Claude AI user data directory exfiltration via malicious npm package
Summary
On May 27, 2026, OX Security researchers identified a malicious npm package, mouse5212-super-formatter, designed to exfiltrate files from /mnt/user-data, the directory Anthropic's Claude AI uses to handle user uploads and outputs. The package had an estimated 676 downloads before detection. The attacker embedded their own GitHub private token in the package source; OX Security used it to attribute the account, which was subsequently deleted. As of the OX Security report, the package remained available on npm.
What happened
- mouse5212-super-formatter was published to npm on May 27, 2026, presenting itself as an "archive deployment sync" utility.
- Its postinstall script authenticated to GitHub using either an environment variable token or a hard-coded fallback credential, then walked the /mnt/user-data directory and uploaded every file to a threat actor-controlled repository via the GitHub Contents API; files were base64-encoded before transmission.
- /mnt/user-data is the dedicated directory Anthropic's Claude AI uses to store user-provided uploads and AI-generated outputs in the background.
- OX Security researchers observed approximately seven active exfiltrations in the attacker's repository before the associated GitHub account, unplowed3584, was taken down. That account was created hours before the malicious package appeared.
- The package source contained the attacker's own GitHub private token, which OX Security used to identify and attribute the account.
Timeline
- 2026-05-27 — GitHub account unplowed3584 created; mouse5212-super-formatter published to npm.
- 2026-05-27 — OX Security researchers Moshe Siman Tov Bustan and Nir Zadok identify the package and publish their findings.
- 2026-05-27 — Attacker's GitHub account taken down; package reported as still available on npm.
What remains unclear
- Whether npm removed the package after the OX Security disclosure.
- How many of the 676 estimated downloads resulted in successful file exfiltration.
- Whether Anthropic has reviewed the incident or issued guidance to developers using Claude-integrated environments.
Broader context
AI assistants typically maintain dedicated filesystem paths for user-provided documents and generated outputs. A malicious package that knows those paths can extract files at the filesystem layer without interacting with the AI service directly. OX Security observed that the reduced barrier to generating functional malicious code with AI assistance is likely to produce more such incidents, including those authored by threat actors with limited operational security knowledge.
