A malicious npm package targeting Anthropic’s Claude AI leaked its author’s private GitHub token, allowing researchers to trace the theft. The breach raises GDPR, CCPA, and other compliance concerns for developers who unwittingly installed the package, and it highlights the need for stricter npm vetting and user‑side token hygiene.

What happened
On 24 May 2026 a package named mouse5212-super-formatter appeared in the public npm registry. Marketed as an internal "archive deployment sync" tool, the package actually scanned a Claude‑run workspace (the /mnt/user-data directory) and uploaded every file it could find to a GitHub repository owned by the attacker. The code used a hard‑coded fallback GitHub personal access token (PAT). When the package was executed, the token was printed to the console and later committed to the attacker’s own private repository, where it was discovered by OX Security researchers.
The researchers traced the token back to a brand‑new GitHub account that was created only hours before the first malicious version was published. After the leak was identified, the attacker deleted the account and the npm package was removed, but not before the package was downloaded 676 times. Each download potentially gave the attacker a copy of any Claude user files stored in the targeted directory.
Legal basis
- GDPR Art. 32 – requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Distributing malware through a public package registry is a clear failure of that duty.
- GDPR Art. 33 – obliges data controllers to notify the supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons. Companies using Claude and the compromised npm package must assess whether a breach occurred and, if so, report it.
- CCPA § 1798.150 – mandates that businesses disclose any unauthorized access to personal information and provide affected California residents with notice. If the stolen files contain personal data of California residents, the breach triggers CCPA notice requirements.
- NIST SP 800‑53 Rev. 5 (SI‑3, SI‑4) – while not a law, many U.S. federal contractors follow these controls for supply‑chain integrity. The incident demonstrates a lapse in the “Malicious Code Protection” control.
Impact on users and companies
| Affected party | What they face | Immediate steps |
|---|---|---|
| Claude users (developers, enterprises) | Potential exposure of source code, API keys, proprietary algorithms, and any personal data embedded in files. | Revoke all GitHub PATs that may have been used by Claude, rotate secrets, and audit the /mnt/user-data directory for unknown files. |
| npm | Reputation damage and possible regulator scrutiny for hosting malicious code. | Accelerate automated malware detection, consider mandatory security scans for new packages, and publish clearer guidelines for token handling. |
| GitHub | Abuse of its API and possible liability for facilitating token leakage. | Review token‑leak detection heuristics, issue guidance to developers on avoiding hard‑coded tokens, and consider rate‑limiting suspicious upload patterns. |
| Enterprises using Claude | Must assess whether GDPR‑protected personal data was exfiltrated, which could trigger breach notifications and fines of up to €20 million or 4 % of global turnover. | |
| California‑based users | May need to send CCPA breach notices, which can lead to statutory damages of up to $7,500 per incident if negligence is proven. | |
What changes are needed
- Stricter npm vetting – npm should integrate static‑analysis tools that flag hard‑coded PATs and suspicious use of the GitHub Contents API. An automated block for packages that attempt to read environment variables named GITHUB_TOKEN without proper sanitisation would cut many low‑effort attacks.
- Token hygiene for developers – Never embed PATs in source code. Use environment‑injected secrets and enable GitHub’s token‑scanning alerts (see the official documentation).
- Supply‑chain monitoring – Organizations should adopt Software‑Bill‑of‑Materials (SBOM) tools that alert when a newly installed dependency performs network calls to external APIs, especially authentication endpoints.
- Incident‑response playbooks – Update internal playbooks to include:
  - Immediate revocation of any PATs that may have been exposed.
  - Automated scans of workspace directories for unknown files after a suspicious npm install.
  - A pre‑defined GDPR/CCPA notification workflow.
- Regulatory guidance – Data‑protection authorities may issue advisories reminding controllers that open‑source supply chains are in‑scope for Art. 32 security obligations. Companies should treat third‑party package registries as “processors” and obtain assurances of their security practices.
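As an added example (not code from the article, npm, or OX Security), here is the kind of pre‑publish static check the npm‑vetting and token‑hygiene items above describe: it flags literal GitHub tokens, the `process.env.GITHUB_TOKEN || "literal"` fallback pattern, Contents API upload targets, and reads of the workspace directory, then decides whether the package should be blocked. The function names `scanPackageSource` and `shouldBlock`, the `{ path: content }` input shape, and the sample packages are assumptions for the example.

```javascript
// Added vetting check, not from the article or OX Security. Sources are passed
// in as { path: content } so it runs offline; a registry hook would unpack the tarball.
const RULES = [
  // Literal GitHub token: classic (ghp_/gho_/ghu_/ghs_/ghr_) or fine-grained (github_pat_).
  ["hardcoded-github-token", /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{20,}\b|\bgithub_pat_[A-Za-z0-9_]{20,}\b/, "block"],
  // Env-var read that falls back to a string literal: process.env.GITHUB_TOKEN || "ghp_..."
  ["env-token-literal-fallback", /process\.env\.GITHUB_TOKEN\s*(?:\|\||\?\?)\s*["'`]/, "block"],
  // Upload target: GitHub Contents API (PUT /repos/{owner}/{repo}/contents/{path}).
  ["github-contents-api", /api\.github\.com\/repos\/[^"'`\s]+\/contents\//, "warn"],
  // The Claude workspace directory named in the incident.
  ["workspace-read", /\/mnt\/user-data/, "warn"],
];

// One finding per (line, rule), so a reviewer can see exactly where each hit is.
function scanPackageSource(files) {
  const findings = [];
  for (const [path, src] of Object.entries(files)) {
    src.split("\n").forEach((line, i) => {
      for (const [rule, re, severity] of RULES) {
        if (re.test(line)) findings.push({ at: `${path}:${i + 1}`, rule, severity });
      }
    });
  }
  return findings;
}

// Block on any hard-coded secret, or when the package both reads the workspace
// and talks to the Contents API: together that is the exfiltration shape described.
function shouldBlock(files) {
  const f = scanPackageSource(files);
  const rules = new Set(f.map((x) => x.rule));
  return f.some((x) => x.severity === "block") ||
    (rules.has("workspace-read") && rules.has("github-contents-api"));
}

// Constructed samples: one mimicking the reported behaviour (placeholder token,
// placeholder repo), one that reads the env var and fails closed when it is unset.
const SUSPICIOUS_PACKAGE = {
  "index.js": [
    'const token = process.env.GITHUB_TOKEN || "ghp_EXAMPLEPLACEHOLDER000000000000000000";',
    'const root = "/mnt/user-data";',
    'const url = "https://api.github.com/repos/OWNER/REPO/contents/" + name;',
  ].join("\n"),
};
const BENIGN_PACKAGE = {
  "index.js": 'const token = process.env.GITHUB_TOKEN;\nif (!token) throw new Error("GITHUB_TOKEN not set");',
};

console.log(scanPackageSource(SUSPICIOUS_PACKAGE), shouldBlock(SUSPICIOUS_PACKAGE), shouldBlock(BENIGN_PACKAGE));
```

A plain `process.env.GITHUB_TOKEN` read with no literal fallback produces no finding, so the check distinguishes correct secret injection from the hard‑coded fallback the incident relied on.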
Bottom line
The npm‑based attack on Claude illustrates how a single careless line of code—hard‑coding a GitHub token—can turn an entire AI‑assisted development workflow into a data‑leak vector. Under GDPR and CCPA, both the package publisher and any downstream users may face substantial compliance liabilities. The incident should accelerate the adoption of automated supply‑chain scanning, stricter token management, and faster breach‑notification procedures across the software ecosystem.
