
Malicious Npm Package Stole Files From Claude AI User Directory via GitHub
Why It Matters
The theft exposes sensitive AI model inputs and outputs, potentially compromising proprietary data and intellectual property. It also demonstrates how low‑effort, AI‑crafted malware can infiltrate widely used package registries, prompting urgent calls for stronger npm security controls.
Key Takeaways
- npm package mouse5212‑super‑formatter downloaded 676 times before removal
- Malware exfiltrates files from Claude AI’s /mnt/user-data directory
- Uses victim’s GitHub token or hard‑coded token during postinstall
- Creates private repo on attacker GitHub and uploads files recursively
- Highlights rising AI‑generated supply‑chain threats and npm’s need for better vetting
Pulse Analysis
The npm ecosystem has long been a target for supply‑chain attacks, but the mouse5212‑super‑formatter case marks a new chapter where artificial intelligence accelerates the creation of malicious code. Researchers note that the low barrier to generating functional malware with AI tools enables threat actors to quickly produce packages that appear legitimate, slip past basic vetting, and reach developers worldwide. As open‑source components become integral to AI workloads, the attack surface expands, making it essential for registries to adopt automated scanning and reputation systems.
Technical analysis reveals that the malicious package masquerades as an "archive deployment sync" utility, but during the postinstall phase it harvests a GitHub access token from the victim’s environment—or falls back to a hard‑coded token—to authenticate with GitHub. It then checks for the existence of a repository, creates one if absent, and recursively uploads every file from Claude’s /mnt/user-data folder into randomly named directories on the attacker’s account. By fabricating a fake network‑connections log, the malware attempts to hide its exfiltration activity, illustrating a sophisticated blend of social engineering and code obfuscation.
For developers and security teams, the incident serves as a stark reminder to enforce strict dependency hygiene. Pinning exact package versions, employing provenance verification, and integrating runtime monitoring can mitigate the risk of hidden postinstall scripts. Meanwhile, npm and other registries must enhance their automated threat detection, possibly leveraging AI themselves to flag anomalous behavior before packages become publicly available. Proactive measures will be crucial to protect the burgeoning AI‑driven software supply chain from similar low‑effort, high‑impact attacks.