Cybersecurity researchers say they found a malicious npm package built to quietly grab files from Anthropic Claude AI user environments and send them straight to GitHub repositories the attacker controls. It looked ordinary on the surface; underneath, it was doing the bad part without you noticing.
The package, called mouse5212-super-formatter, was dressed up as a utility tool that people might actually use. In the background, it was doing unauthorized file collection and then data exfiltration. Investigators report the focus was the /mnt/user-data directory, a location Claude AI commonly uses for uploads, generated results, and temporary workspace files.
According to the write-up, the package presented itself as an internal deployment synchronization utility. During installation, though, it quietly authenticated with GitHub, using either a token it located inside the victim's environment or a hardcoded fallback token already baked into the malware. No big announcements, just silent access.
After that login step, it was reported that the malware checked whether a target GitHub repository already existed. If it didn’t, the package went ahead and created one, then started doing a recursive upload of files from the local machine into attacker-run repositories. Sort of like it was mirroring, except the destination was the adversary.
Researchers also noticed the usual “make it look normal” tricks. It generated fake network status logs, so the activity could look like harmless diagnostics while real transfers were happening off to the side. The stolen data was kept in randomly generated folders, too, which likely helped separate different victim sessions and made cleanup harder.
The campaign points toward a growing cybersecurity worry at the intersection of AI-related environments, developer tooling, and attacks on the software supply chain. As AI platforms get baked deeper into development workflows, adversaries start going after very specific bits like directories, tokens, and the temporary storage spots tied to the AI side of things.
Security researchers also mentioned questionable operational security on the threat actor’s part, like accidentally showing private GitHub token data right inside the malicious package itself. They think this kind of slip might suggest the attacker leaned on AI-assisted methods to spin up the malware in a faster, more automated way.
This incident is yet another reminder that open source ecosystems still get picked on a lot by cybercriminals. Developers are strongly encouraged to really check npm packages before installing anything, keep an eye on what dependencies actually do, skip unnecessary installs, and limit token permissions whenever you can.
Organizations with a cybersecurity focus, such as IntelligenceX, keep stressing software supply chain security, safe development environments, and proactive monitoring, especially as AI-driven attacks become a more common trend.