OX Security researchers discovered a malicious npm package called "mouse5212-super-formatter" that targets Claude AI users by stealing files from Anthropic's system directories.
The package exploits npm's open ecosystem to access "/mnt/user-data," a directory Claude uses to store uploaded files and AI-generated outputs. Once installed as a dependency, the malicious code silently exfiltrates user files to an attacker-controlled location, giving threat actors direct access to sensitive documents, conversations, and data processed through Claude.
The attack demonstrates a supply chain vulnerability in Node.js development workflows. Developers who unknowingly installed "mouse5212-super-formatter" as a project dependency inadvertently granted the package permission to read and upload files from Claude's working directory. This method bypasses typical security controls because the malicious behavior occurs silently during package installation.
The threat extends beyond individual developers. Organizations using Claude for internal workflows, document analysis, or data processing face exposure if their development teams incorporate compromised dependencies. The stolen files could contain proprietary research, confidential communications, source code, or other business-critical information depending on what users uploaded to Claude.
OX Security has not disclosed the exact timeline of the package's availability on npm or confirmed how many installations occurred before removal. npm maintainers have since taken the package offline, but determining infection scope remains difficult.
This incident underscores persistent npm registry risks despite past cleanup efforts targeting typosquatting and malicious packages. Developers should implement dependency scanning using tools like Snyk or npm audit to catch suspicious packages before deployment. Organizations should also review Claude upload histories and consider disabling uploads to Claude for sensitive workstreams until supply chain controls tighten.
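One way to check a project for the package named above, as an added example that is not code from OX Security or npm: it reads a parsed package-lock.json, flags "mouse5212-super-formatter" at any nesting depth or behind an alias, and lists dependencies that run install scripts. The sample lockfile, its package names and its versions are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
const BLOCKED = new Set(["mouse5212-super-formatter"]); // package name from the article

// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; keep the last name.
function packageName(lockKey) {
  const marker = "node_modules/";
  const idx = lockKey.lastIndexOf(marker);
  return idx === -1 ? lockKey : lockKey.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    // An aliased install shows its real package name in `name` or in the tarball URL.
    const name = meta.name || packageName(path);
    const viaUrl = [...BLOCKED].some((b) => (meta.resolved || "").includes(`/${b}/-/`));
    if (BLOCKED.has(name) || viaUrl) {
      findings.push({ severity: "critical", name, path, reason: "package named in the report" });
    } else if (meta.hasInstallScript) {
      // Lifecycle scripts run code at install time, before any import happens.
      findings.push({ severity: "review", name, path, reason: "runs an install script" });
    }
  }
  return findings;
}

// Constructed sample lockfile (hypothetical names and versions), not a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-lib": { version: "1.3.0" },
    "node_modules/example-native-addon": { version: "2.0.0", hasInstallScript: true },
    "node_modules/fmt": { name: "mouse5212-super-formatter", version: "0.0.0" },
    "node_modules/example-lib/node_modules/mouse5212-super-formatter": { version: "0.0.0" },
  },
};

// Stand-alone run: audit the .json path given as the first argument, else the sample.
const lockPath = process.argv[2];
const useFile = typeof lockPath === "string" && lockPath.endsWith(".json");
const input = useFile ? JSON.parse(require("fs").readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
console.log(JSON.stringify(auditLockfile(input), null, 2));
```

Saved under a hypothetical name such as audit-lock.js, it can be run as `node audit-lock.js package-lock.json` from the project root.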
The attack method resembles previous supply chain campaigns, including the XZ Utils backdoor, but targets a specific AI platform rather than system utilities.
