"By analyzing the malware, it turns out that the script presents itself as an internal 'archive deployment sync' utility that validates or initializes a GitHub repository, captures a lightweight 'network status' snapshot, and then performs a structured synchronization of local workspace files into a remote tracking tree," researchers Moshe Siman Tov Bustan and Nir Zadok said.
How the package disguised itself and what it actually did
The npm package, published under the name mouse5212-super-formatter and tracked by OX Security as Malware-Slop, posed as an internal "archive deployment sync" tool. In its apparent workflow it performed a brief network snapshot and then synchronized local files to a remote tree. In reality, the package executed a postinstall routine that authenticated to GitHub—either using a GitHub access token found in the victim's environment or a hard-coded token as a fallback—verified whether a target repository existed, created one if it did not, and then recursively uploaded every file it could reach into a threat actor-controlled GitHub account.
Files taken from Anthropic's Claude user directory, /mnt/user-data
OX Security's analysis shows the malware explicitly targeted files under /mnt/user-data, the directory the source describes as dedicated to Anthropic's Claude artificial intelligence tool for handling uploads and outputs in the background. The code copied and transferred those local workspace contents to the remote repository it controlled, storing stolen files inside randomly named folders so the operator could distinguish different theft sessions.
Fake diagnostics, stolen tokens, and a short-lived GitHub account
To obscure its activity, the malware wrote a fake "network connections" log, giving the impression it was only sending diagnostic information while diverting the real data exfiltration to GitHub. The campaign left operational fingerprints: OX Security observed that the GitHub account tied to the uploads was created on May 26, 2026, only a few hours before the first malicious version was uploaded to npm. That account is no longer available, but the package itself remains accessible on npm and is estimated to have been downloaded 676 times; OX noted it is unclear how many of those downloads correspond to actual installs.
Crucially, the package leaked details of the GitHub account, including its private token. OX highlighted that disclosure, saying it "rais[es] the possibility that the threat actor is using AI to generate malware while not implementing basic operational security (OPSEC) best practices." The researchers warned that lowered barriers to creating malicious code will likely lead to more, often sloppy, packages appearing on public registries.
What this means for technologists and security teams, procurement and open-source consumers, and end users of Claude
- Technologists and security teams: The malware's use of environment or hard-coded GitHub tokens to authenticate during postinstall emphasizes the need to audit build and install environments for exposed credentials and to monitor registry artifacts that perform network or repository operations at install time.
- Procurement and open-source consumers: Organizations that accept third-party npm packages should account for packages that present benign purposes while embedding postinstall code with elevated capabilities; dependency review and provenance checks remain relevant, given that this package was publicly available and downloaded hundreds of times.
- End users of Claude: Files placed under /mnt/user-data—the directory used by Anthropic's Claude for uploads and outputs, per OX Security—were the explicit target of exfiltration in this campaign, meaning uploaded content could have been collected if the malicious package ran in environments with access to that directory.
Operational lessons from Malware-Slop and the threat outlook
Malware-Slop combined simple obfuscation—a fake network log and folder-naming to organize stolen sessions—with a straightforward, high-impact mechanism: authenticate to GitHub and copy local files into a repository controlled by the attacker. OX Security characterized the campaign as an example of "sloppy malwares, mostly mimicking APT groups" that exploit easier methods of creation and distribution. The apparent contradiction—an operator sophisticated enough to automate uploads to GitHub but careless enough to leak a private token in the package—underscores a recurring pattern: automation and AI-assisted code generation can accelerate both the volume and the variety of malicious artifacts while not guaranteeing sound operational security.
The immediate facts are crisp: the mouse5212-super-formatter package uploaded files from a directory used by Anthropic's Claude, authenticated to GitHub using exposed tokens, stored stolen material in randomly named folders, and left traces that allowed researchers to timestamp the GitHub account's creation (May 26, 2026). The package remains on npm with an estimated 676 downloads; how many systems actually exposed the /mnt/user-data directory and installed the package is not stated in the available analysis.
OX Security's closing observation frames the near-term concern plainly: as it becomes easier to generate code aimed at stealing data, sloppy operational security by threat actors will likely result in more detectable but still damaging campaigns—until public repositories adopt more automated defenses against malware.




