Malicious npm Package Found Exfiltrating Claude AI User Files
What Happened
Security researchers at OX Security have identified a malicious package on the npm registry named mouse5212-super-formatter that silently exfiltrates files from /mnt/user-data — the dedicated data directory used by Claude AI's desktop and local environments. The package disguises itself as a formatting utility, the kind of dependency that can slip into a project without scrutiny. Once installed, it uploads directory contents to an attacker-controlled endpoint via GitHub infrastructure, making it harder to flag with standard egress monitoring.
Why It Matters
This attack has two compounding risk factors that make it worth treating as urgent.
First, the target directory. /mnt/user-data is where Claude AI stores conversation context, cached files, and documents users have fed into sessions. If you use Claude for code review, internal documentation drafts, or anything containing credentials or proprietary logic, that material is the exfiltration target — not generic system files.
Second, the vector. Typosquatting and fake utility packages are the dominant delivery mechanism for npm-based supply chain attacks right now. A super-formatter package is plausible enough to land in a devDependencies block without triggering alarm. It can also arrive transitively — as a dependency of a dependency — meaning you may be exposed without having installed it directly.
This is not theoretical. The package was discovered active on the registry, not in a research sandbox.
What To Do
Immediate actions:
- Audit now. Run
npm ls mouse5212-super-formatterin every project and CI environment. Also check your global installs:npm ls -g mouse5212-super-formatter.
- Remove it if found.
npm uninstall mouse5212-super-formatterand remove any reference frompackage.jsonandpackage-lock.json, then runnpm installclean.
- Treat a positive hit as a breach. If the package was installed on any machine that had
/mnt/user-datapopulated, assume that data left the host. Rotate any credentials, API keys, or tokens that were present in Claude AI sessions or files in that path.
- Check your lock files. Review
package-lock.jsonandyarn.lockacross repos for the package hash. Lock file entries persist even after removal and are useful for forensics.
- Harden your pipeline. Add
npm auditand a tool like Socket.dev or Snyk to your CI chain. These tools flag packages with unusual network or filesystem behavior before they land in a build.
If you run Claude in a shared team environment or use it on a machine where local files contain anything sensitive — internal configs, auth tokens, database credentials — treat this as a priority triage item today, not a scheduled security review.
Synthesized by Claude · sanity-checked before publish.