AI-Generated npm Malware Accidentally Exposes Threat Actor's Private GitHub Token
A malicious npm package named 'mouse5212-super-formatter' was discovered acting as an infostealer, targeting developers by exfiltrating files to a remote GitHub repository, with the attacker's hardcoded private token exposed.

A new wave of AI-generated malware is hitting the open-source software ecosystem, and this time, the attacker made a critical mistake that gave researchers a rare inside look at their operation. A malicious package named "mouse5212-super-formatter" was discovered on the npm registry, acting as an infostealer designed to quietly steal files from any developer who installed it. What made this case unusual was not just what the malware did, but what it accidentally revealed about the person behind it.
The package disguised itself as a legitimate internal tool, an "archive deployment sync" utility. Beneath that cover, it was built to scan a specific directory on the victim's machine and upload every file it found directly to a remote GitHub repository. The malware reached 676 downloads before its true nature was uncovered, and it was still live on npm at the time of publishing.
Researchers at OX Security identified the package and published a detailed analysis of its behavior and inner workings. Their findings confirmed this was not a polished, sophisticated attack, but rather a sloppy piece of AI-generated code that exposed the attacker through their own careless mistakes. The most damning error was a hardcoded private GitHub token left inside the malware itself. This token belonged to the threat actor, not the victim, and it gave researchers the ability to trace the file exfiltrations in real time.
OX Security noted in a report shared with Cyber Security News that they observed around seven active exfiltration events in the threat actor's GitHub repository before it was taken down, most of which appeared to be tests run by the attacker during development. The threat actor's GitHub account was created just a few hours before the first malicious version was uploaded to npm. After the attack was discovered, the account was deleted. The brief timeline and careless inclusion of a private token strongly suggest the attacker was not a seasoned professional, but someone using AI tools to generate attack code without fully understanding what they were building.
Once installed, the malware authenticated to GitHub using either an environment token or the hardcoded fallback and checked whether a target repository existed, creating one if it did not. It then walked through the local "/mnt/user-data" directory recursively and uploaded every file it found using the GitHub Contents API. To avoid detection, it stored stolen files under a randomly generated folder name for each session, helping the attacker separate multiple theft runs from different victims. The malware also wrote a fake "network connections" log during execution, designed to make the activity look like routine diagnostics rather than data theft. Comments and commit messages inside the code were written in bland, technical language to reduce suspicion. The data itself was encoded in base64 during the exfiltration process, a basic obfuscation technique to disguise the outgoing content.
This case is a clear example of how threat actors are using AI to generate malware without understanding basic operational security concepts or safe coding practices. The bar to create functional malicious code has been significantly lowered, and the security community should expect to see more sloppy, AI-assisted malware campaigns in the months ahead. Attackers who use AI to build tools they do not fully understand are more likely to make mistakes like the hardcoded token seen here. However, even imperfect malware can cause real harm if it reaches enough users before being detected. Developers and security teams should remain cautious about packages with little history, few downloads, and no clear community backing.
If you installed the "mouse5212-super-formatter" package, OX Security recommends taking immediate steps to limit the damage. First, revoke any GitHub access tokens that may have been present in the affected environment. Second, treat all files in the "/mnt/user-data" directory as compromised and audit them carefully for sensitive data.
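To find out whether a project ever resolved the package, including as a transitive dependency, the lockfile can be searched directly. The following is an added example, not code from OX Security or from the original article; the sample lockfiles, the "build-helper" package name and the placeholder versions are constructed, and the function covers both the nested (lockfileVersion 1) and flat (lockfileVersion 2/3) npm layouts.

```javascript
const SUSPECT = "mouse5212-super-formatter"; // package name reported in the article

// Returns [{ path, version }] for every place `name` appears in a package-lock.json.
function findInLockfile(lockText, name = SUSPECT) {
  const lock = JSON.parse(lockText);
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
  // "node_modules/a/node_modules/b"; the text after the last "node_modules/" is the name.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" (root project) and workspace folders
    if (path.slice(idx + "node_modules/".length) === name) {
      hits.push({ path, version: meta.version || "unknown" });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = trail.concat(dep);
      if (dep === name) hits.push({ path: here.join(" > "), version: meta.version || "unknown" });
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []); // skip v2 compat copy to avoid double counting
  return hits;
}

// Constructed sample lockfiles (not real projects; versions are placeholders).
const sampleV3 = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "build-helper": "^1.0.0" } },
    "node_modules/build-helper": { version: "1.0.0" },
    "node_modules/build-helper/node_modules/mouse5212-super-formatter": { version: "0.0.0-placeholder" },
  },
});
const sampleV1 = JSON.stringify({
  lockfileVersion: 1,
  dependencies: {
    "build-helper": {
      version: "1.0.0",
      dependencies: { "mouse5212-super-formatter": { version: "0.0.0-placeholder" } },
    },
  },
});
for (const [label, text] of [["v3", sampleV3], ["v1", sampleV1]]) {
  console.log(label, findInLockfile(text));
}
```

Pass it the text of each project's package-lock.json (for instance read with `fs.readFileSync`); any hit means the package was resolved for that project and the remediation steps above apply.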