- What: Malicious npm package mouse5212-super-formatter executed a postinstall hook that recursively exfiltrated files from Claude AI's /mnt/user-data directory to an attacker-controlled GitHub repo, in a campaign OX Security dubbed "Malware-Slop."
- Impact: 676 confirmed downloads before detection; any installed instance exposed AI-uploaded files, environment tokens, and proprietary code to full exfiltration with no user prompt.
- Fix / mitigation: Audit all projects for mouse5212-super-formatter, rotate any GitHub tokens in affected environments, and enforce npm install --ignore-scripts or equivalent postinstall approval policies.
- Who's at risk: Developers using Claude AI, ChatGPT plugins, GitHub Copilot, or any AI assistant that writes to a local user-data directory and who run npm install without postinstall script restrictions.
Security researchers at OX Security identified a malicious npm package specifically designed to steal files from Anthropic's Claude AI user directory. The package, mouse5212-super-formatter, represents a new evolution in supply chain attacks: malware targeting AI tool ecosystems while exhibiting clear signs of being AI-generated itself.
The malware targets /mnt/user-data, a dedicated directory Claude uses for handling file uploads and outputs. With 676 confirmed downloads before detection, the package demonstrates how quickly supply chain compromises can spread through open-source ecosystems. The actual number of successful installations remains unknown, but any compromise represents potential data exfiltration from AI-assisted development environments.
Attack Methodology: Disguised as Internal Utility
The malware presents itself as an internal 'archive deployment sync' utility during execution. OX Security researchers Moshe Siman Tov Bustan and Nir Zaduk reverse-engineered the attack chain, revealing a sophisticated multi-stage operation that activates during the postinstall phase—a standard npm package lifecycle hook that executes automatically after installation.
The attack sequence operates through three primary phases. First, authentication: the malware searches for GitHub access tokens in the victim's environment variables. If none exist, it falls back to a hard-coded token embedded in the package code. Second, repository preparation: it checks whether a target repository exists on the attacker's GitHub account, creating one if necessary. Third, exfiltration: the malware recursively uploads every file from the target directory to the attacker-controlled repository.
The malware leaked the attacker's private GitHub token within the package code itself—a fundamental operational security mistake that enabled rapid attribution and takedown. This suggests AI-generated malware deployed without human security review.
To mask its activity, the malware generates fake network diagnostic logs, creating the appearance of legitimate system monitoring. This misdirection attempts to explain network activity if discovered during incident investigation. Stolen files are organized into randomly named folders within the attacker's repository, allowing differentiation between multiple victim sessions.
AI-Generated Malware: The OPSEC Gap
The most significant aspect of this campaign isn't the technical sophistication—it's the evidence of AI-assisted malware creation coupled with amateur operational security. The GitHub account was created on May 26, 2026, just hours before the first malicious version appeared on npm. This timeline, combined with the embedded private token, indicates rushed deployment without proper security review.
The leaked GitHub token represents a critical mistake no experienced threat actor would make. Traditional malware development involves multiple review stages where such exposures would be caught. The absence of this review process suggests the malware was AI-generated and deployed with minimal human oversight—a pattern OX Security expects to accelerate.
OX Security coined the term 'Malware-Slop' for this campaign, referencing AI-generated content that lacks polish. As AI lowers technical barriers to malware creation, expect increased volume of lower-quality attacks from less sophisticated actors attempting to mimic APT tactics.
Targeting AI Tool Directories: New Attack Surface
This attack reveals AI development tools as high-value targets for supply chain compromises. Claude's /mnt/user-data directory stores uploaded files and generated outputs—potentially including proprietary code, sensitive documents, API keys, configuration files, and intellectual property. Developers increasingly use AI assistants for code review, debugging, and generation, making these directories repositories of organizational knowledge.
The attack methodology is reproducible across other AI platforms. Similar user data directories exist in ChatGPT plugins, GitHub Copilot workspaces, and other AI development assistants. Threat actors now understand these directories represent concentrated collections of valuable data, making them attractive targets for future supply chain attacks.
Detection and Response Gaps
The package remained available on npm at the time of OX Security's disclosure, highlighting detection challenges in open-source registries. While the attacker's GitHub account was suspended, the delivery mechanism—the npm package itself—continued distributing malware. This gap between threat intelligence publication and registry remediation creates ongoing risk for organizations with automated dependency updates.
Traditional security controls struggle with postinstall script abuse. These scripts execute with the same permissions as the user running npm install, providing immediate access to the filesystem and environment variables. Standard endpoint detection may miss this activity if it appears similar to legitimate development operations—file access, network connections to GitHub, and repository operations are all normal developer behavior.
Immediate Mitigation Actions
- Audit installed packages: Search package.json and package-lock.json files for mouse5212-super-formatter across all development environments and CI/CD systems
- Review GitHub activity: Check organizational and personal GitHub accounts for unexpected repository creation between May 26-27, 2026, particularly repositories with random naming patterns
- Rotate GitHub tokens: Assume compromise of any GitHub personal access tokens in environments where the malicious package was installed, regardless of visibility into actual exfiltration
- Implement npm script restrictions: Run installs with the --ignore-scripts flag (or the equivalent npm config setting) so lifecycle scripts do not execute automatically, and adopt package management policies that gate which postinstall scripts are approved to run
- Monitor AI tool directories: Establish file integrity monitoring on directories used by Claude, ChatGPT, Copilot, and similar AI development assistants
- Restrict environment variable access: Limit which processes can read sensitive tokens from environment variables, particularly in development containers and CI/CD runners
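The first two mitigation steps above (find the package, and confirm lifecycle scripts are disabled) can be checked mechanically. The following is an added example, not code from the article or from OX Security: it searches a parsed package-lock.json for a package name across both lockfile formats npm has used, so a transitive copy nested under another dependency is not missed, and it checks whether an .npmrc sets ignore-scripts=true. The lockfile contents, the version numbers, and the "some-lib" and "example-util" dependencies are constructed for the demonstration.

```javascript
// Added example (not from the article or OX Security): audit a parsed
// package-lock.json for a named package, then check whether .npmrc disables
// lifecycle scripts. The lockfile contents below are constructed; the
// version numbers and the "some-lib"/"example-util" dependencies are hypothetical.

// Lockfile v2/v3 stores every installed package in a flat "packages" map keyed
// by its node_modules path, so a transitive copy appears as
// "node_modules/<parent>/node_modules/<name>". Lockfile v1 nests transitive
// packages under each dependency's own "dependencies" object instead.
function findPackageInLockfile(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // The package name is whatever follows the last "node_modules/".
      if (path.split('node_modules/').pop() === name) {
        hits.push({
          path,
          version: meta.version,
          // npm sets this flag in v2/v3 lockfiles when the package has install hooks.
          hasInstallScript: Boolean(meta.hasInstallScript),
        });
      }
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, '', name, hits);
  }
  return hits;
}

function walkV1(deps, prefix, name, hits) {
  for (const [depName, meta] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${depName}`;
    // v1 lockfiles do not record whether a package has install scripts.
    if (depName === name) hits.push({ path, version: meta.version, hasInstallScript: null });
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/`, name, hits);
  }
}

// True when an .npmrc (project, user or global) sets ignore-scripts=true,
// which makes npm skip preinstall/install/postinstall hooks by default.
function ignoreScriptsEnabled(npmrcText) {
  return npmrcText.split(/\r?\n/).some((line) => {
    const m = line.trim().match(/^ignore-scripts\s*=\s*(\S+)/i);
    return m !== null && m[1].toLowerCase() === 'true';
  });
}

const PACKAGE = 'mouse5212-super-formatter';

// Constructed v3 lockfile: the package arrives transitively via "some-lib".
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'some-lib': '^1.0.0', 'example-util': '^2.0.0' } },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { [PACKAGE]: '^1.0.0' } },
    [`node_modules/some-lib/node_modules/${PACKAGE}`]: { version: '1.0.0', hasInstallScript: true },
    'node_modules/example-util': { version: '2.0.0' },
  },
};

// Constructed v1 lockfile describing the same tree.
const SAMPLE_LOCK_V1 = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'some-lib': {
      version: '1.0.0',
      requires: { [PACKAGE]: '^1.0.0' },
      dependencies: { [PACKAGE]: { version: '1.0.0' } },
    },
    'example-util': { version: '2.0.0' },
  },
};

const SAMPLE_NPMRC = 'registry=https://registry.npmjs.org/\nignore-scripts=true\n';

// Stand-alone demonstration over the constructed data.
console.log('v3 hits:', findPackageInLockfile(SAMPLE_LOCK_V3, PACKAGE));
console.log('v1 hits:', findPackageInLockfile(SAMPLE_LOCK_V1, PACKAGE));
console.log('ignore-scripts enforced:', ignoreScriptsEnabled(SAMPLE_NPMRC));
```

In a real audit the lockfile comes from JSON.parse over package-lock.json in each repository and CI workspace; a lockfile only shows what was resolved, so on machines where installs ran without a lockfile, walking node_modules for a package.json with that name is the complementary check.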
Long-Term Supply Chain Hardening
This incident demonstrates the inadequacy of reactive security measures for npm and similar registries. OX Security notes the volume of 'sloppy malware' will increase as AI eliminates technical barriers to malware creation. Threat actors with limited programming skills can now generate functional malware, mimicking APT techniques without understanding underlying implementation.
Organizations must implement proactive supply chain security controls. Dependency scanning should analyze postinstall scripts for suspicious patterns: GitHub authentication, recursive file operations, external data transmission, and environment variable enumeration. Software composition analysis tools need behavioral analysis capabilities, not just vulnerability matching against known CVEs.
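The behavioural checks described in the paragraph above (GitHub authentication, recursive file operations, external data transmission, environment variable enumeration in install hooks) can be approximated with a small scanner. The following is an added example and not code from the article, OX Security, or any scanning product: it reads the lifecycle hooks out of a parsed package.json, pulls in the script file a hook runs, and scores the text against a list of indicators. The package names, the script bodies for the hypothetical setup.js and build.js files, and the indicator weights and threshold are all constructed; the suspicious fragment is deliberately non-functional and exists only as detector input.

```javascript
// Added example (not from the article or OX Security): heuristic review of
// npm lifecycle scripts for the behaviours the article lists. Package names,
// script bodies and the hypothetical "setup.js"/"build.js" files below are
// constructed; the weights and threshold are arbitrary starting points.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each indicator is one behaviour worth a human look; weights add up to a score.
const INDICATORS = [
  { id: 'github-api',      weight: 2, re: /api\.github\.com|Authorization:\s*['"`]?(token|Bearer)/i },
  { id: 'hardcoded-token', weight: 3, re: /\bghp_[A-Za-z0-9]{20,}/ },   // classic GitHub PAT prefix
  { id: 'env-read',        weight: 1, re: /process\.env\b/ },
  { id: 'directory-walk',  weight: 2, re: /\breaddir(Sync)?\(|\brecursive:\s*true/ },
  { id: 'outbound-http',   weight: 1, re: /https?\.request\(|\bfetch\(/ },
  { id: 'ai-data-dir',     weight: 3, re: /\/mnt\/user-data/ },
  { id: 'pipe-to-shell',   weight: 3, re: /\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b/ },
];

// Score one piece of text; "review" means a human should look, "suspicious"
// means block pending investigation.
function scoreSource(source) {
  const matched = INDICATORS.filter((ind) => ind.re.test(source));
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  const verdict = score >= 5 ? 'suspicious' : score > 0 ? 'review' : 'clean';
  return { indicators: matched.map((ind) => ind.id), score, verdict };
}

// pkgJson: parsed package.json. resolveSource(file) returns the text of a
// script file referenced by a hook command, or undefined if it cannot be read.
function analyzeInstallScripts(pkgJson, resolveSource) {
  const scripts = pkgJson.scripts || {};
  const report = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (!command) continue;
    // "node setup.js" -> also scan setup.js; inline shell commands are scanned as-is.
    const m = command.match(/\bnode\s+(\S+\.[cm]?js)\b/);
    const body = m ? (resolveSource(m[1]) || '') : '';
    report.push({ hook, command, ...scoreSource(`${command}\n${body}`) });
  }
  return report;
}

// Constructed script sources. "setup.js" is a non-working fragment that only
// exhibits the indicators; "build.js" is an ordinary native-addon build step.
const SAMPLE_SOURCES = {
  'setup.js': [
    "const token = process.env.GITHUB_TOKEN || 'ghp_PLACEHOLDERPLACEHOLDERPLACEHOLDER';",
    "for (const entry of fs.readdirSync('/mnt/user-data', { recursive: true })) { /* ... */ }",
    "https.request({ host: 'api.github.com', headers: { Authorization: 'token ' + token } });",
  ].join('\n'),
  'build.js': "console.log('building native addon'); require('child_process').execSync('node-gyp rebuild');",
};

const SUSPECT_PKG = { name: 'example-suspect-package', version: '1.0.0', scripts: { postinstall: 'node setup.js' } };
const BENIGN_PKG = { name: 'example-native-addon', version: '2.1.0', scripts: { install: 'node build.js' } };

// Stand-alone demonstration over the constructed data.
const lookup = (file) => SAMPLE_SOURCES[file];
console.log(JSON.stringify(analyzeInstallScripts(SUSPECT_PKG, lookup), null, 2));
console.log(JSON.stringify(analyzeInstallScripts(BENIGN_PKG, lookup), null, 2));
```

Pattern matching like this is cheap enough to run on every package that lands in a lockfile, but it is a triage aid rather than proof: legitimate packages call GitHub and read process.env, so the score should route a package to review rather than decide on its own, and the indicator list needs to grow as install-hook abuse changes shape.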
The convergence of AI development tools and supply chain attacks creates compound risk. Developers using AI assistants to review or generate code may inadvertently introduce malicious dependencies suggested by compromised or poisoned AI models. Meanwhile, AI-generated malware targets these same AI tool ecosystems, creating a feedback loop of AI-enabled attack and AI-targeted compromise.
Strategic Implications
The Malware-Slop campaign signals a fundamental shift in threat landscape economics. Previously, creating effective malware required programming expertise, operational security knowledge, and infrastructure management skills. AI has eliminated the first requirement, enabling threat actors to generate functional malware through natural language prompts. The embedded GitHub token proves the second requirement—operational security—remains critical, but inexperienced actors won't recognize this until after compromise.
Expect increased attack volume with decreased average sophistication. Security teams should prepare for higher alert volumes from supply chain monitoring tools as more low-skill actors enter the ecosystem. The challenge shifts from detecting rare, sophisticated attacks to filtering massive numbers of crude but functional compromises. Detection strategies must scale accordingly, emphasizing automated behavioral analysis over manual threat intelligence correlation.
Registry operators face difficult choices. Complete automation of malware blocking, as suggested by OX Security, risks false positives that could disrupt legitimate packages. Manual review doesn't scale to the volume AI-generated malware will produce. The solution likely involves AI-powered defensive systems—using machine learning to detect AI-generated malicious code at registry submission time, before any downloads occur. Until registries implement such controls, organizational security teams bear responsibility for supply chain validation.
RedEye Security provides assessments for organizations that need to understand their real risk.