PROBABLYPWNED
Malware | May 28, 2026

npm Package Targeted Claude AI Users, Leaked Own GitHub Token

Malicious npm package mouse5212-super-formatter stole files from Claude AI's working directory. The attacker's own GitHub token was exposed in the code, allowing researchers to trace exfiltration.

James Rivera

A malicious npm package designed to steal files from Anthropic's Claude AI tool contained a critical mistake: the attacker left their own GitHub private token in the code, giving researchers full visibility into the exfiltration operation.

OX Security researchers discovered "mouse5212-super-formatter" on the npm registry, masquerading as a code formatting utility. The package specifically targeted the /mnt/user-data/ directory—a location used by Claude's local tooling to handle file uploads and outputs.

How the Attack Worked

The malware executed during npm's postinstall phase, presenting itself as an "archive deployment sync" utility. It claimed to validate a GitHub repository and capture a "network status snapshot" before performing what it called "structured synchronization."

In reality, it authenticated to GitHub using either a victim's token (if available) or a hardcoded fallback, then uploaded stolen files to randomly named folders in an attacker-controlled repository. The target was clear: developers using Claude for coding tasks often have sensitive project files, configuration secrets, and credentials passing through their AI assistant's working directory.

The package accumulated an estimated 676 downloads before being flagged and removed.

The Attacker's Mistake

Here's where the operation unraveled. The malware developer embedded their own GitHub private access token directly in the package code—unobfuscated. This token gave researchers access to the exfiltration repository, allowing them to observe exactly what files were being stolen and from which victims.

The GitHub account linked to the campaign was created on May 26, 2026, just hours before the first malicious version was published to npm. This suggests an opportunistic attack rather than a long-planned operation.

Developer-Targeted Supply Chain Attacks

This package fits a pattern we've tracked throughout 2026. Threat actors increasingly target AI-assisted development workflows, knowing developers often grant their AI tools access to sensitive codebases. We covered a similar supply chain campaign targeting crypto and AI developers just last week.

The specific targeting of Claude's directory structure shows attackers are adapting to how developers actually work. As AI coding assistants become standard tooling, they become attractive interception points for stealing source code, API keys, and internal documentation.

Protecting Yourself

  1. Audit npm dependencies - Run npm audit, but note that it only flags packages with a published advisory, so a freshly published malicious package like this one will not appear until someone reports it; supplement it with behavioral scanners such as Socket.dev that look at what a package does on install
  2. Verify package publishers - Check download counts, publish history, and whether the linked GitHub repository actually matches the published code before installing
  3. Isolate AI tool directories - Run your AI assistant in a container or a dedicated working directory so that a compromise of its tooling cannot reach unrelated project files, secrets, or credentials
  4. Monitor postinstall scripts - Many supply chain attacks execute during installation; review the preinstall/install/postinstall scripts of new dependencies, and where a build step is not needed, disable them outright with npm install --ignore-scripts (or ignore-scripts=true in .npmrc)

Why This Matters

The irony of this particular attack—a malware developer accidentally exposing their own infrastructure—shouldn't distract from the broader threat. Developers are high-value targets, and their toolchains are increasingly complex attack surfaces.

AI coding assistants process sensitive data by design. They read your code, your documentation, your configuration files. Any compromise of the AI tool or its surrounding ecosystem gives attackers access to everything the AI sees.

The 676 downloads might seem small, but npm's ecosystem amplifies reach through transitive dependencies. Even if you didn't install this package directly, it could have been pulled in by another dependency. This is why monitoring your software supply chain has become essential for any organization shipping software.
