Malicious npm Package Stole Files From Claude AI User Directory via GitHub
A malicious npm package named “mouse5212-super-formatter” was found on the npm registry with information-stealing behavior. The package targets “/mnt/user-data,” a directory used by Anthropic’s Claude tool for uploads and outputs. It masquerades as an internal “archive deployment sync” utility that validates or initializes a GitHub repository and captures a “network status” snapshot. During postinstall, it authenticates to GitHub using an access token from the victim environment or a hard-coded fallback token. It checks for a target repository, creates it if missing, and recursively uploads every file to an attacker-controlled GitHub account. Stolen files are placed in randomly named folders, and a fake “network connections” log is written to obscure activity. The package remains available on npm and has been downloaded 676 times, though actual installs are unclear.
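A defender can triage a package for the behavior described above before it is installed. The following is an added example, not code from the package or from the original report: it flags install-time lifecycle hooks whose command or referenced script touches "/mnt/user-data", the GitHub API, or a GitHub token. The function names, regexes, verdict labels and sample input are assumptions made for illustration, and the caller is assumed to supply the parsed package.json and the text of the package's files.

```javascript
// Hooks npm runs automatically on `npm install`; the reported package used postinstall.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Indicators derived from the behaviour described in the report (regexes are this example's own).
const INDICATORS = [
  { id: "claude-user-data", re: /\/mnt\/user-data/ },
  { id: "github-api", re: /api\.github\.com/ },
  { id: "env-token", re: /process\.env\.\w*(TOKEN|GITHUB)\w*/i },
  { id: "hardcoded-token", re: /\b(ghp_[A-Za-z0-9]{36}|github_pat_\w{20,})/ },
];

// manifest: parsed package.json; files: { "relative/path.js": "source text" } from the tarball.
function auditPackage(manifest, files) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // Scan the hook command and every package file the command names.
    const targets = [[`scripts.${hook}`, cmd]];
    for (const [path, text] of Object.entries(files)) {
      if (cmd.includes(path)) targets.push([path, text]);
    }
    for (const [where, text] of targets) {
      for (const { id, re } of INDICATORS) {
        if (re.test(text)) findings.push({ hook, where, indicator: id });
      }
    }
  }
  return findings;
}

// "block": an install hook touches the Claude directory and GitHub; "review": any install hook.
function verdict(manifest, files) {
  const ids = new Set(auditPackage(manifest, files).map((f) => f.indicator));
  const hasHook = INSTALL_HOOKS.some((h) => (manifest.scripts || {})[h]);
  if (ids.has("claude-user-data") && (ids.has("github-api") || ids.has("hardcoded-token"))) return "block";
  return hasHook ? "review" : "ok";
}

// Constructed sample input (not the real package's contents): inert strings only.
const sampleManifest = { name: "example-formatter", scripts: { postinstall: "node scripts/sync.js" } };
const sampleFiles = {
  "scripts/sync.js": [
    `const token = process.env.GITHUB_TOKEN || "ghp_${"X".repeat(36)}";`,
    'const root = "/mnt/user-data";',
    "// requests to https://api.github.com/ elided in this sample",
  ].join("\n"),
};

console.log(verdict(sampleManifest, sampleFiles), auditPackage(sampleManifest, sampleFiles));
```

Installing with `npm install --ignore-scripts` keeps lifecycle hooks from running at all, which leaves time for a check like this one.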
"The stolen files are stored within randomly named folders to help the operator distinguish between different theft sessions. The malware also writes a fake “network connections” log to give the impression that it's sending diagnostic information, while obscuring its true operational behavior of unauthorized collection and remote transfer of local data."
Read at The Hacker News