A malicious npm package named mouse5212-super-formatter — apparently generated with AI assistance — was discovered stealing files from Claude AI users' local directories and uploading them to a GitHub repository. In an ironic twist, the attacker's poor operational security caused the malware to leak its own private GitHub token, fully exposing the exfiltration infrastructure. Researchers have codenamed the campaign Malware-Slop.
What Happened: A Supply Chain Attack Targeting AI Users
Researchers at OX Security uncovered the malicious package in the npm registry, where it had been downloaded 676 times before being flagged. The package specifically targeted the /mnt/user-data directory — a dedicated path used by Anthropic's Claude AI to handle file uploads, outputs, and session artifacts in the background.
Once installed, the package disguised itself as an internal "archive deployment sync" utility. It would then validate or initialize a GitHub repository on the victim's machine, capture a lightweight "network status" snapshot, and silently synchronize local workspace files — including any Claude AI session data — into a remote GitHub repository under the attacker's control. Stolen files were stored within randomly named folders to distinguish between different theft sessions.
"The script presents itself as an internal 'archive deployment sync' utility that validates or initializes a GitHub repository, captures a lightweight 'network status' snapshot, and then performs a structured synchronization of local workspace files into a remote tracking tree." – OX Security
The Attacker's Critical Mistake: Leaking Their Own Token
In a significant operational security (OPSEC) failure, the malware's own GitHub private token was embedded and exposed within the package code itself. This allowed researchers to directly trace the exfiltration activity and observe the attacker's repository before it was taken down. Approximately 7 active exfiltration sessions were recorded — most likely test runs conducted by the threat actor.
The self-defeating mistake strongly suggests that the attacker used an AI coding tool to generate the malware without fully understanding the security implications of embedding credentials directly in source code. This is a growing and dangerous pattern: the same AI tools democratizing software development are also lowering the barrier to entry for threat actors — but AI-generated code can introduce critical, self-defeating vulnerabilities.
Why Developers and AI Users Are High-Value Targets
The npm ecosystem processes millions of package installations daily, making it a prime vector for supply chain attacks. Developers working with AI tools like Claude are increasingly high-value targets because their machines may contain:
- API keys and access tokens for cloud services (AWS, GCP, Azure)
- Proprietary source code and unreleased business logic
- AI prompt histories and sensitive project context from sessions
- Credentials and secrets stored in
.envfiles - SSH keys and authentication certificates
Targeting the Claude /mnt/user-data directory specifically shows that threat actors are rapidly adapting to the AI-native developer workflow — recognizing that this path often contains sensitive documents uploaded for analysis, processed outputs, and session artifacts.
Defensive Actions: What to Do Now
The Malware-Slop campaign illustrates the convergence of two escalating trends: the democratization of malware development through AI, and the deliberate targeting of AI-native development environments. Organizations must treat developer workstations as high-value assets.
Whitesec AU recommends the following immediate actions:
- Audit your npm dependencies now. Use
npm audit, Socket.dev, or Snyk to scan your full dependency tree for suspicious packages. - Restrict outbound traffic from developer machines. Unexpected GitHub push connections originating from a
postinstallscript should trigger an immediate alert. - Rotate all credentials if you installed packages from unknown or unverified publishers in the past 30–60 days.
- Implement SBOM (Software Bill of Materials) — maintain a real-time inventory of every package in use across your projects and pipelines.
- Apply least privilege to dev environments. Sandbox development tooling so that installed packages cannot access arbitrary paths such as
/mnt/user-dataor~/.ssh. - Enable MFA and token scoping on GitHub. Limit the blast radius if a token is ever compromised or leaked.
The Bigger Picture: Rise of "Malware-Slop"
This incident is an early example of what researchers are calling Malware-Slop — AI-generated malicious code that is functional but operationally careless, full of self-defeating mistakes like embedded credentials and poor obfuscation. As AI coding models improve, expect future variants to be cleaner, better obfuscated, and without the OPSEC blunders that exposed this campaign.
Defenders must evolve their detection strategies beyond known-bad signatures. Behavioral monitoring — detecting anomalous file access, unexpected outbound connections during package installs, and post-install script execution — is the most effective mitigation for this class of threat. The supply chain is the new perimeter.