A malicious npm package named “mouse5212-super-formatter” was found stealing files from Anthropic’s Claude AI workspace by uploading them to a threat actor-controlled GitHub account. The package, dubbed Malware-Slop, disguises its activity as a sync utility, and it even leaked the attacker’s GitHub token while remaining available on npm. #mouse5212-super-formatter #Malware-Slop #Anthropic #Claude #GitHub #npm
Keypoints
- The npm package “mouse5212-super-formatter” contains information-stealing capabilities.
- It targets files in /mnt/user-data used by Anthropic’s Claude AI tool.
- The malware authenticates to GitHub during postinstall using a victim token or a hard-coded fallback token.
- Stolen files are uploaded to a threat actor-controlled GitHub account in randomly named folders.
- The package leaked the attacker’s private GitHub token and remains available for download on npm.
Read More: https://thehackernews.com/2026/05/malicious-npm-package-stole-files-from.html