Malicious npm Package Targets Claude AI User Data Directory in Supply Chain Attack
Researchers discovered a malicious npm package, 'mouse5212-super-formatter,' that exfiltrates files from Anthropic Claude's dedicated user data directory to a threat actor-controlled GitHub account.

A new supply chain attack targeting the npm registry has been uncovered, with a malicious package designed to steal files from users of Anthropic's Claude AI tool. Discovered by researchers at OX Security, the package named 'mouse5212-super-formatter' specifically targets the `/mnt/user-data` directory, which Claude uses to handle uploads and outputs in the background. The campaign has been codenamed Malware-Slop by the researchers.
The malicious package operates by masquerading as an internal 'archive deployment sync' utility during its postinstall stage. According to OX Security researchers Moshe Siman Tov Bustan and Nir Zadok, the script authenticates to GitHub using either a victim's environment variable containing a GitHub access token or a hard-coded token as a fallback. It then checks whether a target repository exists, creates one if needed, and recursively uploads every file from the victim's Claude data directory to a threat actor-controlled GitHub account.
To evade detection, the malware writes a fake 'network connections' log that gives the impression it is sending diagnostic information, while obscuring its true behavior of unauthorized file collection and remote transfer. The stolen files are stored within randomly named folders in the attacker's GitHub repository, allowing the operator to distinguish between different theft sessions. The package remains available for download on npm and has been downloaded approximately 676 times, though how many of those represent actual installations is unclear.
Notably, the threat actor behind the campaign appears to have made operational security mistakes. The GitHub account linked to the attack, created on May 26, 2026—just hours before the first malicious version was uploaded—leaked its private token, exposing the attacker's identity. OX Security noted that this sloppiness suggests the malware may have been generated with the help of AI, lowering the barrier for entry into cybercrime.
'Now that the bar to create malicious code was reduced significantly, we're going to see more threat actors getting into the game—uploading more sloppy malwares, mostly mimicking APT groups to get a slice of the cake until npm starts automatically blocking malware completely,' OX Security said. The incident highlights the growing risk of supply chain attacks targeting AI tool ecosystems, as developers increasingly integrate AI assistants into their workflows.
The attack underscores a broader trend of adversaries exploiting the popularity of AI tools to compromise developer environments. By targeting Claude's dedicated data directory, the malware specifically aims to steal sensitive information processed by the AI assistant, including code snippets, configuration files, and potentially proprietary data. Organizations using Claude in development pipelines should review their npm dependencies and monitor for unauthorized GitHub repository access.
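The review the last paragraph recommends can be partly automated. The following script is an added example, not code from the article or from OX Security: it walks an installed `node_modules` tree, flags any package that registers an install-time lifecycle hook (`preinstall`, `install`, `postinstall`), and reports indicators matching the behaviour described above (a reference to `/mnt/user-data`, the GitHub REST API host, a hard-coded token-shaped literal, or a token read from the environment). The package name comes from the report; the indicator patterns, the environment variable names and the sample tree it builds are assumptions constructed for the demonstration, and the stand-in package it creates contains only string literals, not the real package.

```python
"""Audit a node_modules tree for install hooks carrying indicators of the
Claude user-data exfiltration pattern (added example, constructed data)."""
import json
import os
import re
import tempfile

# Package name as reported by OX Security in the article above.
DENYLIST = {"mouse5212-super-formatter"}

# Lifecycle hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Indicator patterns (assumptions for this example): the Claude data path
# named in the article, GitHub's REST API host, a classic GitHub personal
# access token literal, and common token environment variable names.
INDICATORS = {
    "claude-user-data-path": re.compile(r"/mnt/user-data"),
    "github-api-host": re.compile(r"api\.github\.com"),
    "github-token-literal": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github-token-env": re.compile(r"GITHUB_TOKEN|GH_TOKEN"),
}


def scan_text(text):
    """Return the set of indicator names whose pattern matches the text."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def audit_package(pkg_dir):
    """Inspect one package directory; return a finding dict or None."""
    try:
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
            manifest = json.load(fh)
    except (OSError, ValueError):
        return None
    name = manifest.get("name", os.path.basename(pkg_dir))
    hooks = {h: c for h, c in manifest.get("scripts", {}).items() if h in INSTALL_HOOKS}
    hits = set()
    if name in DENYLIST:
        hits.add("denylisted-package")
    for cmd in hooks.values():
        hits |= scan_text(cmd)
        # Follow "node <file>.js" style hooks into the script they execute.
        for token in cmd.split():
            candidate = os.path.join(pkg_dir, token)
            if token.endswith(".js") and os.path.isfile(candidate):
                with open(candidate, encoding="utf-8", errors="replace") as fh:
                    hits |= scan_text(fh.read())
    if not hooks and not hits:
        return None
    return {"name": name, "hooks": sorted(hooks), "indicators": sorted(hits)}


def audit_node_modules(root):
    """Walk a tree and return findings for every package with install hooks or indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            finding = audit_package(dirpath)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["name"])


def build_sample_tree():
    """Construct a throwaway node_modules tree: one benign package and one
    stand-in that carries the indicators as inert string literals (sample data)."""
    root = tempfile.mkdtemp(prefix="nm-audit-")
    benign = os.path.join(root, "node_modules", "example-benign-lib")  # constructed name
    os.makedirs(benign)
    with open(os.path.join(benign, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "example-benign-lib", "version": "1.0.0",
                   "scripts": {"test": "node test.js"}}, fh)
    suspect = os.path.join(root, "node_modules", "mouse5212-super-formatter")
    os.makedirs(suspect)
    with open(os.path.join(suspect, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "mouse5212-super-formatter", "version": "0.0.1",
                   "scripts": {"postinstall": "node sync.js"}}, fh)
    with open(os.path.join(suspect, "sync.js"), "w", encoding="utf-8") as fh:
        # Constructed stand-in: literals only, no behaviour of any kind.
        fh.write('const SRC = "/mnt/user-data";\n'
                 'const TOKEN = process.env.GITHUB_TOKEN || "ghp_' + "x" * 36 + '";\n'
                 'const API = "https://api.github.com";\n')
    return root


if __name__ == "__main__":
    for finding in audit_node_modules(build_sample_tree()):
        print(finding)
```

Run it against a real project with `audit_node_modules("./node_modules")`; every package it lists has code that executes at install time and deserves a look, and any indicator beyond an empty list is a reason to pin or remove the dependency. Pair this with `npm install --ignore-scripts` in CI and with GitHub audit logs for repository creation by tokens that should never create repositories.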