

AI-Generated Malware Targeting Claude Users Fails After Developer Leaks Own GitHub Token

Saran K | May 28, 2026 | 3 min read


A Costly Coding Blunder

In a stark reminder that AI-generated code is only as reliable as the human overseeing it, a threat actor attempting to harvest data from Anthropic’s Claude users inadvertently handed researchers the keys to their own kingdom. The malware, distributed via a deceptive npm package named mouse5212-super-formatter, was designed to exfiltrate sensitive files from local environments. However, the attacker committed a critical oversight: they accidentally embedded their own private GitHub token within the code.

This error allowed researchers from OX Security to trace the stolen data and dissect the malware’s inner workings before it could cause widespread damage. According to the researchers, the package managed to rack up 676 downloads before being scrubbed from the npm registry. The incident highlights a growing trend of ‘sloppy’ malware development, where attackers lean heavily on AI to generate functional code but fail to implement basic security hygiene or operational security (OPSEC).

Targeting the AI Developer Workflow

The malware was engineered to target users of Claude, particularly those using the AI coding tool’s file-handling capabilities. The script scans the /mnt/user-data directory—the storage location Anthropic’s tool uses to manage file uploads, downloads, and generated code outputs.

To avoid detection, the package masqueraded as a legitimate internal utility. It claimed to be an “archive deployment sync” tool capable of validating GitHub repositories and synchronizing local workspaces with a remote tracking tree. Under the hood, however, the functionality was purely predatory. Once installed, the script authenticates to GitHub with a token taken from the environment, falling back to a hardcoded one, checks for a target repository, and recursively uploads every file in the targeted directory via the GitHub Contents API.

The Mechanics of the Theft

The researchers, Moshe Siman Tov Bustan and Nir Zadok, noted that the malware used base64 encoding to exfiltrate sensitive information. To further mask its activity, the script generated phony network connection logs, mimicking a diagnostic tool to deceive any user who might be monitoring their system logs.

The attacker also attempted to hide the AI-generated nature of the code. Rather than using typical AI hallmarks—such as overly verbose comments or telltale Russian-language artifacts common in certain APT (Advanced Persistent Threat) clusters—the author used “intentionally bland” technical comments and generic commit messages to blend in with legitimate open-source contributions.

The Rise of ‘AI Slop’ in Cybercrime

The speed of the attack suggests a highly compressed timeline. The associated GitHub account was created only hours before the first malicious version was uploaded to npm. After a brief period of testing the stealer’s capabilities on a dedicated “test” repository, the attacker launched the package, only to delete the GitHub account shortly after the operation failed.

This case exemplifies what security professionals are calling “malware slop.” As LLMs lower the barrier to entry for writing functional scripts, the volume of low-effort, high-risk packages on registries like npm is expected to rise. While these attacks may lack the sophistication of state-sponsored operations, their ability to target specific niches—like AI power users—makes them a potent threat.

Users who may have installed mouse5212-super-formatter are urged to immediately revoke their GitHub access tokens and audit their /mnt/user-data directories for any unauthorized access or missing files. As AI continues to integrate into the software development lifecycle, the risk of over-permissioned APIs and automated exfiltration tools remains a primary concern for enterprise security teams.
