Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Malicious npm Package Stole Files From Claude AI User Directory via GitHub

The Hacker News by The Hacker News
May 27, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananMay 27, 2026Threat Intelligence / Supply Chain Attack

Cybersecurity researchers have discovered a new malicious package on the npm registry that comes with information stealing capabilities.

According to OX Security, the package, named “mouse5212-super-formatter,” is designed to upload files from “/mnt/user-data,” a dedicated directory used by Anthropic’s Claude artificial intelligence (AI) tool to handle uploads and outputs in the background. The activity has been codenamed Malware-Slop.

“By analyzing the malware, it turns out that the script presents itself as an internal ‘archive deployment sync’ utility that validates or initializes a GitHub repository, captures a lightweight ‘network status’ snapshot, and then performs a structured synchronization of local workspace files into a remote tracking tree,” researchers Moshe Siman Tov Bustan and Nir Zadok said.

In reality, however, it authenticates to GitHub during the postinstall stage, either using a GitHub access token found in the victim’s environment or a hard-coded token as a fallback, checks whether a target repository exists, and if not, creates it, and then recursively uploads every file to a threat actor-controlled GitHub account.

The stolen files are stored within randomly named folders to help the operator distinguish between different theft sessions. The malware also writes a fake “network connections” log to give the impression that it’s sending diagnostic information, while obscuring its true operational behavior of unauthorized collection and remote transfer of local data.

The package is still available for download from npm and is estimated to have been downloaded 676 times. However, how many of these correspond to actual installs remains unclear. The GitHub account linked to the campaign is no longer available, although OX noted that it was created on May 26, 2026, a few hours before the first malicious version was uploaded to npm.

What’s notable about the package is that it leaked details of the GitHub account, including its private token, raising the possibility that the threat actor is using AI to generate malware while not implementing basic operational security (OPSEC) best practices.

“Now that the bar to create malicious code was reduced significantly, we’re going to see more threat actors getting into the game – uploading more sloppy malwares, mostly mimicking APT groups to get a slice of the cake until npm starts automatically blocking malware completely,” OX Security said.



Source link

The Hacker News

The Hacker News

Next Post
GIGABYTE Announces AORUS MASTER 16 Now Available, Built for AI-Powered Performance and Immersive Play

GIGABYTE Announces AORUS MASTER 16 Now Available, Built for AI-Powered Performance and Immersive Play

Recommended.

Sivers Semiconductors AB (publ), Publishes Interim Report Q3, July – September 2025

Sivers Semiconductors AB (publ), Publishes Interim Report Q3, July – September 2025

October 24, 2025
Rapid7 Boosts Profitability, Simplification In Refreshed Partner Program

Rapid7 Boosts Profitability, Simplification In Refreshed Partner Program

March 17, 2026

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio