Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
Happening score
H score 22
1 unique source, 1 article

Summary

The mouse5212-super-formatter npm package is a malicious infostealer that can siphon files from /mnt/user-data, putting Anthropic Claude user data at risk of unauthorized exfiltration. It runs in the postinstall stage, uses a GitHub token or fallback credential, and uploads local files to a threat actor-controlled GitHub account. The package also disguises theft with fake diagnostics and was still downloadable from npm at the time of discovery.

Related Happenings

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

How related: The activity has been codenamed Malware-Slop.

About this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

Timeline

  1. 27.05.2026 18:44 1 article · 7h ago

    GitHub account created ahead of the malicious npm upload

    Untyped Phase

    A GitHub account linked to the Malware-Slop activity was created a few hours before the first malicious version of mouse5212-super-formatter was uploaded to npm, giving the operator infrastructure for the file-theft campaign.

  2. 27.05.2026 18:44 2 articles · 7h ago

    Researchers uncover mouse5212-super-formatter stealing files from Claude AI uploads

    Initial Disclosure

    OX Security identified the malicious npm package mouse5212-super-formatter, which runs in the postinstall stage, authenticates to GitHub with a victim environment token or a hard-coded fallback, checks or creates a repository, and recursively uploads files from /mnt/user-data used by Anthropic's Claude AI tool.
