IRCNF

A malicious npm package was caught stealing files from Claude AI users — and it's part of a growing pattern

A malicious package quietly uploaded to the npm registry has been caught stealing files from developers using Claude AI: it exfiltrates the entire contents of the directory Claude uses to manage uploads and working files and sends them to an attacker-controlled GitHub repository. The package, named "mouse5212-super-formatter," was downloaded an estimated 676 times before it was flagged and reported by The Hacker News.

The attack is relatively simple in design but effective in targeting. During installation, in an npm lifecycle script that runs automatically and without prompting, the package authenticates to GitHub, using a GitHub token found in the victim's environment if one exists and otherwise falling back to a hardcoded credential, and then recursively uploads every file under /mnt/user-data, the directory Claude's execution environment uses for uploads and working files, to the attacker's repository. That path normally does not exist on a developer's own workstation, so the script finds its payload mainly when the package is installed inside Claude's sandboxed environment, for example when Claude itself runs npm install during a session. The result is a quiet, automated exfiltration that most developers would never notice until the damage was done.

A new attack surface: AI coding tools

What makes this incident notable is not its technical sophistication — it's the target. AI coding assistants like Claude Code have become indispensable infrastructure for a growing segment of professional software developers. That widespread adoption has made them an attractive attack surface.

The GitHub account used in this campaign was created on May 26, 2026, just hours before the malicious package was first uploaded to npm. That rapid setup points to a quick, opportunistic operation rather than a patient, long-running campaign. Researchers also observed a basic operational security failure on the attacker's part: the fallback GitHub token was hardcoded in the published package, where anyone who unpacks the tarball can read it, which exposes the account and repository receiving the stolen files to identification and revocation.

The broader pattern of AI tool targeting

This incident does not exist in isolation. Since early 2026, security researchers have documented a significant uptick in supply chain attacks specifically aimed at AI developer tooling. SafeDep flagged a separate campaign in which five typosquatting npm packages, published within hours of each other by accounts named "superbase" and "micresoft", shipped 4.5 MB hidden binaries inside a .claude/ directory; the binaries executed both on installation and on every subsequent Claude Code session start.

Other campaigns have used SEO poisoning to push fake Claude Code installers, reverse-engineered Claude Code internals to route traffic through attacker-controlled proxies, and even crafted lures that impersonate Gemini and Claude Code to deliver infostealers. The pattern is consistent: attackers go where developers are, and right now, AI coding tools are where developers are.

Why this threat vector is particularly dangerous

Traditional supply chain attacks rely on developers installing packages they don't examine closely. AI coding workflows introduce an additional wrinkle: the AI agent itself can be manipulated into installing malicious packages through carefully crafted prompts, including instructions planted in content the agent reads rather than typed by its user. A technique researchers have called "PromptMink" demonstrates how a malicious actor could instruct a Claude-based agent to install a trojanized package, effectively turning the AI's trust and autonomy into an attack surface.

The files stored in Claude's working directories can also be uniquely sensitive. Developers often pass context files, API credentials, configuration snippets, and proprietary code to Claude as part of their workflow. An attacker who can drain that directory gets not just the files themselves but a window into the developer's entire working environment — project structure, secrets, integrations, and more.

What developers should do

The immediate steps are straightforward but worth stating clearly. Audit installed npm packages for anything unfamiliar, especially recently added packages that claim to be utility libraries, formatters, or sync helpers, and pay particular attention to packages that declare preinstall, install, or postinstall scripts, since that is where this exfiltration ran. Check which GitHub tokens are present in the environment where installs happen (GITHUB_TOKEN, GH_TOKEN and similar), keep them narrowly scoped, and revoke and rotate any token that was exposed to an install of the malicious package. Watch for unexpected outbound connections, to GitHub in particular, during package installation. If you use Claude or Claude Code in a project, treat /mnt/user-data and equivalent working directories as sensitive and avoid leaving credentials or secrets there.

More broadly, the lesson from this campaign is that the same hygiene practices that apply to any software dependency apply just as much to the packages supporting your AI toolchain. The fact that a package was installed to support an AI workflow does not make it more trustworthy — it may make it more dangerous, because those workflows tend to have access to more sensitive context than a typical dependency.

Security tools that scan npm packages before installation and flag newly registered packages with low download counts can catch many of these attacks before they execute. The mouse5212-super-formatter package was, in hindsight, straightforward to red-flag: a newly registered account, a suspiciously generic name, a postinstall script making outbound network calls. The infrastructure to catch these patterns exists. The challenge is making sure it is actually applied to the AI tooling layer, not just to production dependencies.

As AI coding tools become more deeply integrated into professional development workflows, the incentives for targeting them will only increase. This incident is a reminder that the trust developers place in their AI toolchains needs to be matched by proportionate security controls — not assumed.

Source: The Hacker News, SafeDep, Trend Micro Research