a random name exists under the attacker’s account. If not, it creates one via the GitHub API.
- Recursive upload – Every file under /mnt/user-data is read and uploaded as a separate commit, placed in a randomly generated folder to separate theft sessions.
- Cover‑track log – To mask its activity, the script writes a fake network‑connections.log that claims it is sending only diagnostic data.
The entire flow happens within seconds of the package being installed, leaving no obvious trace in the victim’s console output.
Why this matters for AI‑enabled development environments
Claude AI is increasingly embedded in development pipelines for code generation, documentation, and data analysis. Those pipelines often run on shared workstations or CI agents that have npm installed, making them prime targets for supply‑chain abuse. By stealing the contents of the Claude workspace, attackers can:
- Reconstruct proprietary prompts that reveal business logic or trade secrets.
- Extract generated code that may contain undisclosed vulnerabilities.
- Harvest any files inadvertently dropped into the workspace, such as configuration files or API keys.
The incident also highlights a broader trend: threat actors are leveraging AI‑generated code to accelerate malware creation, but they still slip up on basic OPSEC, as evidenced by the leaked private token.
Immediate mitigation steps
1. Audit recent npm installs – Run npm ls -g --depth=0 and look for mouse5212-super-formatter. If found, remove it with npm uninstall -g mouse5212-super-formatter and delete any lingering files under /mnt/user-data that you do not recognize.
2. Rotate GitHub tokens – Any PAT that may have been exposed should be revoked immediately. Generate new tokens with the principle of least privilege (read‑only where possible) and store them in a secret manager rather than environment variables.
3. Harden CI/CD pipelines –
- Use a dedicated, minimal Node runtime that does not automatically run postinstall scripts. Add --ignore-scripts to npm commands when installing third‑party tools.
- Pin dependencies to exact versions and enable npm’s audit and protect features.
- Consider using a private proxy registry (e.g., Verdaccio) that mirrors only vetted packages.
4. Monitor file system activity – Deploy a host‑based intrusion detection system (HIDS) that can alert on unexpected reads of /mnt/user-data or outbound connections to api.github.com from development machines.
5. Review AI workspace permissions – Limit the directories that Claude can write to. If possible, configure the AI tool to use a sandboxed path that is not accessible to general‑purpose user accounts.
Longer‑term supply‑chain hygiene
- Enable npm’s package-lock.json verification – Tools like npm ci will fail if the lockfile does not match the registry, reducing the chance of a malicious version slipping in.
- Adopt SBOMs (Software Bill of Materials) – Maintaining an up‑to‑date SBOM lets you quickly identify which components are affected when a new threat is reported.
- Leverage automated scanning – Services such as GitHub Dependabot, Snyk, or OX Security’s own scanner can flag newly published packages that exhibit suspicious post‑install behavior.
- Educate developers – Regular training on supply‑chain risks, especially around AI‑assisted tooling, helps teams spot red flags like unusually permissive scripts or undocumented dependencies.
Looking ahead
The rapid emergence of AI‑generated malware means that the barrier to publishing malicious code is lower than ever. While npm and other registries are improving automated detection, the responsibility now rests heavily on developers and security teams to enforce strict vetting processes.
By treating every third‑party package as a potential attack vector—especially those that interact with AI workspaces—you can keep your code, your data, and your organization’s intellectual property safe.
For more details on the OX Security analysis, see their full advisory here.
