A malicious npm package was designed to steal files from a directory used by Anthropic’s Claude AI environment to handle user uploads and outputs, according to research published Wednesday by OX Security.
The package, mouse5212-super-formatter, was published to npm and presented itself as a routine internal utility. OX Security researchers Moshe Siman Tov Bustan and Nir Zadok said the package instead functioned as an infostealer that read files from /mnt/user-data and uploaded them to GitHub.
OX named the activity “Malware-Slop,” a nod to what researchers described as sloppy attacker tradecraft. The most glaring mistake: the package included a hardcoded GitHub token, which helped researchers trace the exfiltration path.
Package posed as a sync tool
OX said the package disguised itself as an “archive deployment sync” utility. During the post-install stage, it tried to authenticate to GitHub using either a token found in the victim’s environment or a hardcoded fallback token.
Once running, the malware checked whether a target GitHub repository existed, created one if needed, walked the local directory recursively and uploaded files through the GitHub Contents API, according to OX. The stolen files were stored in randomly named folders, apparently to separate one theft session from another.
The malware also created a fake “network connections” log, which OX said appeared designed to make the activity look like routine diagnostics rather than file theft.
Claude file path
The target path is what makes the package stand out.
OX said the malware tried to upload files from /mnt/user-data, a directory associated with Claude’s handling of uploaded files and generated outputs. That could include documents, source code, drafts, datasets or other files users brought into an AI workspace.
The package remained available on npm and was downloaded an estimated 676 times, but download counts do not show how many of those downloads led to actual installations, let alone installations in an environment where /mnt/user-data existed.

Sloppy malware, real risk
OX said it observed about seven active exfiltration sessions in the threat actor’s GitHub repository before the repository was taken down. The researchers said most of those sessions were probably the attacker’s own tests.
The GitHub account tied to the activity was created a few hours before the first malicious version was uploaded to npm on May 26, according to OX. The account was later deleted.
The exposed GitHub token also undercuts any suggestion of a sophisticated operation. OX framed the case as an example of how AI-assisted malware creation may allow less capable actors to ship working malicious code without understanding basic operational security.
The researchers noted that even a crude package can still steal sensitive files if it lands in the right environment.
Who is actually at risk?
The risk is narrow but real. This is not evidence of a Claude breach, and ordinary Claude users who did not install the npm package are unlikely to be affected.
The likely victims are developers or technical users who installed mouse5212-super-formatter in an environment where Claude-related workspace files were present. In the worst case, those files could include source code, customer data, API keys, internal research, contracts or unpublished work uploaded to Claude for analysis or drafting.
That makes the package less of a mass-user Claude scare and more of a developer supply-chain warning. AI workspaces now hold the same kind of sensitive material attackers already chase in code repositories, CI/CD systems and developer laptops. If a package install script can reach those files, they become part of the attack surface.
Treat AI workspace files as sensitive
OX recommended that anyone who installed mouse5212-super-formatter revoke GitHub access tokens and treat sensitive files in /mnt/user-data as compromised.
Security teams should also look for package installation activity tied to mouse5212-super-formatter, review GitHub token exposure, inspect unusual repository creation or file-upload activity and check whether AI-assisted development workflows have broader access to sensitive documents or source code than intended.
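As an added example that is not OX Security's code or the package's own source, the following Node.js script shows how a security team could triage a suspect npm package for the behaviours described in the "Package posed as a sync tool" section (an install-time lifecycle hook that reads /mnt/user-data, builds GitHub Contents API URLs, and carries a hardcoded token as a fallback to an environment token) and locate the package in a project's package-lock.json, as the recommendations above call for. The package.json, lockfile and install-script samples are constructed for the demo and are not the real package's contents; the token in them is a fake placeholder, and the indicator regexes are this example's own assumptions, not OX's detection logic.

```javascript
// Added example: static triage of an npm package for the install-hook infostealer
// pattern described in the article. Everything below is constructed for the demo.

// Constructed package.json of a suspect package (version is a placeholder).
const SAMPLE_PACKAGE_JSON = {
  name: "mouse5212-super-formatter",
  version: "0.0.0-demo",
  description: "archive deployment sync",
  scripts: { postinstall: "node setup.js" },
};

// Constructed install script resembling the behaviour OX described. It only
// builds paths and URLs; it is scanner input, not a working uploader.
// The ghp_ token is a fake placeholder, not a real credential.
const SAMPLE_POSTINSTALL = `
const fs = require('fs');
const path = require('path');
const TOKEN = process.env.GITHUB_TOKEN || 'ghp_0123456789abcdef0123456789abcdef0123';
const ROOT = '/mnt/user-data';
function walk(dir, out) {
  for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
    const p = path.join(dir, ent.name);
    if (ent.isDirectory()) walk(p, out); else out.push(p);
  }
  return out;
}
function uploadUrl(repo, rel) {
  return 'https://api.github.com/repos/' + repo + '/contents/' + rel;
}
`;

// Constructed package-lock.json (lockfileVersion 3) for a project that pulled it in.
const SAMPLE_LOCKFILE = {
  name: "internal-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "internal-app", dependencies: { "mouse5212-super-formatter": "*" } },
    "node_modules/mouse5212-super-formatter": { version: "0.0.0-demo", hasInstallScript: true },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Find every installed copy of `name` in a lockfile (v2/v3 `packages` map, or the
// nested v1 `dependencies` tree when `packages` is absent).
function findPackageInLockfile(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p === "node_modules/" + name || p.endsWith("/node_modules/" + name)) {
        hits.push({ path: p, version: entry.version, hasInstallScript: !!entry.hasInstallScript });
      }
    }
    return hits;
  }
  (function walkDeps(deps, prefix) {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const p = prefix + "node_modules/" + depName;
      if (depName === name) hits.push({ path: p, version: entry.version, hasInstallScript: false });
      walkDeps(entry.dependencies, p + "/");
    }
  })(lock.dependencies, "");
  return hits;
}

// npm lifecycle scripts that run automatically at install time.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
function lifecycleHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === "string");
}

// Indicator rules (assumed for this example): every regex in `all` must match.
const INDICATORS = [
  { id: "reads_claude_user_data", all: [/\/mnt\/user-data/] },
  { id: "github_contents_api", all: [/api\.github\.com\/repos\//, /\/contents\//] },
  { id: "hardcoded_github_token",
    all: [/\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9_]{82}\b/] },
  { id: "env_token_lookup", all: [/process\.env\.(?:GITHUB_TOKEN|GH_TOKEN)/] },
  { id: "recursive_directory_walk", all: [/readdir(?:Sync)?\([^)]*(?:withFileTypes|recursive)/] },
];

function scanInstallScript(source) {
  return INDICATORS.filter(({ all }) => all.every((re) => re.test(source))).map(({ id }) => id);
}

// Combine hook presence and script indicators into a verdict. The article's pattern
// is an install hook that both reads the AI workspace and has a GitHub write path.
function triagePackage(pkg, installScriptSource) {
  const hooks = lifecycleHooks(pkg);
  const indicators = scanInstallScript(installScriptSource);
  const exfil = indicators.includes("reads_claude_user_data") && indicators.includes("github_contents_api");
  let verdict = "no-install-hook";
  if (hooks.length) verdict = exfil ? "likely-infostealer" : "review-install-hook";
  return { name: pkg.name, hooks, indicators, verdict };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(findPackageInLockfile(SAMPLE_LOCKFILE, "mouse5212-super-formatter")));
  console.log(JSON.stringify(triagePackage(SAMPLE_PACKAGE_JSON, SAMPLE_POSTINSTALL), null, 2));
}
```

Run it with `node triage.js`; in practice `SAMPLE_LOCKFILE` would be replaced by `JSON.parse(fs.readFileSync("package-lock.json"))` and the install script by the file named in the suspect package's `scripts.postinstall`. A hit on `hasInstallScript` alone is only a reason to read the hook, not a verdict; the combination of a workspace path and a GitHub write URL is what distinguishes the pattern described here from a legitimate build step.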
The research underscores that AI workspaces are becoming part of the developer attack surface. Files uploaded for summarization, coding help, analysis or drafting may be valuable enough to steal, especially when a package install script can reach them.