npm Malware Exfiltrates Claude AI Files to GitHub
Key insights
- The package targeted Claude Code's '/mnt/user-data' directory specifically, marking the first supply-chain attack designed for AI development tool environments.
- Poor attacker OPSEC exposed a private GitHub token embedded in the payload, aiding attribution after 676 downloads had already occurred.
- The 'Malware-Slop' campaign establishes a replicable template for AI-native registry attacks targeting specific tool directories rather than generic developer dependencies.
Why this matters
Anthropic's Claude Code now has a documented attack surface in npm's registry, meaning every developer who installs unchecked packages into a Claude environment carries real file exfiltration risk. The precise targeting of '/mnt/user-data' demonstrates that adversaries are mapping AI tool architectures deliberately, building attacks around specific product internals rather than sweeping opportunistically for credentials. Security teams at AI-native companies must treat their LLM tool ecosystems as first-class attack surfaces requiring dedicated supply-chain controls, not just standard dependency audits.
Summary
A malicious npm package has been caught stealing files from Claude Code installations, the first documented supply-chain attack built specifically to target Anthropic's AI tool environment.
The package, 'mouse5212-super-formatter,' was downloaded 676 times before discovery. It targeted the '/mnt/user-data' directory used by Claude Code and uploaded stolen contents to a GitHub repository via a hard-coded token. Poor attacker OPSEC, specifically a private GitHub token embedded inside the payload itself, accelerated attribution. The GitHub account behind the campaign was created just hours before the package appeared on npm on May 26, 2026.
Essentially, for Anthropic and the npm ecosystem, this attack establishes a new AI-native threat class targeting Claude Code's file-handling environment rather than generic developer dependencies.
- The '/mnt/user-data' directory was targeted precisely, making this surgical against Claude Code users rather than opportunistic.
- The attacker's leaked private token aided investigator attribution, but only after 676 downloads had already occurred.
- The campaign, dubbed 'Malware-Slop,' signals that low-effort, AI-tooling-specific attacks are now a repeatable template.
Supply-chain threats have found a new attack surface: the file-handling environments of AI coding tools.
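As an added defender-side example (not code from the article, Anthropic, or npm), the following Node.js check flags, before installation, the two indicators the summary describes together: an install-time lifecycle script and either a reference to Claude Code's '/mnt/user-data' directory or a hard-coded GitHub token. The package name, file names, and token value in the sample are constructed placeholders, not the real package contents.

```javascript
// Added example: a pre-install audit of npm package contents. Not code from
// the article, Anthropic, or npm. Files are passed in as a map of
// path -> text so the check runs offline on constructed input.
const SENSITIVE_DIRS = ['/mnt/user-data']; // Claude Code user-data directory
// GitHub token shapes: classic-style tokens (ghp_/gho_/ghu_/ghs_/ghr_) and
// fine-grained PATs (github_pat_).
const TOKEN_PATTERNS = [
  /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g,
  /\bgithub_pat_[A-Za-z0-9_]{20,}\b/g,
];
// These hooks run automatically on `npm install`, which is where a
// file-stealing payload is launched from.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

function scanPackage(files) {
  const findings = [];
  const scripts = JSON.parse(files['package.json'] || '{}').scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ type: 'lifecycle-hook', where: hook, detail: scripts[hook] });
  }
  for (const [path, text] of Object.entries(files)) {
    for (const dir of SENSITIVE_DIRS) {
      if (text.includes(dir)) findings.push({ type: 'sensitive-dir', where: path, detail: dir });
    }
    for (const re of TOKEN_PATTERNS) {
      for (const m of text.matchAll(re)) {
        // Record a redacted prefix only, so the audit log does not leak the secret.
        findings.push({ type: 'hardcoded-token', where: path, detail: m[0].slice(0, 8) + '...' });
      }
    }
  }
  return findings;
}

// Block when an install hook is combined with either indicator; otherwise just report.
function verdict(files) {
  const findings = scanPackage(files);
  const types = new Set(findings.map((f) => f.type));
  const block = types.has('lifecycle-hook') &&
    (types.has('sensitive-dir') || types.has('hardcoded-token'));
  return { block, findings };
}

// Constructed sample mirroring the pattern the article describes; the package
// name, file names, and token value are placeholders, not the real payload.
const SAMPLE_PACKAGE = {
  'package.json': JSON.stringify({ name: 'example-formatter', version: '1.0.0',
    scripts: { postinstall: 'node setup.js' } }),
  'setup.js': "const fs = require('fs');\n" +
    "const entries = fs.readdirSync('/mnt/user-data');\n" +
    "const token = 'ghp_" + 'A'.repeat(36) + "';\n",
};
```

Run `verdict(SAMPLE_PACKAGE)` to see the findings; the same function can be pointed at the extracted files of a real tarball (`npm pack`) before the package is ever installed.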
Potential risks and opportunities
Risks
- Claude Code users who installed the package between May 26 and takedown may have had sensitive project files, API keys, or private configs uploaded to the attacker's GitHub repository before the token was rotated.
- Other threat actors can replicate the 'Malware-Slop' template with better OPSEC within 30 to 60 days, extending targeting to other AI coding tools such as Cursor or GitHub Copilot Workspace.
- npm registry maintainers face escalating pressure from enterprise customers including Anthropic to implement AI-tool-specific package scanning before similar campaigns proliferate across the Claude, Copilot, and Gemini CLI ecosystems.
Opportunities
- AI supply-chain security vendors (Socket.dev, Chainguard, Snyk) can move quickly to offer specialized scanning for AI tool directories as a differentiated product category with a live reference incident.
- Anthropic could implement a verified npm publisher allowlist or a sandboxed package execution layer within Claude Code to prevent future directory-targeting attacks and position this as an enterprise security differentiator.
- Cyber insurers and AI security auditors (Coalition, At-Bay, Coalfire) gain a concrete reference incident to justify mandatory supply-chain reviews and premium adjustments for Claude Code enterprise deployments.
What we don't know yet
- What specific file types and data volume were exfiltrated across the 676 downloads before the package was taken down.
- Whether Anthropic has identified and notified affected Claude Code users as of May 27, 2026.
- Attribution beyond the leaked GitHub account; no threat actor group or nation-state link has been publicly confirmed for the 'Malware-Slop' campaign.
Originally reported by thehackernews.com
Original headline: Malicious npm Package 'mouse5212-super-formatter' Targets Claude AI User Directory — 'Malware-Slop' Campaign Exfiltrates Files via GitHub, Downloaded 676 Times