LIVE NEWSROOM · June 1, 2026

AI npm Malware Mouse5212 Github Token Leak


A malicious npm package named mouse5212-super-formatter spent at least 24 hours on the public registry silently stealing files from Anthropic's Claude AI tool before researchers at OX Security pulled back the curtain — and found the attacker had left their own private GitHub authentication token sitting in the source code in plain sight. The campaign, dubbed "Malware-Slop" by OX Security researchers Moshe Siman Tov Bustan and Nir Zadok, is a textbook example of what happens when a threat actor uses AI to generate attack code they do not fully understand: the malware worked, but the attacker's own operational security (OPSEC — the practice of preventing your adversary from learning who you are and how you operate) was so catastrophically poor that researchers traced them in real time before the account was deleted.

// 01 npm Malware Technical Analysis: What mouse5212-super-formatter Did

npm (Node Package Manager) is the world's largest software registry, used by millions of developers daily to download reusable JavaScript and Node.js code libraries. Installing a package is a single command — npm install <package-name> — which makes the ecosystem an attractive delivery mechanism for malware. Attackers publish packages that look legitimate, then wait for developers to install them.

mouse5212-super-formatter presented itself as an "archive deployment sync" utility, a vague but credible-sounding description unlikely to raise immediate suspicion. The malicious behaviour was triggered by a postinstall hook: an entry in the scripts field of a package's package.json that npm executes automatically, with the installing user's privileges, as soon as the package has been unpacked. It runs whether the package was requested directly or pulled in as a transitive dependency, and before the developer has run a single line of their own code. Unless the installer has disabled lifecycle scripts, there is no prompt or confirmation; the command runs silently.

The postinstall script performed a recursive walk of the /mnt/user-data directory, the directory that Anthropic's Claude AI tool uses to store file uploads, outputs, and session data. Every file discovered was read, encoded in base64 (a text-safe encoding that turns arbitrary binary data into printable ASCII, commonly used to pack file contents into HTTP requests), and uploaded to an attacker-controlled GitHub repository via the GitHub Contents API, the REST endpoint PUT /repos/{owner}/{repo}/contents/{path} that creates or updates a single file from a JSON body carrying the base64 content. Files were organised into a unique folder per execution, so each victim's data was cleanly siloed in the attacker's repo.

This maps directly to four MITRE ATT&CK techniques — the industry-standard framework for categorising adversary behaviours:

  • T1195.002 — Compromise Software Supply Chain: introducing malware into a trusted software distribution channel (npm) before it reaches the end user.
  • T1020 — Automated Exfiltration: the malware automatically transmitted all discovered files without any manual attacker intervention after installation.
  • T1567.001 — Exfiltration Over Web Service: Exfiltration to Code Repository: using GitHub's own API as the data-exfiltration channel. Traffic to api.github.com blends into normal developer activity and is almost always permitted from developer and CI hosts, so egress rules that would block dedicated C2 (command-and-control) infrastructure do not help here.
  • T1027 — Obfuscated Files or Information: file contents were base64-encoded for transport, which makes them opaque to casual log inspection. One caveat: the Contents API requires file content to be base64-encoded in the request body, so this is an API requirement as much as a deliberate obfuscation step.
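
The T1567.001 bullet above is the one defenders can act on at the network edge. The Node.js script below is an added example, not OX Security's tooling and not code from the package: it applies that idea to constructed egress-proxy log lines, flagging HTTP PUTs to the GitHub Contents API whose repository owner is not one of the organisation's own accounts. The log format, the host names, the acme-corp allowlist and the throwaway-owner/stolen-files names are all assumptions; the real attacker repository name is not given in the write-up.

```javascript
"use strict";

// Constructed egress-proxy log lines (assumed format: "<timestamp> <source-host> <method> <url> <status>").
// Host names, owners and repository names are made up for this example.
const SAMPLE_LOG = `
2026-05-26T14:02:11Z build-03 GET https://registry.npmjs.org/mouse5212-super-formatter 200
2026-05-26T14:02:13Z build-03 PUT https://api.github.com/repos/throwaway-owner/stolen-files/contents/run-7f3a/notes.txt 201
2026-05-26T14:02:13Z build-03 PUT https://api.github.com/repos/throwaway-owner/stolen-files/contents/run-7f3a/config.json 201
2026-05-26T14:05:40Z dev-laptop-12 PUT https://api.github.com/repos/acme-corp/infra/contents/README.md 200
2026-05-26T14:06:02Z build-03 GET https://api.github.com/repos/acme-corp/infra/contents/README.md 200
`;

// GitHub owners the organisation legitimately pushes to (assumption for the example).
const ALLOWED_OWNERS = new Set(["acme-corp"]);

// PUT /repos/{owner}/{repo}/contents/{path} is the "create or update file" endpoint.
const CONTENTS_API = /^https:\/\/api\.github\.com\/repos\/([^/]+)\/([^/]+)\/contents\/([^?]+)/;

function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 5) return null;
  const [ts, host, method, url, status] = parts;
  return { ts, host, method, url, status: Number(status) };
}

// Returns one finding per file written to a repository owned by a non-allowlisted account.
function detectContentsExfil(logText, allowedOwners = ALLOWED_OWNERS) {
  const findings = [];
  for (const raw of logText.split("\n")) {
    const rec = parseLine(raw);
    if (!rec || rec.method !== "PUT") continue; // reads of the Contents API are normal
    const m = CONTENTS_API.exec(rec.url);
    if (!m) continue;
    const [, owner, repo, path] = m;
    if (allowedOwners.has(owner)) continue; // our own repos: expected developer traffic
    findings.push({ ts: rec.ts, host: rec.host, owner, repo, path, status: rec.status });
  }
  return findings;
}

// Collapses findings to "host -> owner/repo: N files", the shape an analyst wants in an alert.
function summarize(findings) {
  const counts = new Map();
  for (const f of findings) {
    const key = `${f.host} -> ${f.owner}/${f.repo}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

for (const [key, n] of summarize(detectContentsExfil(SAMPLE_LOG))) {
  console.log(`ALERT ${key}: ${n} file(s) pushed via Contents API`);
}
```

The allowlist is the important design choice: blocking api.github.com outright is rarely an option on developer hosts, but writes to repositories outside the organisation's own owners are a narrow, high-signal event. Status 201 on the matched lines shows the files were created, not merely attempted.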

The attack flow looked like this:


%% caption: mouse5212-super-formatter attack flow — 676 downloads, May 26–27 2026
sequenceDiagram
  autonumber
  participant DEV as Developer<br/>(npm install)
  participant PKG as mouse5212-super-formatter<br/>(postinstall hook)
  participant FS as Victim Filesystem<br/>/mnt/user-data (Claude AI files)
  participant GH as GitHub Contents API<br/>(attacker account: unplowed3584)
  participant OX as OX Security<br/>(static analysis)

  DEV->>PKG: npm install mouse5212-super-formatter
  Note over DEV,PKG: 676 downloads before removal;<br/>package published May 26 2026
  PKG->>FS: Recursive walk of /mnt/user-data
  Note over PKG,FS: All file types targeted;<br/>Claude AI upload/output directory
  FS-->>PKG: File contents returned
  PKG->>GH: PUT /repos/unplowed3584/…/contents/<br/>(base64-encoded file, unique folder per run)
  Note over PKG,GH: Authenticated with hardcoded plaintext<br/>GitHub token — no obfuscation
  Note over GH: Attacker account created hours<br/>before package publish; ~7 test sessions visible
  OX->>PKG: Static analysis of package source
  OX->>GH: Token found → live repo access granted
  Note over OX,GH: OX researchers access attacker's repo<br/>in real time; account: unplowed3584
  GH-->>OX: ~7 exfiltration sessions visible
  Note over OX: OX publishes blog May 27;<br/>GitHub account deleted; npm package removed

// 02 The GitHub Token Self-Own: How Researchers Traced the Attacker

The defining feature of this campaign — and the element that elevated it from a routine npm malware incident to a story worth studying — is what OX Security found during static analysis of the package source.

A GitHub personal access token (PAT — a credential string that grants programmatic access to GitHub's API on behalf of a user account) was hardcoded in the JavaScript source in plain, unencoded text. Not base64-encoded. Not split across variables. Not retrieved from a remote URL at runtime. Just a raw credential string sitting in the source file, readable by anyone who extracted the package tarball.

Hardcoding credentials in source code is a well-known anti-pattern that even junior developers are taught to avoid. Every major code scanning tool, from GitHub's own secret scanning to Semgrep to trufflehog, flags it immediately. The fact that it was not even lightly obfuscated suggests the author either did not review the code they deployed or did not understand that the token would be visible to anyone who downloaded the package.
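
The two things a static pass has to catch here are the install hook from section 01 and the plaintext token this section describes. The Node.js scanner below is an added example, not OX Security's tooling and not the package's code: it reads an extracted package as a path-to-text map, lists the lifecycle scripts npm would run, greps the JavaScript for the indicator chain from section 01 (the /mnt/user-data path, a directory walk, base64 encoding, a Contents API URL) and for GitHub token formats. The sample package, its script path, the owner/repo in the URL and the all-zero token are constructed and carry none of the working exfiltration logic; the token regexes encode the prefix-and-length shapes of GitHub tokens as I know them and are an assumption to revisit if those formats change.

```javascript
"use strict";

// Constructed, non-functional stand-in for an extracted package tarball (path -> file text).
// It carries the indicators described in the write-up but none of the working exfiltration
// logic; the package name, script path and owner/repo are made up, and the token is all zeros.
const FAKE_TOKEN = "ghp_" + "0".repeat(36);
const SAMPLE_PACKAGE = {
  "package.json": JSON.stringify({
    name: "example-super-formatter",
    version: "1.0.0",
    description: "archive deployment sync",
    scripts: { postinstall: "node lib/sync.js" },
  }),
  "lib/sync.js": [
    "// constructed stub for scanning; not the real package",
    'const fs = require("fs");',
    `const TOKEN = "${FAKE_TOKEN}";`,
    'const ROOT = "/mnt/user-data";',
    'const API = "https://api.github.com/repos/example-owner/example-repo/contents/";',
    "function collect(dir) { return fs.readdirSync(dir, { withFileTypes: true }); }",
    'function encode(buf) { return buf.toString("base64"); }',
    "// upload(): PUT each encoded file to API + relativePath (body elided in this stub)",
  ].join("\n"),
};

// Lifecycle scripts npm runs automatically around install.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Behavioural indicators of the chain described in section 01, matched per source line.
const INDICATORS = [
  { id: "claude-user-data-path", re: /\/mnt\/user-data/ },
  { id: "fs-directory-walk", re: /\breaddir(?:Sync)?\s*\(/ },
  { id: "base64-encoding", re: /base64/i },
  { id: "github-contents-api", re: /api\.github\.com\/repos\/[^"'`\s]+\/contents\// },
];

// Assumed GitHub token shapes: classic tokens are a 3-letter prefix + "_" + 36 characters;
// fine-grained PATs are "github_pat_" + 22 + "_" + 59 characters.
const TOKEN_PATTERNS = [
  { kind: "github-classic-token", re: /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b/ },
  { kind: "github-fine-grained-pat", re: /\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b/ },
];

function scanPackage(files) {
  const report = { lifecycle: {}, indicators: [], secrets: [], verdict: "" };
  const manifest = JSON.parse(files["package.json"] || "{}");
  for (const hook of INSTALL_HOOKS) {
    if (manifest.scripts && manifest.scripts[hook]) report.lifecycle[hook] = manifest.scripts[hook];
  }
  for (const [file, text] of Object.entries(files)) {
    if (!/\.[cm]?js$/.test(file)) continue; // only JavaScript sources are grepped
    text.split("\n").forEach((line, idx) => {
      for (const ind of INDICATORS) {
        if (ind.re.test(line)) report.indicators.push({ file, line: idx + 1, id: ind.id });
      }
      for (const tp of TOKEN_PATTERNS) {
        const m = tp.re.exec(line);
        if (m) report.secrets.push({ file, line: idx + 1, kind: tp.kind, preview: m[0].slice(0, 8) + "..." });
      }
    });
  }
  // Verdict: an install hook combined with a walk-the-filesystem-then-write-to-GitHub chain.
  const seen = new Set(report.indicators.map((i) => i.id));
  const hasHook = Object.keys(report.lifecycle).length > 0;
  const exfilChain = seen.has("github-contents-api") && (seen.has("fs-directory-walk") || seen.has("claude-user-data-path"));
  report.verdict = hasHook && exfilChain
    ? "suspicious: install hook plus file-walk-to-GitHub chain"
    : "no install-hook exfiltration chain found";
  return report;
}

console.log(JSON.stringify(scanPackage(SAMPLE_PACKAGE), null, 2));
```

Run it over the output of npm pack followed by tar -xzf on the tarball. The secret preview is deliberately truncated so the report itself never becomes a second copy of a live credential.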

OX Security researchers used that token to authenticate to the GitHub Contents API and inspect the attacker's repository in real time. What they found was damning:

  • The attacker's GitHub username: unplowed3584
  • Account age: created only hours before the npm package was published on May 26, 2026 — a clear indicator of a throwaway account with no prior history
  • Approximately seven active exfiltration test sessions were visible in the repo, meaning the attacker had already run the malware themselves to verify it worked

After OX Security published their disclosure blog post on May 27, 2026, the unplowed3584 GitHub account was deleted, which suggests the attacker was watching for exposure. The npm package was still live at the time of initial disclosure and accumulated its final download count before it was removed from the registry.

// 03 AI-Generated Malware and the "Malware-Slop" Problem

OX Security coined the campaign name "Malware-Slop" as a direct reference to "AI slop" — the colloquial term for low-quality, generic content produced by large language models without meaningful human review. The name is apt.

The hardcoded token mistake is precisely the kind of error made by someone who prompted an AI assistant to write attack code, reviewed the output only far enough to confirm it functioned, and then deployed it without understanding the underlying mechanisms. An attacker who genuinely understood the code would recognise that a plaintext credential in a publicly downloadable package hands defenders the keys to the exfiltration repository: the account name, every file already stolen, and, depending on the token's scopes, the ability to alter or remove it.

The generic, bland code comments visible in the package source — stylistically consistent with AI-generated code — reinforced the assessment. As OX Security stated in their research: "this is a good example showing how some threat actors are using AI to generate malware without understanding basic opsec concepts and best practices."

The irony is layered. The attacker targeted Claude AI's file directory specifically — meaning they may have been using one AI tool (an LLM code assistant) to build malware targeting users of another AI tool (Anthropic's Claude). The toolchain that enabled the attack also undermined it: AI assistance lowered the barrier to writing functional malware code but also produced the credential-leak error that collapsed the attacker's anonymity within 24 hours of publication.

This is a growing pattern. The Hacker News coverage of this incident notes the broader trend of threat actors using AI code generation to scale malware production without scaling their expertise — producing higher volumes of functional-but-sloppy npm malware that trades operational security for speed.

// 04 Who Was Targeted and How Many Were Affected

The targeting of /mnt/user-data is precise and deliberate. This is the directory Anthropic's Claude desktop application uses on Linux-based systems for file uploads and model outputs — the files a user has explicitly shared with the AI assistant during a session. Successful exfiltration could expose documents, code, configuration files, or any other material a user fed into a Claude session.

The practical victim pool is developers running Claude on Linux systems, a demographic that overlaps substantially with the developers who install npm packages. Pairing npm as the delivery vector with Claude's file store as the target is not coincidental: the people most likely to run npm install are also the people most likely to have sensitive technical material in /mnt/user-data.

The package recorded 676 downloads before removal. Not every download represents a successful exfiltration: the postinstall script ran on every install, but it only found something to steal where /mnt/user-data existed, and npm download counts also include mirrors, scanners and repeated CI installs, so 676 is an upper bound on affected machines. Any developer who ran npm install mouse5212-super-formatter on a system where Claude's files were present should nonetheless treat the contents of their Claude session data as compromised.

The approximately seven test sessions OX Security observed in the attacker's repo represent the attacker's own validation runs. The number of genuine victim exfiltrations from the 676 installs is not publicly known.

// 05 What You Should Do Right Now

If you work with npm packages, run Node.js tooling, or use Anthropic's Claude on a Linux system, take the following steps immediately:

  • Audit recent npm installs. Search your lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) and the output of npm ls --all for mouse5212-super-formatter, including nested node_modules paths where it may have arrived as a transitive dependency. If it appears, treat the system as compromised and initiate an incident response process.
  • Check /mnt/user-data exposure. If you have Claude AI installed on Linux, inventory the files in that directory. Assume any files present at the time of a mouse5212-super-formatter install were exfiltrated to the attacker's (now-deleted) GitHub repo, and rotate any credentials, API keys or .env contents those files held.
  • Disable lifecycle scripts by default. Add ignore-scripts=true to your .npmrc for projects that do not require install hooks, or run npm install --ignore-scripts and selectively enable scripts only for packages you have reviewed. Two caveats: the setting also suppresses your own project's pre- and post-hooks (explicitly invoked scripts such as npm test still run), and a handful of legitimate packages that compile native code need their install scripts, so keep an allowlist for those. This is the single most effective control against this attack class.
  • Run secret scanning on your own codebases. Tools like trufflehog, gitleaks, and GitHub's built-in secret scanning will catch hardcoded credentials before they reach production — and would have caught this attacker's mistake too, had they used them.
  • Treat new or obscure npm packages with elevated scrutiny. Before installing any package with a low download count and no established history, inspect its lifecycle scripts without installing it (npm view <package> scripts prints the scripts field from the registry), then review the source. A package published by a brand-new account with vague utility claims is a red flag.
  • Consider a software composition analysis (SCA) tool in your CI/CD pipeline. SCA tools — such as those offered by OX Security, Snyk, or Socket.dev — perform automated analysis of third-party packages before they enter your dependency tree, flagging suspicious postinstall scripts and known-malicious packages before a developer runs npm install.

// 06 Background: Supply Chain Attacks via npm

The npm registry has been a recurring target for supply chain attackers — adversaries who compromise the software distribution pipeline rather than attacking end users directly — because a single malicious package can execute code on thousands of machines with no further interaction beyond a routine npm install.

This is not the first time a supply chain attack (an attack that poisons a trusted distribution channel — a software registry, a package mirror, or a CI/CD pipeline — to reach downstream consumers) has targeted the npm ecosystem. Our earlier coverage of the SAP npm "Mini Shai Hulud" supply chain campaign documented a similarly targeted attack against SAP development environments, and the Megalodon GitHub CI/CD backdoor campaign demonstrated how attackers are increasingly targeting the GitHub Actions pipeline as an adjacent vector. AI tool users have also been targeted directly: the MacSync stealer campaign used Google Ads to push fake Claude AI installers containing macOS malware.

What distinguishes Malware-Slop is the combination of three factors: the deliberate targeting of AI assistant file stores (a relatively new and data-rich attack surface), the use of AI to generate the malware itself (lowering attacker skill requirements), and the catastrophic OPSEC failure that resulted from that AI-assisted approach. Together, they illustrate a trajectory worth watching: as AI code generation lowers the barrier to writing functional malware, it simultaneously introduces new classes of attacker error — and those errors create investigative opportunities for defenders.

npm has not issued a public statement about the incident. The package was removed from the registry after OX Security's public disclosure on May 27, 2026.

// 07 Conclusion

mouse5212-super-formatter achieved its core objective — 676 downloads, file exfiltration from Claude AI sessions — and then collapsed under the weight of its own sloppiness. The attacker used AI to generate working npm malware targeting a high-value data store, but deployed it with their own authentication credentials sitting in the source code, unobfuscated, waiting to be found. OX Security found them in less than 24 hours.

The operational lesson for defenders is immediate: postinstall hook abuse is trivial to execute and, for this class of package, equally trivial to prevent with ignore-scripts. The control has limits, though: it does nothing against a package whose malicious code runs when the module is required at runtime rather than at install. The strategic lesson is longer-term: AI-assisted malware development is here, it produces functional attack code, and it also produces the kind of elementary OPSEC failures that turn attackers into case studies. The question is whether your organisation detects the malware before or after the files leave the machine.


    Team Ciphers Security

    The Ciphers Security editorial team: practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.
