Find notable cyber news and cases, enriched with sources, timelines, and signals.

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First reported
Last updated
Happening score
H score 22
2 unique sources, 2 articles

Summary

Hide ▲

The mouse5212-super-formatter npm package is a malicious infostealer that can siphon files from /mnt/user-data, putting Anthropic Claude user data at risk of unauthorized exfiltration. It runs in the postinstall stage, uses a GitHub token or fallback credential, and uploads local files to a threat actor-controlled GitHub account. The package also disguises theft with fake diagnostics and was still downloadable from npm at the time of discovery.

Related Happenings

Asteroiddao hit by network compromise

Incident
H score13 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...

Claude Code GitHub Action bot trigger bypass security flaw

Vulnerability
H score31 First: 04.06.2026 18:15 Last: 04.06.2026 18:15 Sources 1

About this happening: **Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...

AUDIOFIX and MiniRAT macOS malware activity

Malware Activity
H score34 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...

JINX-0164 cryptocurrency recruitment-lure campaign

Campaign
H score39 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...

Malware-Slop malicious npm file-theft campaign

Campaign
H score39 First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

How related: The activity has been codenamed Malware-Slop.

About this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...

Timeline

  1. 29.05.2026 11:10 1 articles · 1mo ago

    mouse5212-super-formatter leaks GitHub token and exposes theft sessions

    Technical Analysis Update

    mouse5212-super-formatter leaked a hardcoded GitHub token, exposing the operator's credential and allowing about seven theft sessions to be observed in the attacker's GitHub repository; the malicious npm package recursively copied files from a victim machine, uploaded them through the GitHub Contents API, and was later removed from npm.

    Show sources
  2. 27.05.2026 18:44 1 articles · 1mo ago

    GitHub account created ahead of the malicious npm upload

    Untyped Phase

    A GitHub account linked to the Malware-Slop activity was created a few hours before the first malicious version of mouse5212-super-formatter was uploaded to npm, giving the operator infrastructure for the file-theft campaign.

    Show sources
  3. 27.05.2026 18:44 2 articles · 1mo ago

    Researchers uncover mouse5212-super-formatter stealing files from Claude AI uploads

    Initial Disclosure

    OX Security identified the malicious npm package mouse5212-super-formatter, which runs in the postinstall stage, authenticates to GitHub with a victim environment token or a hard-coded fallback, checks or creates a repository, and recursively uploads files from /mnt/user-data used by Anthropic's Claude AI tool.

    Show sources