A malicious npm package named mouse5212-super-formatter was found stealing files from Anthropic’s Claude workspace directory on the npm registry in May 2026, with OX Security estimating the package had been downloaded 676 times.
KEY FACTS
- Package name mouse5212-super-formatter.
- Targeted data Files from /mnt/user-data, which Claude uses for uploads and outputs.
- Method It used the postinstall stage to reach GitHub and upload local files.
- Cover story The code posed as an internal sync utility and wrote fake network logs.
- Infrastructure The linked GitHub account was later unavailable and was created on May 26, 2026.
In a technical analysis, researchers said the package authenticated to GitHub during installation by using a token from the victim’s environment or a hard-coded fallback token. If a target repository did not exist, it created one and then recursively uploaded every file to an attacker-controlled GitHub account.
The stolen files were placed in randomly named folders to separate theft sessions. The package also wrote a fake network-connection log to make the activity look like routine diagnostic traffic, while hiding the unauthorized transfer of local data.
The report said the package remained available on npm and that the linked GitHub account leaked its own private token, suggesting weak operational security. OX Security said the finding may reflect a wider trend of attackers using AI to generate sloppier malicious code.
WHY IT MATTERS
The case shows how a package from a public software registry can be used to siphon data from developer or AI workspaces during installation. It also highlights the risk of supply chain abuse when malicious code blends file theft with routine setup steps.