An npm Package Just Tried to Steal Your Claude AI Files — Then the Attacker Leaked His Own GitHub Token by Accident

A malicious npm package called “mouse5212-super-formatter” was discovered this week targeting Claude AI users specifically — designed to steal files from the exact directory Anthropic’s Claude uses to handle uploads, downloads, and code outputs. But here is the twist that makes this story both terrifying and absurd: the attacker appears to have used AI to write the malware, and in the process, accidentally leaked their own private GitHub token inside the malicious code. The attacker hacked themselves.

This incident, documented by OX Security researchers and reported by The Hacker News and The Register, represents a new category of supply chain attack: malware designed to target the growing ecosystem of AI coding tools. As millions of developers integrate Claude, ChatGPT, and other AI assistants into their workflows, the directories and data stores these tools use are becoming high-value targets for cybercriminals.

The npm Malware Discovery: mouse5212-super-formatter

Cybersecurity researchers at OX Security discovered the malicious package on the npm registry in late May 2026. The package, named “mouse5212-super-formatter,” was published as what appeared to be a legitimate code formatting utility — the kind of innocuous development tool that developers install without a second thought.

Under the surface, the package contained a sophisticated information-stealing payload. The script presented itself as an internal “archive deployment sync” utility that claimed to validate or initialize a GitHub repository, capture a lightweight “network status” snapshot, and perform a “structured synchronization” of local workspace files. In reality, every one of these described functions was a euphemism for data exfiltration.

The package reached 676 downloads before being flagged and removed from the npm registry. While 676 may sound small, each download potentially represents a developer whose entire Claude workspace — including all files processed by the AI assistant — was compromised.

Specifically Targeting Claude AI Users

What sets this malware apart from typical npm supply chain attacks is its specific targeting of Claude users. The package was designed to upload files from /mnt/user-data, the working directory Claude uses in its sandboxed execution environment to hold file uploads, downloads, and code or data outputs.

That directory holds whatever a developer has fed into a Claude session: source code, configuration files, API keys, database schemas, environment files, proprietary algorithms, and any other files shared during AI-assisted work. One caveat a practitioner should keep in mind: /mnt/user-data is a path inside Claude's sandbox container, not a directory that exists on a typical developer laptop, so the payload only finds something to steal where that path exists, for example when the package is installed inside a Claude session rather than on the developer's own machine. Where it does exist, and for developers who use Claude's file handling features extensively, it is effectively a mirror of the most sensitive files in the current project.

The targeting is precise and intentional. The attacker knew exactly which directory to target and understood the Claude ecosystem well enough to craft malware that would silently exfiltrate data without triggering obvious alerts. This level of specificity suggests the attacker is either a Claude user themselves or has studied the tool’s architecture in detail.

The Attacker Leaked Their Own GitHub Token

In what researchers have called a spectacular operational security failure, the malware's author embedded their own GitHub token directly in the malicious code. The token was the credential the exfiltration script used to authenticate to GitHub and push stolen files into the attacker's repository, so some credential had to be in the package; the failure was that it was a token tied to an account the attacker controlled, hardcoded in plaintext with whatever repository permissions it had been issued with. Anyone who unpacked the published tarball could read it.

OX Security researchers used this leaked token to trace the stolen files back to the attacker’s GitHub infrastructure. The GitHub account linked to the campaign was created on May 26, 2026 — just hours before the first malicious version was uploaded to npm — suggesting a hastily assembled operation with minimal planning for operational security.

The irony is almost poetic: a piece of malware designed to steal other people’s secrets was itself leaking its creator’s most sensitive credential. It is the cybercriminal equivalent of a burglar leaving their driver’s license at the crime scene. Researchers were able to analyze the attacker’s GitHub repositories, understand the full scope of the campaign, and potentially identify the threat actor — all because of a single hardcoded token.
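The three traits the article attributes to the payload (a hardcoded GitHub token, a reference to /mnt/user-data, and the GitHub API as the upload sink) are exactly the kind of static indicators a pre-install check can look for. The script below is an added example written for this page, not code from OX Security, the article, or the malicious package. It scans the files of an unpacked npm tarball for those indicators plus install-time lifecycle hooks, then correlates them into a risk level. The mock package it runs on is constructed for the demo, "example-formatter" is a placeholder name, and the token string is fake and was never issued.

```javascript
// Added example (not code from the article, OX Security, or the malicious
// package): a static indicator scan over an npm package's files. It flags a
// hardcoded GitHub token, a reference to Claude's /mnt/user-data directory, a
// GitHub API endpoint usable as an exfiltration sink, and install-time hooks.
// The mock package below is constructed for the demo and the token is fake.

const TOKEN_PATTERNS = [
  // classic PAT / OAuth / user-to-server / app / refresh tokens: prefix + 36 chars
  { rule: 'github-classic-token', re: /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b/g },
  // fine-grained personal access tokens use the longer github_pat_ prefix
  { rule: 'github-fine-grained-token', re: /\bgithub_pat_[A-Za-z0-9_]{22,}\b/g },
];
const TARGET_PATHS = [
  { rule: 'claude-sandbox-dir', re: /\/mnt\/user-data\b/g },
];
const EXFIL_SINKS = [
  { rule: 'github-api-endpoint', re: /https?:\/\/(?:api|uploads)\.github\.com\b/g },
];
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// files: { relativePath: fileContents }, as obtained by unpacking the tarball
// from `npm pack <name>` before ever running `npm install` on it.
function scanPackage(files) {
  const findings = [];
  if (files['package.json']) {
    const pkg = JSON.parse(files['package.json']);
    for (const hook of LIFECYCLE_HOOKS) {
      if (pkg.scripts && pkg.scripts[hook]) {
        findings.push({ file: 'package.json', rule: 'lifecycle-script', match: `${hook}: ${pkg.scripts[hook]}` });
      }
    }
  }
  for (const [file, content] of Object.entries(files)) {
    for (const { rule, re } of [...TOKEN_PATTERNS, ...TARGET_PATHS, ...EXFIL_SINKS]) {
      for (const m of content.matchAll(re)) {
        findings.push({ file, rule, match: m[0] });
      }
    }
  }
  return findings;
}

// Correlate the indicators: a credential, a data source and a network sink in
// one package is the exfiltration shape the article describes.
function assess(findings) {
  const rules = new Set(findings.map((f) => f.rule));
  const secret = rules.has('github-classic-token') || rules.has('github-fine-grained-token');
  const sink = rules.has('github-api-endpoint');
  const target = rules.has('claude-sandbox-dir');
  if (secret && sink && target) return 'high';
  if (sink && (target || rules.has('lifecycle-script'))) return 'medium';
  return 'low';
}

// Constructed mock of a package that behaves as the article describes.
const MOCK_PACKAGE = {
  'package.json': JSON.stringify({
    name: 'example-formatter', // placeholder name, not the real package
    version: '1.0.0',
    scripts: { postinstall: 'node sync.js' },
  }),
  'sync.js': [
    '// "archive deployment sync" (constructed mock of the disguise, not the real payload)',
    "const GH_TOKEN = 'ghp_A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8'; // fake token, never issued",
    "const WORKSPACE = '/mnt/user-data';",
    "const API = 'https://api.github.com/repos/example/archive/contents/';",
    '// ... would read files under WORKSPACE and PUT them to API with the token ...',
  ].join('\n'),
};

const demoFindings = scanPackage(MOCK_PACKAGE);
for (const f of demoFindings) console.log(`${f.file}: ${f.rule} -> ${f.match}`);
console.log('risk:', assess(demoFindings));
```

Run it against a real package by unpacking `npm pack <name>` into a directory and loading each file into the `files` map. The token regexes match GitHub's published prefixes, so a hit is a strong signal on its own; the "high" rating needs all three indicators together, which keeps a legitimate GitHub API client with no hardcoded secret from tripping it.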

AI-Generated Malware With Amateur OPSEC

Analysis of the malicious code strongly suggests it was generated using AI tools. The code exhibits telltale signs of AI-assisted development: clean structure, comprehensive error handling, overly descriptive variable names, and the kind of verbose commenting style that AI models produce but human malware authors typically avoid.

This raises a disturbing paradox that the cybersecurity community has been warning about: AI tools are making it easier for low-skill attackers to create sophisticated malware, but the same attackers lack the operational security knowledge to deploy it effectively. The technical quality of the code was professional-grade, but the operational execution was amateur-hour.

The Register aptly described the situation as “malware-slop”, a term coined by OX Security for AI-generated malicious code that is technically competent but operationally sloppy. The attacker could write functional data exfiltration code, or have an AI write it, but could not manage basic OPSEC, such as not shipping a credential that leads straight back to an account they control.

676 Downloads Before Removal

The package accumulated 676 downloads before npm's security team removed it. That is tiny next to popular packages that see millions of downloads, but the damage potential per download is high. Developers using Claude often share highly sensitive material with the assistant: proprietary source code, API credentials, database connection strings, deployment configurations, and intellectual property. Anything of that kind present under /mnt/user-data at the time of infection would have been exfiltrated to the attacker's GitHub repository.

The 676 download count also understates potential exposure because npm packages can be dependencies of other packages. If mouse5212-super-formatter was included as a dependency in any other package or project, the actual number of affected systems could be significantly higher than direct download counts suggest.

The Growing Trend of AI Tool Supply Chain Attacks

This incident is part of an accelerating trend of supply chain attacks targeting AI development tools and their ecosystems. In recent months, SudoFlare has covered multiple similar attacks: the Mini Shai-Hulud npm worm that hit 170+ packages including Mistral AI, the TrapDoor attack that poisoned npm, PyPI, and Crates.io simultaneously, and various VS Code extension hijacking campaigns.

AI coding tools represent a new and uniquely valuable attack surface. Unlike traditional development tools, AI assistants process vast quantities of sensitive data — every file shared, every code snippet analyzed, every API key accidentally pasted into a chat. The directories these tools use for data handling are essentially treasure troves of developer secrets, making them irresistible targets for attackers.

The attack surface is growing rapidly. As more developers adopt Claude Code, GitHub Copilot, Cursor, and other AI-powered development tools, the volume of sensitive data flowing through these tools increases proportionally. And the npm ecosystem — with its millions of packages and minimal publishing barriers — remains the most popular distribution channel for supply chain malware.

What Claude Users Should Do Right Now

If you have installed mouse5212-super-formatter, or any package that depends on it, assume everything that was in the targeted directory during the install is compromised. Revoke all GitHub access tokens, rotate any API keys or credentials that were present in files shared with Claude, and, wherever /mnt/user-data exists in your environment, audit it for unusual files or modifications. Check your lockfile rather than your memory, because the package may have arrived as a transitive dependency of something you did install on purpose.

More broadly, Claude users should adopt defensive practices for managing sensitive data in AI tool directories. Avoid storing persistent credentials, API keys, or secrets in directories that AI tools access. Use environment variables instead of hardcoded credentials in files you share with AI assistants. And regularly audit the packages in your development environment for unexpected or unfamiliar dependencies.

Anthropic has not publicly commented on this specific incident, but the company has been working on security hardening for Claude’s file handling infrastructure. Users should ensure they are running the latest version of any Claude tools and follow Anthropic’s security best practices for development workflows.

The npm Security Problem That Never Gets Fixed

This incident underscores a fundamental problem with the npm ecosystem that has persisted for years despite repeated high-profile incidents: anyone can publish packages with minimal verification, and there is effectively no pre-publication security scanning that catches malicious code before it reaches developers.

The npm registry serves as a critical piece of global software infrastructure, with millions of packages downloaded billions of times every week. Yet its security model remains largely reactive — malicious packages are removed after discovery, not prevented from being published in the first place. The 676 developers who downloaded mouse5212-super-formatter were essentially unprotected until external security researchers identified the threat.

Until the npm ecosystem implements meaningful pre-publication security scanning, verified publisher identities, and automated behavioral analysis of new packages, attacks like mouse5212-super-formatter will continue to succeed. The tools exist to do this. The question is whether the ecosystem has the will to implement them before the next AI-targeted supply chain attack reaches thousands instead of hundreds of developers.
