A malicious npm (Node Package Manager — the default package registry for the JavaScript ecosystem, hosting over 3.5 million packages) package named mouse5212-super-formatter was discovered by OX Security researchers Moshe Siman Tov Bustan and Nir Zadok targeting files in Anthropic's Claude AI platform — specifically the /mnt/user-data directory where Claude stores user-uploaded files and outputs — while simultaneously committing one of the most egregious OPSEC (operational security — practices threat actors use to avoid exposure) failures documented in recent npm supply chain attacks: the attacker hardcoded their own private GitHub token directly into the malware, exposing their identity and allowing researchers to observe seven active exfiltration sessions in real time before the account was deleted. The package accumulated 676 downloads before its removal from the npm registry following OX Security's disclosure.
// 01 npm Malware Technical Details: How mouse5212-super-formatter Worked
The mouse5212-super-formatter npm package presented itself as a utility for "archive deployment sync" — a description vague enough to attract downloads from developers working with deployment automation without raising immediate suspicion. The package's malicious payload, however, performed a highly specific attack:
Step 1 — Authentication. The package authenticated to GitHub using one of two mechanisms: a GitHub access token harvested from the victim's environment variables (commonly set in developer workstations and CI/CD pipelines), or a hardcoded fallback token belonging to the attacker themselves. The fallback token — the critical OPSEC failure — was embedded directly in the source code.
Step 2 — Repository setup. The malware checked for the existence of an attacker-controlled GitHub repository, creating it automatically if absent.
Step 3 — File enumeration and exfiltration. The package recursively walked the /mnt/user-data directory — the path used by Anthropic's Claude to store files uploaded by users and outputs generated during sessions — and encoded every file it found in base64 (a text encoding that allows binary files to be transmitted as text strings).
Step 4 — GitHub API upload. Encoded files were uploaded through the GitHub Contents API to the attacker's repository, stored under randomized folder names to separate exfiltration sessions.

The hardcoded attacker token was not a victim's credential — it belonged to the threat actor themselves. This single mistake transformed a one-way exfiltration tool into a two-way visibility window: OX Security researchers watched approximately seven exfiltration sessions in real time using the exposed token before the attacker deleted their GitHub account. Most sessions appeared to be the attacker testing the tool rather than targeting actual victims.
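The behaviours in Steps 1 to 4 leave recognisable strings in a package's source, so a reviewer can triage a tarball before installing it. The following is an added example, not code from OX Security or from the package; the regexes, the environment variable names GITHUB_TOKEN and GH_TOKEN, the verdict labels and the sample inputs are all assumptions constructed for illustration.

```javascript
// Added example: static triage of package source for the behaviours in Steps 1-4.
// All patterns are assumptions chosen for illustration, not published indicators.
const INDICATORS = [
  // Step 1: token read from the environment (variable names are assumed).
  { id: "env-github-token", re: /process\.env(?:\.|\[\s*["'])(?:GITHUB_TOKEN|GH_TOKEN)\b/ },
  // Step 1: token literal in source (GitHub's documented token prefixes).
  { id: "hardcoded-github-token", re: /\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_\w{22,})/ },
  // Step 4: GitHub Contents API endpoint.
  { id: "github-contents-api", re: /api\.github\.com\/repos\/[^\s"'`]+\/contents\// },
  // Step 3: the directory the article says was walked, and base64 encoding.
  { id: "user-data-path", re: /\/mnt\/user-data\b/ },
  { id: "base64-encode", re: /toString\(\s*["']base64["']\s*\)/ },
];

// files: { "relative/path.js": "source text" } -> { hits, ids, verdict }
function triageSource(files) {
  const hits = [];
  for (const [file, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, i) => {
      for (const { id, re } of INDICATORS) {
        if (re.test(line)) hits.push({ file, line: i + 1, id });
      }
    });
  }
  const ids = new Set(hits.map(h => h.id));
  const token = ids.has("env-github-token") || ids.has("hardcoded-github-token");
  // Each indicator alone is common in benign tooling; the combination is the signal.
  let verdict = "clean";
  if (token && ids.has("github-contents-api") && ids.has("user-data-path")) verdict = "exfil-pattern";
  else if (ids.has("hardcoded-github-token")) verdict = "hardcoded-credential";
  else if (ids.size) verdict = "review";
  return { hits, ids: [...ids].sort(), verdict };
}

// Constructed inputs (not the real package). The token is a fake built at runtime.
const FAKE_TOKEN = "ghp_" + "A".repeat(36);
const SUSPECT = { "index.js": [
  "// sync archive metadata",
  `const t = process.env.GITHUB_TOKEN || "${FAKE_TOKEN}";`,
  'const root = "/mnt/user-data";',
  "const body = buf.toString('base64');",
  "const url = `https://api.github.com/repos/${o}/${r}/contents/${dir}/${f}`;",
].join("\n") };
const BENIGN = { "release.js": [
  "const t = process.env.GITHUB_TOKEN;",
  "const url = `https://api.github.com/repos/${o}/${r}/releases`;",
].join("\n") };
```

The constructed benign release script reads the same environment variable but only rates "review", because it lacks the Contents API upload and the /mnt/user-data path that complete the pattern.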
// 02 AI-Generated Malware: The "Malware-Slop" Pattern
OX Security classified mouse5212-super-formatter as malware-slop — a term for AI-generated malware code produced quickly by operators who rely on LLM (large language model — AI systems like GPT-4, Claude, or Gemini) coding assistants without fully understanding the output. Several indicators point to AI assistance in the package's development:
- The attacker's GitHub account was created in early May 2026, with the npm package uploaded within hours — a timeline inconsistent with manual malware development but consistent with AI-assisted code generation
- Code comments were deliberately written to appear innocuous and avoid static analysis flags, a technique AI tools apply when prompted to "write code that avoids suspicion"
- The fundamental OPSEC failure of hardcoding a personal token is characteristic of operators who do not fully understand the code they are deploying — a pattern common when AI tools generate code that the user does not audit before publication
- The attack architecture (GitHub API exfiltration) mirrors patterns common in LLM-generated "red team" tool examples
Researchers noted this reflects a growing 2026 trend: as AI coding tools lower the expertise threshold required to produce functional malware, the volume of low-quality, AI-assisted attacks is increasing even as individual attack sophistication decreases. The quantity increase matters operationally even when quality is low — npm maintainers cannot manually review every package upload at scale.
// 03 676 Downloads and Claude User File Targeting: Scope Assessment
The 676-download count before removal is relatively modest by npm scale — popular packages receive millions of weekly downloads. However, the targeting specificity matters more than the raw number: the malware specifically targeted /mnt/user-data, the path used by Claude's file-handling infrastructure. This suggests the operator may have been attempting to steal:
- Files users uploaded to Claude for analysis (documents, code, configuration files)
- Claude-generated outputs saved to disk
- Any credentials, tokens, or sensitive data inadvertently stored in Claude's user data path
The seven observed exfiltration sessions appeared to be operator testing runs rather than successful attacks against production Claude users, based on the repository structure observed before deletion. However, any developer or CI/CD system that installed mouse5212-super-formatter during its availability window should treat their Claude /mnt/user-data content as potentially compromised.
OX Security's recommended actions for affected users:
- Revoke all GitHub access tokens and regenerate them
- Treat all files in /mnt/user-data as potentially exfiltrated
- Review Git history for unauthorized commits or repository additions
- Audit cloud credentials (AWS, Azure, GCP) for unauthorized access
// 04 Who Is Affected
Any developer or CI/CD (Continuous Integration/Continuous Deployment — automated software build and test pipelines) pipeline that ran npm install mouse5212-super-formatter between early May 2026 and the package's removal following OX Security's disclosure should treat the installation as a confirmed compromise event.
The targeting specificity toward Claude's /mnt/user-data path means Anthropic Claude API integrators and developers building applications on Claude's infrastructure are the primary at-risk population. However, because the malware also searched environment variables for any GitHub token, any developer with a GitHub token in their environment who installed the package should rotate that token regardless of Claude exposure.
The npm package has been removed from the registry. Running npm ls mouse5212-super-formatter in affected projects will confirm whether the package was installed.
// 05 What You Should Do Right Now
- Audit your npm dependency tree. Run npm ls mouse5212-super-formatter or grep -r "mouse5212" package-lock.json in all JavaScript projects to confirm whether the package was installed. Check CI/CD build logs for any install of this package during the exposure window.
- Revoke and rotate all GitHub tokens. Any environment that had a GitHub personal access token set as an environment variable during the exposure window should treat that token as compromised. Revoke it immediately at github.com/settings/tokens and generate a replacement.
- Treat /mnt/user-data contents as compromised. If you run services that write to Claude's /mnt/user-data path or were affected by this package, notify downstream users whose files may have been exfiltrated.
- Review GitHub repository audit logs. Check for unexpected commits, new files, or API activity in repositories connected to the affected environment during May 2026.
- Enable npm audit in CI/CD. Add npm audit --audit-level=moderate to all pipeline stages. While npm audit does not catch novel malicious packages before they are flagged, it provides a baseline for known vulnerability detection and reinforces the habit of dependency review.
- Enable secret scanning on GitHub repositories. GitHub's secret scanning feature detects tokens and API keys accidentally committed to source code. Enable it across all organizational repositories to catch accidental credential exposure before it can be exploited.
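The dependency-tree audit in the first step can be run across many checkouts at once and can report exactly where the package sits when it arrived as a transitive dependency. The following is an added example, not OX Security's tooling; the function names and the sample lockfiles (including their version strings) are constructed for illustration, and it goes beyond the grep above by handling both the v1 and v2/v3 lockfile layouts.

```javascript
// Added example (not OX Security's tooling): find a package in npm lockfiles.
const TARGET = "mouse5212-super-formatter"; // package name from the article
// Every install of `name` in a parsed lockfile: v2/v3 "packages" map and v1 "dependencies" tree (v2 carries both).
function findInLock(lock, name = TARGET) {
  const found = [];
  const add = (path, meta) => {
    if (!found.some(f => f.path === path)) found.push({ path, version: meta.version });
  };
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; the last segment is the name.
    if (key.split("node_modules/").pop() === name) add(key, meta);
  }
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = `${prefix}node_modules/${dep}`;
      if (dep === name) add(here, meta);
      walk(meta.dependencies, `${here}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Audit every package-lock.json under `root`, skipping node_modules and .git.
function auditTree(root, name = TARGET) {
  const fs = require("node:fs"), path = require("node:path");
  const report = [];
  const visit = dir => {
    for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, ent.name);
      if (ent.isDirectory()) {
        if (ent.name !== "node_modules" && ent.name !== ".git") visit(full);
      } else if (ent.name === "package-lock.json") {
        try {
          const hits = findInLock(JSON.parse(fs.readFileSync(full, "utf8")), name);
          if (hits.length) report.push({ lockfile: full, hits });
        } catch (err) { report.push({ lockfile: full, error: err.message }); }
      }
    }
  };
  visit(root);
  return report;
}
// Constructed lockfiles (versions are placeholders): a transitive install in each format.
const NESTED = { version: "0.0.0-constructed" };
const LOCK_V3 = { lockfileVersion: 3, packages: { "": { name: "app" },
  "node_modules/left": { version: "1.0.0" }, [`node_modules/left/node_modules/${TARGET}`]: NESTED } };
const LOCK_V1 = { lockfileVersion: 1, dependencies: {
  left: { version: "1.0.0", dependencies: { [TARGET]: NESTED } } } };
```

Calling auditTree on a workspace root returns one entry per lockfile that references the package, plus an error entry for any lockfile that could not be parsed and needs a manual look.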
// 06 Background: Understanding the Risk
The mouse5212-super-formatter incident is a single data point in a broader and accelerating 2026 npm supply chain threat landscape. A partial catalogue of related incidents from the same period illustrates the scale:
AI-generated malware proliferation — OX Security's analysis frames mouse5212 as representative of a new threat category: "malware-slop" produced by low-skill operators using AI coding tools. The group noted that as effort required to produce functional malicious code falls, researchers expect a rise in AI-assisted malware from less skilled actors. The entry barrier to npm supply chain attacks is now measurable in hours, not expertise.
SAP npm supply chain attack (April 2026) — Attackers compromised a maintainer account for SAP-related npm packages, inserting credential-stealing payloads that affected downstream enterprise JavaScript applications built on SAP integrations.
Shai-Hulud campaign — A multi-wave npm worm that propagated through dependency injection, affecting packages including those in the TanStack and AntV ecosystems, with Wave 4 producing packages that defeated provenance attestation checks.
DPRK npm malware (April 2026) — North Korean operators (UNC1069, Lazarus umbrella) compromised the axios npm package maintainer account through a fake Slack impersonation attack, distributing the WAVESHAPER.V2 RAT (Remote Access Trojan) to an estimated fraction of axios's 100-million-weekly-download user base for approximately three hours before removal.
The common thread across these incidents is that npm's architecture — open publishing, minimal verification, and transitive dependency chains that can run hundreds of packages deep — creates an attack surface that scales poorly against the volume of malicious packages that AI-assisted development now makes economically viable.
MITRE ATT&CK technique T1195.001 (Supply Chain Compromise: Compromise Software Dependencies and Development Tools) and T1528 (Steal Application Access Token) describe the threat model. The npm attack surface sits at the intersection of both: compromising a dependency delivers malware that steals the victim's development credentials, enabling further supply chain attacks in a self-reinforcing cycle.
The irony of mouse5212-super-formatter — that an AI-generated attack tool exposed its operator through an AI-assisted coding mistake — does not diminish the risk. The 676 downloads represent 676 development environments where an attacker had read access to developer files and GitHub tokens. At scale, even low-quality AI malware causes real harm.
// 07 Conclusion
mouse5212-super-formatter is a case study in low-skill AI-generated npm malware: functionally sufficient to steal files and tokens, but operationally careless enough to expose the attacker. Developers who installed the package should rotate GitHub tokens, audit /mnt/user-data exposure, and review CI/CD pipeline logs immediately. At the strategic level, the incident reinforces that npm supply chain defense requires ecosystem-level controls — registry-side behavioral detection, mandatory provenance attestation, and dependency review in CI pipelines — because individual developer vigilance cannot scale to match AI-assisted malware volume.
