Cybersecurity researchers have discovered a new malicious package on the npm registry that comes with information stealing capabilities.
According to OX Security, the package, named “mouse5212-super-formatter,” is designed to upload files from “/mnt/user-data,” a dedicated directory used by Anthropic’s Claude artificial intelligence (AI) tool to handle uploads and outputs in the background. The activity has been codenamed Malware-Slop.
“By analyzing the malware, it turns out that the script presents itself as an internal ‘archive deployment sync’ utility that validates or initializes a GitHub repository, captures a lightweight ‘network status’ snapshot, and then performs a structured synchronization of local workspace files into a remote tracking tree,” researchers Moshe Siman Tov Bustan and Nir Zadok said.
In reality, however, it authenticates to GitHub during the postinstall stage, either using a GitHub access token found in the victim’s environment or a hard-coded token as a fallback, checks whether a target repository exists, and if not, creates it, and then recursively uploads every file to a threat actor-controlled GitHub account.
The stolen files are stored within randomly named folders to help the operator distinguish between different theft sessions. The malware also writes a fake “network connections” log to give the impression that it’s sending diagnostic information, while obscuring its true operational behavior of unauthorized collection and remote transfer of local data.
The package is still available for download from npm and is estimated to have been downloaded 676 times. However, how many of these correspond to actual installs remains unclear. The GitHub account linked to the campaign is no longer available, although OX noted that it was created on May 26, 2026, a few hours before the first malicious version was uploaded to npm.
What’s notable about the package is that it leaked details of the GitHub account, including its private token, raising the possibility that the threat actor is using AI to generate malware while not implementing basic operational security (OPSEC) best practices.
“Now that the bar to create malicious code was reduced significantly, we’re going to see more threat actors getting into the game – uploading more sloppy malwares, mostly mimicking APT groups to get a slice of the cake until npm starts automatically blocking malware completely,” OX Security said.
