
May 29, 2026 · 6 min read

An AI Generated npm Package Called mouse5212-super-formatter Walked Out With Every File in Claude's /mnt/user-data Directory From 676 Developers Before OX Security Caught It on May 27—And Because the Attacker Hardcoded Their Own GitHub Private Token Into the Malware, Researchers Could Read the Stolen Files Right Back

The npm registry's first AI generated stealer that targets Anthropic's Claude Code sandbox shipped on May 27 and got pulled 676 downloads later. The attacker forgot to remove their GitHub private token. The defenders followed it home.

Researchers Moshe Siman Tov Bustan and Nir Zadok at OX Security disclosed the malicious npm package mouse5212-super-formatter on May 27, 2026, after watching it sit on the npm registry for long enough to reach 676 downloads. The package targets a very specific directory: /mnt/user-data, the path that Anthropic's Claude Code sandbox uses to stage file uploads, downloads, and any data a developer's Claude session has written to disk. The stealer walks the directory recursively, base64 encodes every file it finds, and uploads each one through the GitHub Contents API to a repository under the attacker's own account. The attacker's account was created earlier in May, hours before the malicious version went live. And then, in the kind of mistake that only happens when nobody is reading the code—including the AI that wrote it—the attacker shipped their own GitHub private token in the published source.

Key Takeaways

  • OX Security disclosed the malicious npm package mouse5212-super-formatter on May 27, 2026, after it reached 676 downloads on the npm registry.
  • The stealer specifically targets /mnt/user-data—the directory Anthropic's Claude Code sandbox uses for file uploads, downloads, and code/data output.
  • The package recursively walks the directory and uploads every file, base64 encoded, through the GitHub Contents API into a per-run randomized folder under the attacker's GitHub account.
  • OX Security researchers Moshe Siman Tov Bustan and Nir Zadok traced the stolen files because the attacker hardcoded their own GitHub private token in the package source.
  • The attacker's GitHub account was created just hours before the malicious version was published, and the code itself shows hallmarks of AI generation—bland comments, phony "network connection" log messages, and unused helper functions—suggesting the entire package was scaffolded by an LLM.

What Is /mnt/user-data and Why Does It Matter?

When a developer runs Anthropic's Claude Code, the agent operates in a sandboxed filesystem. /mnt/user-data is the directory where Claude's tools stage anything the user has uploaded into the session—source files being refactored, screenshots, API responses pasted from another tool, the contents of any project the user is letting Claude analyze. It is, in practice, an ad hoc concentration of whatever sensitive context a developer is currently working with.

For a credential stealer, that concentration is more valuable than a generic developer machine scan. A working Claude Code session might include AWS access keys pasted in to debug a deployment, GitHub fine grained personal access tokens being audited, the source of an internal tool with hardcoded secrets, customer data uploaded for an export script, or a draft of a security report that has not been redacted yet. The stealer does not have to know what is in the directory. It just has to take everything.

How Did the Malware Authenticate and Exfiltrate?

The package authenticates to GitHub using an environment token if one is present, falling back to a hardcoded token embedded in the source code. Once authenticated, it checks whether a target repository exists under the attacker's account, creates one if it does not, and then walks the target directory recursively. Every file is read, base64 encoded, and uploaded through the GitHub Contents API as a new file in a per-run randomized folder. The randomized folder structure lets the same victim machine produce multiple stealing sessions without overwriting earlier data, which is useful when the operator wants to track changes to a developer's working directory over time.

The choice of GitHub as the exfiltration channel is deliberate. Outbound HTTPS to api.github.com is the most common network traffic on a developer machine. No corporate proxy, no endpoint DLP, and no SIEM is going to alert on yet another connection to GitHub's API endpoint—the same endpoint the developer's IDE, CI runner, and dependency manager all use constantly. The exfiltration hides inside the noise of legitimate developer tooling.


Why Did the Attacker Ship Their Own GitHub Token?

The most embarrassing detail in OX Security's report is also the most telling. The package contains the attacker's own GitHub private access token as a hardcoded fallback for the case where the environment variable is missing. Anyone with access to the published package source—including npm itself, security researchers, and the dependency scanners every modern company runs—could read the token, authenticate to GitHub as the attacker, and access whatever the malware had uploaded since the package went live.

OX Security used exactly that path. The researchers followed the token to the attacker's GitHub account, traced the repositories receiving stolen files, and analyzed the corpus of victim data the attacker had already collected. This is the kind of operational mistake that does not happen when a malware author is reading their own code line by line. It happens when an LLM generates a "complete working example" that includes a placeholder token the developer was supposed to replace—and the attacker copy-pasted the entire output into a published package without checking.

Bustan and Zadok noted the supporting evidence elsewhere in the code: bland, generic comments; helper functions that do nothing; phony "network connection log" messages designed to make the package look diagnostic; structural patterns that are recognizable as LLM scaffolding. "The bar to create malicious code was reduced significantly," OX Security wrote. "We're going to see more threat actors uploading more sloppy malwares until npm starts automatically blocking malware completely."

What Should Developers Do Right Now?

If you installed mouse5212-super-formatter at any point, assume everything in /mnt/user-data at the time was exfiltrated:

  • Revoke every GitHub access token that has been used on the affected machine, including personal access tokens, fine grained tokens, and OAuth app tokens.
  • Rotate any credentials that touched the Claude Code session: cloud provider keys, internal admin tokens, database passwords, API secrets.
  • Review GitHub audit logs for new repositories created from your account in the last two weeks, and revoke any unrecognized SSH keys or deploy keys.
  • Uninstall the package from any project that referenced it, and audit the dependency tree for siblings published by the same attacker account.
  • Consider this part of the wider pattern. See our coverage of the Nx Console 18.95.0 VS Code credential stealer (live for 11 minutes, 2.2 million installs) and the ClawHavoc AI assistant infostealer supply chain attack.

The Bigger Pattern

mouse5212-super-formatter is the first npm package documented to specifically target Anthropic's Claude Code sandbox, but it is not the first AI generated stealer and will not be the last. The economics of supply chain attacks have always favored attackers who can publish faster than maintainers can review. LLMs have collapsed the cost of generating plausible looking malicious code to near zero, and registries like npm, PyPI, and the Hugging Face Hub are still optimized for ease of publication rather than provenance. Every developer machine running an AI coding assistant is now a potential concentration point for sensitive context that was never meant to leave the laptop.

The defensive response is the same as it has been for two decades: pin dependencies, audit before installing, monitor outbound traffic from developer machines, and treat tokens as the perimeter. What changes is the speed. Until npm starts automatically blocking malware at publish time, the gap between "package goes live" and "package gets pulled" is the attacker's window. mouse5212-super-formatter's window was 676 developers long. The next one will be longer.
