Malware dev tries to steal Claude users' secrets, writes npm slop, leaks own GitHub private token
Briefly

An npm package named “mouse5212-super-formatter” targeting Claude users acted as an information stealer. The malware reached 676 downloads before removal from the npm registry. It leaked its own GitHub private token, enabling OX Security researchers to trace stolen files and analyze the malware. Researchers reported that the creator tested stealing capabilities on a separate repository shortly before uploading the first malicious version. The GitHub account was deleted after the attack. All versions of the package were affected. Users who installed it should revoke GitHub access tokens and assume unusual files in “/mnt/user-data” were compromised. The stealer authenticated to GitHub, checked or created a target repository, recursively walked a local directory, and uploaded files via the GitHub Contents API, storing them in random per-run folders.
"An npm-slop package “mouse5212-super-formatter” targeting Claude users and acting as a stealer reached 676 downloads before being removed from the registry - and after making a major vibe coding blunder. The AI-generated malware leaked its own GitHub private token, thus allowing OX Security researchers to trace the stolen files and analyze the malware before issuing this warning: “We're going to see more threat actors getting into the game - uploading more sloppy malwares, mostly mimicking APT groups to get a slice of the cake until npm starts automatically blocking malware completely.”"
"According to researchers Moshe Siman Tov Bustan and Nir Zadok, the sloppy code writer created their GitHub account earlier this month, just hours before uploading their first malicious version to npm and shortly after testing out the information-stealing capabilities on a “test” repository. The GitHub account was deleted after the attack. All versions of mouse5212-super-formatter are affected, according to the threat hunters, so if you installed it, immediately revoke your GitHub access tokens and assume any unusual files in the “/mnt/user-data” directory have been compromised."
"The storage directory that Anthropic's AI coding tool Claude uses to handle file uploads, downloads, and code/data outputs. The script purports to be an internal “archive deployment sync” utility that validates a GitHub repository, captures a “network status” snapshot, and then synchronizes local workspace files with a remote tracking tree. In reality, however, it's a stealer. “It authenticates to GitHub (using an environment token or a hardcoded fallback), checks whether a target repository exists, creates it if needed, then recursively walks a local directory and uploads every file through the GitHub Contents API,” Bustan and Zadok wrote."
"It stores the stolen files under a random per-run folder."
Read at theregister
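To act on the advice above, a project first has to know whether the package was ever resolved into its dependency tree. The following is an added example, not code from the article or from OX Security: it searches the text of a `package-lock.json` for `mouse5212-super-formatter` at any depth and under any alias. The function name, the sample lockfile and the `0.0.0-sample` version are constructed for illustration.

```javascript
// Added example: not code from the article or from OX Security.
const AFFECTED = "mouse5212-super-formatter"; // name from the article; all versions affected

// Return every location where the affected package appears in a package-lock.json.
// Handles lockfileVersion 2/3 ("packages", keyed by install path) and
// lockfileVersion 1 (nested "dependencies", keyed by package name).
function findAffected(lockText, name = AFFECTED) {
  const lock = JSON.parse(lockText);
  const hits = [];
  const add = (path, meta) => {
    if (!hits.some((h) => h.path === path)) hits.push({ path, version: meta.version || "unknown" });
  };

  // v2/v3: keys look like "node_modules/a/node_modules/b"; "" is the root project.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue;
    const installed = path.slice(idx + "node_modules/".length);
    // meta.name is recorded when the package is installed under an alias.
    if (installed === name || meta.name === name) add(path, meta);
  }

  // v1 (also kept in v2 for compatibility): walk the nested dependency tree.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + dep;
      // v1 records an alias as version "npm:<real-name>@<version>".
      const aliased = String(meta.version).startsWith(`npm:${name}@`);
      if (dep === name || aliased) add(path, meta);
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (hypothetical project; the version is a placeholder).
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app", lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-tool": { version: "2.0.0" },
    "node_modules/some-tool/node_modules/mouse5212-super-formatter": { version: "0.0.0-sample" },
  },
  dependencies: {
    "some-tool": { version: "2.0.0", dependencies: {
      "mouse5212-super-formatter": { version: "0.0.0-sample" } } },
  },
});
console.log(findAffected(SAMPLE_LOCK));
```

A lockfile only records what was resolved at the time it was written, so an empty result does not cover a package that was installed and later removed.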