Published: · Region: Global · Category: cyber

Malicious npm Package Caught Stealing Claude User Data to GitHub

Around 15:49 UTC on 27 May, security researchers disclosed that a malicious npm package named "mouse5212-super-formatter" had been exfiltrating files from Claude AI users’ /mnt/user-data directories to attacker-controlled GitHub repositories. The package abused npm postinstall scripts and hard-coded GitHub tokens.

Key Takeaways

At approximately 15:49 UTC on 27 May 2026, public reports emerged detailing a significant supply-chain compromise involving the npm ecosystem and users of Claude AI. The malicious package, named "mouse5212-super-formatter," was discovered to be exfiltrating user files from /mnt/user-data directories and uploading them to attacker-controlled GitHub repositories.

The package masqueraded as a benign formatting or utility tool, likely aiming to blend in with the vast number of similar development dependencies on npm. Upon installation, it leveraged npm’s postinstall scripting capability, which allows packages to execute arbitrary code automatically after being installed. In this case, the postinstall script traversed the /mnt/user-data directory—typically used in Claude-integrated environments to store user content, prompts, and other artifacts—and bundled selected files for transmission.

The exfiltration mechanism relied on hard-coded GitHub access tokens embedded in the package’s code. Once executed, the script established outbound connections to GitHub and pushed the harvested data into repositories controlled by the attacker. This approach enabled stealthy data theft under the guise of legitimate developer tooling, potentially affecting a wide swath of users who installed the package as part of broader dependency bundles without close inspection.

The incident underscores the systemic risk posed by software supply-chain attacks in open-source environments. Many development teams depend on large trees of third-party packages, often with transitive dependencies they do not directly track. A single malicious component, especially one with access to powerful script hooks like npm’s postinstall, can compromise sensitive codebases, configuration files, secrets, and user data.
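The two points above, install-time execution via lifecycle hooks and transitive dependencies that nobody tracks, are easier to reason about with a concrete audit. The following is an added example written for this article, not code from the package, from npm, or from any party the article describes. It assumes the package-lock v2/v3 "packages" layout (keys such as `node_modules/a/node_modules/b`), and every name other than the reported package, the file contents, and the token value are invented placeholders. It reports a package only if it is on a blocklist or if its install-time code trips an indicator; declaring an `install` hook by itself (as native addons legitimately do) is not a finding.

```javascript
// Added example (not from the article): audit an installed npm tree for
// (a) a known-bad package name and (b) packages whose install-time lifecycle
// scripts, or the files those scripts run, reference sensitive paths, embed
// GitHub tokens, or walk the filesystem. Assumes a package-lock v2/v3 layout.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators a reviewer would look for in install-time code.
const INDICATORS = [
  { id: 'sensitive-path', re: /\/mnt\/user-data/ },
  { id: 'github-token', re: /\b(ghp_|gho_|ghs_|github_pat_)[A-Za-z0-9_]{10,}/ },
  { id: 'github-api', re: /api\.github\.com|github\.com\/[\w.-]+\/[\w.-]+\.git/ },
  { id: 'fs-walk', re: /readdirSync|readdir\(|walkSync/ },
];

// Find every copy of `name` in a lockfile's "packages" map. Keys look like
// "node_modules/a/node_modules/b", so nested (transitive) copies are found too.
function findInLockfile(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([key]) => key === suffix || key.endsWith(`/${suffix}`))
    .map(([key, meta]) => ({ path: key, version: meta.version }));
}

// Inspect one installed package: its lifecycle hooks plus the source files shipped with it.
// Returns null when the package has no install-time hooks (it cannot run code on install).
function auditPackage(pkg) {
  const scripts = pkg.packageJson.scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => h in scripts);
  if (hooks.length === 0) return null;
  const text = hooks.map((h) => scripts[h]).concat(Object.values(pkg.files || {})).join('\n');
  const hits = INDICATORS.filter((ind) => ind.re.test(text)).map((ind) => ind.id);
  return { name: pkg.packageJson.name, hooks, hits };
}

// Audit a whole tree; a package is reported if it is on the blocklist or if its
// install-time code trips at least one indicator. Hooks alone are not a finding.
function auditTree(packages, blocklist = []) {
  const findings = [];
  for (const pkg of packages) {
    const result = auditPackage(pkg) || { name: pkg.packageJson.name, hooks: [], hits: [] };
    if (blocklist.includes(result.name)) result.hits.unshift('blocklisted');
    if (result.hits.length > 0) findings.push(result);
  }
  return findings;
}

// Constructed sample tree. Only the reported package name comes from the article;
// the other names, the file contents and the token value are invented placeholders.
const SAMPLE_TREE = [
  { packageJson: { name: 'pad-helper', version: '1.0.0', scripts: { test: 'node test.js' } },
    files: { 'index.js': 'module.exports = (s, n) => s.padStart(n);' } },
  { packageJson: { name: 'native-addon', version: '2.0.0', scripts: { install: 'node-gyp rebuild' } },
    files: { 'binding.gyp': '{ "targets": [] }' } },
  { packageJson: { name: 'mouse5212-super-formatter', version: '0.1.0',
                   scripts: { postinstall: 'node setup.js' } },
    files: { 'setup.js': [
      "const fs = require('fs');",
      "const ROOT = '/mnt/user-data';",
      "const TOKEN = 'ghp_PLACEHOLDER00000000000000000000000000';",
      'const entries = fs.readdirSync(ROOT);',
      '// ... upload via https://api.github.com ...',
    ].join('\n') } },
];

// Constructed package-lock v3 excerpt in which the package arrives transitively.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/pad-helper': { version: '1.0.0' },
    'node_modules/some-cli': { version: '3.2.1', dependencies: { 'mouse5212-super-formatter': '^0.1.0' } },
    'node_modules/some-cli/node_modules/mouse5212-super-formatter': { version: '0.1.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findInLockfile(SAMPLE_LOCK, 'mouse5212-super-formatter'));
  console.log(JSON.stringify(auditTree(SAMPLE_TREE, ['mouse5212-super-formatter']), null, 2));
}
```

Run against real trees, `findInLockfile` takes the parsed `package-lock.json` and `auditTree` takes the `package.json` plus source files of each directory under `node_modules`. Independently of any scanner, npm's own `ignore-scripts` setting (`npm config set ignore-scripts true`, or `npm ci --ignore-scripts` in CI) stops lifecycle hooks from running at all, which removes the execution step this package depended on; packages that genuinely need a build step then have to be rebuilt explicitly and deliberately.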

For organizations integrating Claude AI into their workflows, the targeting of /mnt/user-data is particularly concerning. That directory may contain:

The compromise therefore has both privacy and intellectual property implications. Even if the initial scope of adoption for "mouse5212-super-formatter" was limited, the nature of the targeted directory suggests the attacker had a clear understanding of Claude’s typical deployment environment and data layout.

This episode joins a growing list of incidents where package managers have been used as entry points for data theft and malware delivery. Attackers increasingly exploit the trust developers place in widely used registries, publishing malicious packages with names similar to popular libraries or inserting backdoored versions into legitimate maintainers’ accounts.

Outlook & Way Forward

Immediately, developers and organizations should audit their npm dependency trees for any reference to "mouse5212-super-formatter" and remove the package wherever found. Systems that installed it should be treated as potentially compromised: incident response teams should examine logs for outbound connections to GitHub from build environments, check for unauthorized repositories, and assess whether sensitive data in /mnt/user-data may have been exposed.
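One way to carry out the log review described above, as an added example written for this article and not a tool from the article or from any of the parties it describes. It assumes an egress-proxy log with one request per line (ISO timestamp plus `key=value` fields, a format invented here), that build hosts follow a `ci-*` naming convention, and that the organisation's own GitHub owners are known (`acme-corp` is a placeholder, as is the `zz-dropbox-9913` owner standing in for an attacker-controlled account). Fetches from GitHub are normal on a build host, so the logic keys on writes: a `git push` over smart HTTP is a POST to `.../<repo>.git/git-receive-pack` (a fetch uses `git-upload-pack`), and a REST content upload is a PUT/POST/PATCH on `/repos/<owner>/<repo>/contents/...`. Each write to an owner the organisation does not control is then correlated with a recent registry fetch of a blocklisted package from the same host.

```javascript
// Added example (not from the article): triage egress-proxy logs from build hosts
// for GitHub writes (git pushes and REST content uploads) to repository owners the
// organisation does not own, and correlate each with a recent registry fetch of a
// blocklisted package from the same host. Log format, host names, owners and the
// time window are assumptions of this example.
const KNOWN_OWNERS = new Set(['acme-corp']);   // assumption: the org's own GitHub owners
const BUILD_HOST_RE = /^ci-/;                  // assumption: build hosts are named ci-*
const BLOCKLIST = ['mouse5212-super-formatter'];

// One line: ISO timestamp followed by key=value fields.
function parseLine(line) {
  const [ts, ...fields] = line.trim().split(/\s+/);
  const ev = { ts: Date.parse(ts) };
  for (const kv of fields) {
    const i = kv.indexOf('=');
    ev[kv.slice(0, i)] = kv.slice(i + 1);
  }
  ev.bytes_out = Number(ev.bytes_out);
  return ev;
}

// Classify a request as a GitHub write and extract the repository owner.
// A push over smart HTTP is a POST to .../<repo>.git/git-receive-pack; a fetch uses
// git-upload-pack and is not a write. Content uploads through the REST API are
// PUT/POST/PATCH on /repos/<owner>/<repo>/contents/...
function githubWrite(ev) {
  if (ev.dst === 'api.github.com' && ['PUT', 'POST', 'PATCH'].includes(ev.method)) {
    const m = ev.path.match(/^\/repos\/([^/]+)\/[^/]+\/contents\//);
    return m ? { kind: 'api-content-upload', owner: m[1] } : null;
  }
  if (ev.dst === 'github.com' && ev.method === 'POST') {
    const m = ev.path.match(/^\/([^/]+)\/[^/]+\.git\/git-receive-pack$/);
    return m ? { kind: 'git-push', owner: m[1] } : null;
  }
  return null;
}

// Report writes from build hosts to unknown owners; attach the most recent
// blocklisted-package fetch from the same host inside `windowMs`, if any.
function analyze(logText, windowMs = 10 * 60 * 1000) {
  const events = logText.trim().split('\n').map(parseLine);
  const findings = [];
  for (const ev of events) {
    const w = githubWrite(ev);
    if (!w || !BUILD_HOST_RE.test(ev.host) || KNOWN_OWNERS.has(w.owner)) continue;
    const fetches = events.filter((e) =>
      e.host === ev.host && e.dst === 'registry.npmjs.org' &&
      e.ts <= ev.ts && ev.ts - e.ts <= windowMs &&
      BLOCKLIST.some((p) => e.path.split('/').includes(p)));
    const recent = fetches[fetches.length - 1];
    findings.push({
      host: ev.host, ts: new Date(ev.ts).toISOString(), kind: w.kind, owner: w.owner,
      bytes_out: ev.bytes_out, correlated_package: recent ? recent.path.split('/')[1] : null,
    });
  }
  return findings;
}

// Constructed log excerpt. The owner "zz-dropbox-9913" is an invented placeholder
// for an attacker-controlled account, not a real account; host names are invented.
const SAMPLE_LOG = `
2026-05-26T09:41:02Z host=ci-runner-07 user=build method=GET dst=registry.npmjs.org path=/mouse5212-super-formatter/-/mouse5212-super-formatter-0.1.0.tgz bytes_out=412 status=200
2026-05-26T09:41:05Z host=ci-runner-07 user=build method=POST dst=github.com path=/acme-corp/app.git/git-upload-pack bytes_out=1834 status=200
2026-05-26T09:41:09Z host=ci-runner-07 user=build method=PUT dst=api.github.com path=/repos/zz-dropbox-9913/collect/contents/ci-runner-07/notes.md bytes_out=58213 status=201
2026-05-26T09:41:10Z host=ci-runner-07 user=build method=POST dst=github.com path=/zz-dropbox-9913/collect.git/git-receive-pack bytes_out=2201774 status=200
2026-05-26T09:42:00Z host=dev-laptop-3 user=alice method=POST dst=github.com path=/acme-corp/app.git/git-receive-pack bytes_out=90311 status=200
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(analyze(SAMPLE_LOG), null, 2));
}
```

On the constructed sample the developer's push to the organisation's own repository is ignored, the build host's fetch from the organisation's repository is ignored, and the two writes to the unknown owner are reported with the preceding fetch of the blocklisted package attached, which is the evidence an incident responder needs to treat the host as compromised and to enumerate what was uploaded (`bytes_out` gives a first estimate of volume). The `KNOWN_OWNERS` list should come from the organisation's actual GitHub inventory; with a proxy that does not log paths, the owner extraction is unavailable and the rule degrades to flagging any push or upload from a build host.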

In the medium term, this incident is likely to accelerate moves toward more rigorous supply-chain security practices. These may include:

For the broader AI ecosystem, the attack highlights the need to treat AI-specific data directories—like Claude’s /mnt/user-data—as high-value assets subject to strict access control and monitoring. Architectural changes that isolate such directories from generic development tooling, along with fine-grained permissions for CI/CD systems, could reduce the blast radius of similar attacks. Stakeholders should also advocate for stronger vetting and automated scanning of packages on major registries, as well as rapid takedown and disclosure mechanisms when compromises are detected.
