Sloppy Malware Attack: npm Package Steals Claude AI User Files, Leaks Attacker's Token
- John Jordan
A newly discovered malicious npm package, "mouse5212-super-formatter," has been found to steal files from users of Anthropic's Claude AI. The package, disguised as a utility, exfiltrated data from the "/mnt/user-data" directory, which Claude uses for uploads and outputs. In a significant operational security blunder, the attacker also inadvertently leaked their own GitHub private token, allowing researchers to trace the theft.
Key Takeaways
- A malicious npm package named "mouse5212-super-formatter" targeted Claude AI users.
- The package stole files from the "/mnt/user-data" directory.
- The attacker leaked their own GitHub private token, aiding in the investigation.
- The incident highlights a potential rise in AI-generated, less sophisticated malware.
Malware's Deceptive Functionality
The "mouse5212-super-formatter" package presented itself as an internal "archive deployment sync" utility. Its post-install script was designed to authenticate with GitHub, create a repository if one didn't exist, and then recursively upload all files from a local workspace. To obscure its actions, the malware stored stolen files in randomly named folders and generated a fake "network connections" log, mimicking diagnostic activity.
The Critical Security Flaw
The most notable aspect of this attack was the threat actor's failure to implement basic operational security. The package contained a hardcoded GitHub access token, which belonged to the attacker. This token allowed researchers from OX Security to observe the data exfiltration process directly, revealing approximately seven theft sessions, many of which appeared to be tests conducted by the attacker.
A New Wave of AI-Assisted Threats
Researchers suggest that the ease with which this malware was created, potentially with AI assistance, indicates a lowering of the barrier to entry for threat actors. This could lead to an increase in "sloppy" malware that mimics more sophisticated groups. The GitHub account associated with the campaign was created just hours before the malicious package was uploaded to npm and was deleted shortly after the discovery.
Recommendations for Users
Developers who may have installed the "mouse5212-super-formatter" package are strongly advised to revoke any GitHub access tokens present in their environment. Furthermore, all files within the "/mnt/user-data" directory should be treated as compromised and thoroughly audited for sensitive information.
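To support the audit recommended above, the following Node.js triage script is an added example, not code from the article or from the researchers. The package name and directory come from the article; the function names, the GitHub token pattern, and the install-hook check are assumptions chosen for illustration, and install hooks also appear in legitimate packages, so hits are review candidates.

```javascript
// Added example: triage for the indicators named in this article.
const BAD_PACKAGE = "mouse5212-super-formatter"; // package name from the article
const TARGET_DIR = "/mnt/user-data";             // directory from the article
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Assumed GitHub token shapes: classic (ghp_, gho_, ...) and fine-grained (github_pat_).
const TOKEN_RE = /\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b/;

// Audit one package: parsed package.json plus a map of file name -> source text.
function auditPackage(manifest, files) {
  const findings = [];
  if (manifest.name === BAD_PACKAGE) findings.push("known-malicious-name");
  const hooks = INSTALL_HOOKS.filter((h) => manifest.scripts && manifest.scripts[h]);
  if (hooks.length) findings.push("install-hook:" + hooks.join(","));
  for (const [name, text] of Object.entries(files)) {
    if (TOKEN_RE.test(text)) findings.push("hardcoded-github-token:" + name);
    if (text.includes(TARGET_DIR)) findings.push("references-user-data:" + name);
  }
  return findings;
}

// Paths in a package-lock.json (v2/v3 "packages" map) that resolve to the bad package.
function lockfileHits(lock) {
  return Object.keys(lock.packages || {}).filter(
    (p) => p.split("node_modules/").pop() === BAD_PACKAGE);
}

// Walk the top level of a node_modules directory (including @scoped packages) and
// audit the .js/.cjs/.mjs files in each package root. Nested trees are not followed.
async function auditNodeModules(root) {
  const fs = await import("node:fs");
  const path = await import("node:path");
  const report = {};
  for (const entry of fs.readdirSync(root)) {
    const dirs = entry.startsWith("@")
      ? fs.readdirSync(path.join(root, entry)).map((d) => path.join(root, entry, d))
      : [path.join(root, entry)];
    for (const dir of dirs) {
      const manifestPath = path.join(dir, "package.json");
      if (!fs.existsSync(manifestPath)) continue;
      const files = {};
      for (const f of fs.readdirSync(dir, { withFileTypes: true })) {
        if (!f.isFile() || !/\.[cm]?js$/.test(f.name)) continue;
        files[f.name] = fs.readFileSync(path.join(dir, f.name), "utf8");
      }
      const found = auditPackage(JSON.parse(fs.readFileSync(manifestPath, "utf8")), files);
      if (found.length) report[dir] = found;
    }
  }
  return report;
}
```

Call `auditNodeModules("./node_modules")` in a project directory and pass the parsed `package-lock.json` to `lockfileHits`; any hit on the package name means the tokens and files named in the recommendations should be handled as described.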
