Malware-Slop Claude user-data npm infostealer

Summary

OX Security reported Malware-Slop, a malicious npm package named mouse5212-super-formatter that acted as an infostealer during package installation. The package reached roughly 676 downloads and targeted files under /mnt/user-data, a directory associated with Claude AI upload/output handling in some environments.

The package authenticated to GitHub with either a victim environment token or a hardcoded fallback token, created or reused an actor-controlled repository, recursively uploaded local files through the GitHub Contents API, and stored stolen data in randomly named per-run folders. OX observed about seven active exfiltration sessions before the actor GitHub account was removed; The Hacker News summarized the same reporting and highlighted the Claude user-data targeting angle.

Why this matters

  • The package shows how commodity npm malware is adapting to AI-assisted developer workflows by targeting AI tool workspaces and uploaded/output files, not just traditional package-registry or cloud tokens.
  • The theft path abused normal GitHub repository and Contents API behavior, so exfiltration can resemble legitimate developer automation unless defenders correlate install-time execution, new repository activity, and unusual file-tree uploads.
  • The hardcoded fallback GitHub token and actor-account leakage are useful defender pivots, but they also illustrate how low-skill or AI-assisted operators can still create real exposure despite poor OPSEC.
  • Any sensitive files staged in /mnt/user-data should be treated as compromised if the package was installed, because the malware recursively walked and uploaded the local directory.

Package and execution chain

Reported package details:

  • Package: mouse5212-super-formatter
  • Affected versions: all published malicious versions at time of OX reporting
  • Registry: npm
  • Reported downloads: approximately 676
  • Primary collection path: /mnt/user-data
  • Exfiltration destination: actor-controlled GitHub repositories under the now-removed unplowed3584 account

The install-time behavior presented itself as an internal archive or deployment synchronization utility. In practice, it:

  1. ran during the npm postinstall stage;
  2. looked for a GitHub token in the victim environment;
  3. fell back to a hardcoded token embedded in the package;
  4. checked for, or created, a target GitHub repository;
  5. captured a lightweight fake network-status log to appear diagnostic;
  6. recursively enumerated local files under /mnt/user-data;
  7. base64-encoded and uploaded file contents through the GitHub Contents API;
  8. separated sessions with random folder names in the remote repository.

Defender heuristics

  • Search package-lock files, npm audit logs, proxy logs, and endpoint telemetry for mouse5212-super-formatter installs or downloads.
  • Hunt for npm lifecycle execution that contacts api.github.com immediately after install, especially from developer workstations, AI coding sandboxes, CI runners, or ephemeral AI-agent environments.
  • Review GitHub audit logs for unexpected repository creation, Contents API writes, unusual commit authors, or bursty uploads of many local workspace files after npm install activity.
  • Treat /mnt/user-data contents as potentially exposed on systems where the package was installed; rotate any GitHub, cloud, package-registry, API, SSH, or application secrets that may have been staged there.
  • Revoke GitHub tokens found in affected environments, including fine-grained and classic PATs, and inspect token use around the package installation window.
  • Add controls for AI-tool workspace directories: avoid staging long-lived secrets in upload/output folders, scan generated dependency suggestions before installation, and isolate AI-agent package installs from human developer credentials.
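One way to run the first heuristic against a parsed package-lock.json, including transitive installs. This is an added example, not code from OX Security or from the package; the sample lockfile, the `example-wrapper` parent and the version string are constructed, and `findInLockfile` is a hypothetical helper name.

```javascript
// Added example. Package name comes from the advisory; the lockfile is constructed.
const TARGET = "mouse5212-super-formatter";

// Find every occurrence of `name` in a parsed package-lock.json.
// Covers lockfileVersion 2/3 ("packages" map keyed by install path) and
// lockfileVersion 1 (nested "dependencies" tree), including transitive installs.
function findInLockfile(lock, name = TARGET) {
  const hits = [];
  const suffix = "node_modules/" + name;
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Compare the final path segment so look-alike names are not reported.
    if (path === suffix || path.endsWith("/" + suffix)) {
      hits.push({ path, version: meta.version ?? null,
                  hasInstallScript: meta.hasInstallScript === true });
    }
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + dep;
      // v2 lockfiles mirror "packages" in "dependencies"; skip duplicates.
      if (dep === name && !hits.some((h) => h.path === path)) {
        hits.push({ path, version: meta.version ?? null, hasInstallScript: null });
      }
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed lockfile: "example-wrapper" is a hypothetical parent package.
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-wrapper": { version: "1.0.0" },
    "node_modules/example-wrapper/node_modules/mouse5212-super-formatter":
      { version: "0.0.0-constructed", hasInstallScript: true },
    "node_modules/not-mouse5212-super-formatter": { version: "1.0.0" },
  },
  dependencies: {
    "example-wrapper": { version: "1.0.0", dependencies: {
      "mouse5212-super-formatter": { version: "0.0.0-constructed" } } },
  },
};

console.log(findInLockfile(SAMPLE_LOCK));
```

For a real project, pass the result of `JSON.parse` on the lockfile contents. A hit with `hasInstallScript: true` means npm would have run the package's lifecycle scripts at install time unless scripts were disabled with `--ignore-scripts`.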

Sources

  • OX Security: https://www.ox.security/blog/malware-slop-new-malicious-npm-package-leaks-its-own-github-private-token/
  • The Hacker News: https://thehackernews.com/2026/05/malicious-npm-package-stole-files-from.html
  • npm package page: https://www.npmjs.com/package/mouse5212-super-formatter