Malicious npm Package Targets Anthropic Claude AI Data in New “Malware-Slop” Campaign

Malicious npm Package Discovered
Cybersecurity researchers at OX Security have uncovered a malicious package on the npm registry named “mouse5212-super-formatter” that includes information-stealing functionality.
The package specifically targets data stored in /mnt/user-data, a directory used internally by Anthropic Claude AI to manage uploads and generated outputs. Researchers have named the activity “Malware-Slop.”
How the Malware Works
The package masquerades as an internal “archive deployment sync” utility that appears to:
- Validate or initialize GitHub repositories
- Capture lightweight network diagnostics
- Synchronize local workspace files
However, analysis revealed that the package instead performs the following malicious actions during the postinstall phase:
- Authenticates to GitHub using either:
  - A token found in the victim’s environment
  - A hard-coded fallback token
- Creates a GitHub repository if one does not already exist
- Recursively uploads local files to attacker-controlled GitHub repositories
The malware stores stolen files in randomly generated folders to organize theft sessions while disguising its activity behind fake “network status” logging.

Targeting Anthropic Claude AI
Researchers say the malware is notable because it directly targets Claude AI’s working directories, suggesting attackers are increasingly focusing on:
- AI-generated content
- Uploaded documents
- Development artifacts
- API keys and secrets processed by AI tooling
The package’s focus on /mnt/user-data indicates awareness of Anthropic Claude’s backend workflow and storage behavior.
Poor OPSEC Suggests AI-Generated Malware
OX Security noted that the threat actor accidentally exposed operational details, including a private GitHub token associated with the campaign.
This has led researchers to suspect the malware may itself have been partially generated using AI tools, without proper operational security practices being implemented.
“Now that the bar to create malicious code was reduced significantly, we’re going to see more threat actors getting into the game,” OX Security warned.
Distribution and Current Status
- The malicious package remained available on npm at the time of reporting
- Estimated downloads: 676
- The associated GitHub account was created on May 26, 2026, shortly before the malware upload
- The GitHub account has since been removed
It remains unclear how many downloads resulted in successful installations.
Security Recommendations
Developers and organizations should:
- Avoid installing unknown npm packages, especially recently published ones
- Review package postinstall scripts before deployment
- Monitor outbound GitHub activity from developer workstations and CI/CD environments
- Restrict access tokens in environment variables where possible
- Use dependency scanning and software supply chain monitoring tools
Sources: thehackernews.com, www.ox.security












