"Malware-Slop": Malicious npm Package Caught Stealing Files From Claude AI's User Directory via GitHub


Cybersecurity researchers at OX Security have uncovered a malicious package on the npm registry that specifically targets files stored in Anthropic's Claude AI tool directory. The campaign, dubbed Malware-Slop, centers around a package named mouse5212-super-formatter and represents a growing trend of AI-focused supply chain attacks carried out with low operational sophistication, but real consequences.

What the Package Does

On the surface, the package presents itself as an internal "archive deployment sync" utility, claiming to validate GitHub repositories and send network diagnostic information. In reality, it is a data theft tool with a very specific target: the /mnt/user-data directory, the dedicated folder that Claude AI uses to handle file uploads and outputs in the background.

The malicious behavior is triggered during the postinstall stage, meaning it executes automatically the moment a developer installs the package. At that point, the malware authenticates to GitHub using either a token found in the victim's environment variables or a hard-coded fallback token built into the package itself. It then checks whether a target repository already exists on an attacker-controlled GitHub account, creates one if it doesn't, and proceeds to recursively upload every file it can find in the Claude AI user directory to that remote repository.

To disguise its true purpose, the package writes a fake "network connections" log to give the impression it is only sending diagnostic information, while silently exfiltrating local data in the background. Stolen files are organized into randomly named folders on the attacker's GitHub account, allowing the operator to distinguish between different victims and theft sessions.

Scale and Current Status

The package has been downloaded approximately 676 times, though how many of those represent actual installations with real data exposure remains unclear. The attacker's GitHub account, which received all the stolen files, was created on May 26, 2026, just hours before the first malicious version of the package was uploaded to npm. The GitHub account is no longer accessible, though the npm package itself remains available for download at the time of reporting.

A Sloppy Attacker Who Left the Door Open

One of the most notable aspects of this campaign is what it reveals about the attacker's operational security, or lack thereof. The package inadvertently leaked the GitHub account's own private token in its code, effectively exposing the attacker's infrastructure to anyone who looked closely enough. This careless error points strongly toward the use of AI-generated malware, where the threat actor appears to have used an AI tool to write the malicious code without fully understanding or reviewing what was produced.

OX Security cites this as a defining characteristic of the emerging "Malware-Slop" threat category: malware that is sloppy, poorly secured, and often mimics the style of more sophisticated APT campaigns without the tradecraft. As the barrier to creating functional malicious code continues to drop thanks to AI coding tools, security researchers expect a surge in this type of low-effort but potentially damaging supply chain attack.

What Developers Should Do

Anyone who has installed mouse5212-super-formatter should treat the Claude AI user directory contents as potentially compromised and rotate any credentials or tokens that may have been stored or processed there. Security teams should audit npm dependencies for recently added or unfamiliar packages and consider tools that monitor for suspicious postinstall script behavior.
