BBLabs News

One story a day. Zero noise.

Technical cybersecurity newsletter. One story a day on critical CVEs, breaches, bug bounty and AI. Filtered by AI, written for humans.

Product

  • Archive
  • Editions
  • Topics
  • Glossary
  • RSS
  • Atom
  • JSON Feed

Editorial

  • About
  • Subscribe
  • Account
  • English

Legal

  • Privacy
  • Terms
  • Contact: team@bblabs.es

Connect

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
30 articles · 9 editions · Since 2026 · Made in Spain
© 2026 BBLabs News · By Gorka El Bochi

Malicious npm targets Claude AI user directory

npm package `mouse5212-super-formatter` exfiltrates files from Claude AI's user data directory to GitHub.

by Gorka El Bochi Morillo · 2 min read · June 4, 2026

What happened

OX Security flagged `mouse5212-super-formatter` on the npm registry: a malicious package built to exfiltrate the contents of `/mnt/user-data`, the directory Anthropic Claude uses internally to handle files users upload and the outputs it generates in the background.

The exfiltration channel is GitHub. Instead of calling back to a dedicated C2 (command-and-control server — the attacker's infrastructure that receives stolen data), the malware pushes files to a GitHub repository. That keeps detection low because outbound traffic to `github.com` rarely triggers network alerts.

The delivery mechanism is a *supply chain attack* (poisoning a dependency so every downstream user gets compromised): a developer installs the package unknowingly, and if Claude desktop or Claude Code is running in the same environment, `/mnt/user-data` gets silently drained.

Why it matters

`/mnt/user-data` is not a generic temp folder. It belongs to the Anthropic Claude runtime and can hold:

  • Files the user explicitly uploaded to Claude (PDFs, source code, internal docs).
  • Artifacts produced by Claude Code tool executions.
  • Session context, depending on configuration.

The victim profile is specific: developers running Claude Code or Claude desktop who also install unvetted npm packages in the same environment. The package doesn't need to be a production `dependency`; a global install, a tooling script, or a `devDependency` in a monorepo is enough.

Using GitHub as an exfil channel is a documented tactic in recent campaigns. It bypasses network controls that would block unknown domains. The most reliable IOC (technical indicator that reveals the attack) is the destination repository — but if it's been deleted, the detection window closes fast.

What to do

  • Run `npm ls mouse5212-super-formatter` across all projects and your global environment (`npm ls -g`). If it shows up, uninstall and rotate credentials immediately.
  • Audit `~/.npm/_logs/` and your package manager history to determine when the package was installed.
  • Review what files passed through `/mnt/user-data` recently; if any contain sensitive data, treat them as compromised.
  • Add a SIEM (security information and event management — platform that centralizes and correlates security logs) rule to alert on outbound connections to `api.github.com` from unexpected processes.
  • Configure your dependency auditing tool (Dependabot, Socket.dev, Snyk) to flag packages with low download counts or published by new accounts.
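The first and fourth checklist items above can be automated. The script below is an added example written for this article, not code from BBLabs or OX Security: it walks a workspace looking for any `package.json` or `package-lock.json` that declares or pins `mouse5212-super-formatter` (including as a `devDependency`, which `npm ls` in a single project can miss), and then applies the SIEM-style rule from the list to constructed process-network log lines, alerting on `api.github.com` connections from processes outside an allowlist. The version string, the sample log format, the allowlist and the `build_demo_workspace` helper are all assumptions made for the demo.

```python
"""Hunt for a named npm package across a workspace and flag unexpected
GitHub API egress in constructed connection logs (added example)."""
import json
import os
import tempfile

# Package name from the OX Security report cited in the article.
SUSPECT_PACKAGE = "mouse5212-super-formatter"

# Manifest fields to inspect; a devDependency or tooling install is enough.
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")


def package_json_hits(manifest: dict) -> list[str]:
    """Return the dependency fields of a package.json that name the suspect package."""
    return [f for f in DEP_FIELDS if SUSPECT_PACKAGE in manifest.get(f, {})]


def lockfile_hits(lock: dict) -> bool:
    """True if a package-lock.json (v1 or v2/v3 layout) pins the suspect package anywhere."""
    if SUSPECT_PACKAGE in lock.get("dependencies", {}):          # lockfile v1: keyed by name
        return True
    for path in lock.get("packages", {}):                        # lockfile v2/v3: keyed by path
        if path.split("node_modules/")[-1] == SUSPECT_PACKAGE:   # also catches nested installs
            return True
    return False


def scan_workspace(root: str) -> list[tuple[str, str]]:
    """Walk a workspace; return (file, reason) for every manifest/lockfile referencing the package."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]  # lockfiles already cover the tree
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == "package.json":
                with open(full) as fh:
                    fields = package_json_hits(json.load(fh))
                for f in fields:
                    findings.append((full, f"declared in {f}"))
            elif name == "package-lock.json":
                with open(full) as fh:
                    if lockfile_hits(json.load(fh)):
                        findings.append((full, "pinned in lockfile"))
    return findings


# Constructed process-network log lines (not real telemetry): "pid,process,dest_host,dest_port".
SAMPLE_NET_LOG = """\
4021,git,api.github.com,443
4877,node,api.github.com,443
5102,code,api.github.com,443
5333,node,registry.npmjs.org,443
"""

# Processes for which GitHub API egress is expected on a dev box (assumption; tune per fleet).
GITHUB_ALLOWLIST = {"git", "gh", "code"}


def suspicious_github_egress(log_text: str) -> list[dict]:
    """Return connections to api.github.com made by processes outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        pid, proc, host, port = line.split(",")
        if host == "api.github.com" and proc not in GITHUB_ALLOWLIST:
            alerts.append({"pid": int(pid), "process": proc, "port": int(port)})
    return alerts


def build_demo_workspace() -> str:
    """Create a throwaway workspace: one clean project, one pulling the package as a devDependency (constructed)."""
    root = tempfile.mkdtemp(prefix="npm-hunt-")
    clean, tainted = os.path.join(root, "clean-app"), os.path.join(root, "tooling")
    os.makedirs(clean)
    os.makedirs(tainted)
    with open(os.path.join(clean, "package.json"), "w") as fh:
        json.dump({"name": "clean-app", "dependencies": {"express": "^4.19.0"}}, fh)
    with open(os.path.join(tainted, "package.json"), "w") as fh:
        json.dump({"name": "tooling", "devDependencies": {SUSPECT_PACKAGE: "^1.0.0"}}, fh)  # version assumed
    with open(os.path.join(tainted, "package-lock.json"), "w") as fh:
        json.dump({"lockfileVersion": 3, "packages": {
            "": {"name": "tooling"},
            "node_modules/" + SUSPECT_PACKAGE: {"version": "1.0.0"}}}, fh)
    return root


if __name__ == "__main__":
    for path, reason in scan_workspace(build_demo_workspace()):
        print(f"FOUND {SUSPECT_PACKAGE}: {reason} in {path}")
    for alert in suspicious_github_egress(SAMPLE_NET_LOG):
        print(f"ALERT pid={alert['pid']} process={alert['process']} -> api.github.com:{alert['port']}")
```

Point `scan_workspace` at your real checkout root (and at the prefix `npm root -g` prints for the global tree) to cover the cases the article lists; the egress rule is deliberately a plain allowlist so it can be transcribed into whatever query language your SIEM uses, with the `node` process being the one that should stand out on a workstation where GitHub traffic normally comes from `git` or an IDE.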

The pattern is familiar — invented package name, plausible facade functionality, hidden payload. What's new is the targeting logic: the attacker specifically mapped `/mnt/user-data` as a high-value directory. That signals active reconnaissance of which files AI coding tools produce inside developer environments.

What to do

  • Audit global npm dependencies with `npm ls -g` to catch unknown packages.
  • Review `/mnt/user-data` contents and treat any sensitive files there as compromised.
  • Block unexpected outbound traffic to `api.github.com` from dev processes in your SIEM.
