{"slug": "malicious-npm-package-exfiltrates-files-from-claude-user-directory", "title": "Malicious npm Package Exfiltrates Files From Claude User Directory", "summary": "Cybersecurity researchers identified a malicious npm package named \"mouse5212-super-formatter\" designed to upload files from the \"/mnt/user-data\" directory used by Anthropic's Claude AI assistant. SOC Prime separately reported a related campaign using trojanized GitHub Releases to deliver Rust-based droppers deploying the Vidar infostealer and GhostSocks proxy. The attacks follow earlier exposure of Claude Code source maps through a misconfigured npm release, which researchers say enabled attackers to build targeted supply-chain lures.", "body_md": "# Malicious npm Package Exfiltrates Files From Claude User Directory\n\nCybersecurity researchers identified a malicious npm package named \"mouse5212-super-formatter,\" which researchers say was designed to upload files from the \"/mnt/user-data\" directory used by Anthropic's Claude, according to OX Security (reported by The Hacker News and IT Security News). SOC Prime separately reports a related lure campaign that used trojanized GitHub Releases to deliver Rust-based droppers that deploy the Vidar infostealer and GhostSocks proxy. Reporting by Trend Micro and Layer5 documents an earlier misconfigured npm release that exposed Claude Code source maps, creating an opportunity for attackers to build supply-chain lures.\n\n### What happened\n\nCybersecurity researchers discovered a malicious npm package named **\"mouse5212-super-formatter,\"** according to OX Security, as reported by IT Security News and The Hacker News. Per OX Security, the package contained code to upload files from **\"/mnt/user-data,\"** a directory associated with Anthropic's **Claude** that stores uploads and background outputs. 
SOC Prime's threat report documents a related set of operations in which threat actors used short-lived GitHub accounts and trojanized GitHub Releases to distribute Rust-built droppers, notably a payload identified as **TradeAI.exe**, which the report says decrypts embedded C2 URLs and deploys the **Vidar** infostealer and **GhostSocks** SOCKS5 proxy (SOC Prime). Reporting from Trend Micro and Layer5 recounts that a misconfigured npm package previously exposed Claude Code source maps and TypeScript source, which investigators link to the rise of supply-chain lures targeting developers and CI environments.\n\n### Editorial analysis - technical context\n\nReported details show two distinct but related supply-chain tactics: a malicious npm package performing targeted file exfiltration from a runtime directory, and a GitHub Release-based delivery mechanism dropping compiled malware. Companies facing similar threats commonly see attackers combine a software-container or CI execution path (npm installs, GitHub Actions, GitHub Releases) with post-execution dropper logic to translate a single compromise into credential and data theft. The GitHub Releases vector described by SOC Prime leverages archive artifacts rather than package registries, which changes detection dynamics because release artifacts are often reviewed less stringently than published packages.\n\n### Industry context\n\nReporting frames this story against a broader pattern where exposed source artifacts, such as shipped source maps, accelerate attacker reconnaissance and lure creation. Trend Micro and Layer5 document that the leaked Claude Code source maps expanded the attacker surface by revealing naming, build artifacts, and likely CI/packaging behaviors that can be mimicked by typosquats or fake repositories. 
Observed campaigns combining repository-level lures with compiled droppers and common infostealers like Vidar align with historical supply-chain exploitation trends seen across npm and other registries.\n\n### For practitioners\n\nMonitoring and hardening CI/CD and developer workflows is the immediate operational takeaway. Consider scanning builds and release artifacts for unexpected packaging changes, applying allowlists for third-party installs in build environments, and adding detections for unusual outbound uploads from paths used by runtime sandboxes. SOC Prime recommends isolating any detected endpoints, preserving malicious artifacts for analysis, and revoking exposed credentials; these are general incident-response steps attributed to SOC Prime's report, not prescriptions for any specific vendor.\n\n### What to watch\n\nObservers should track follow-up reporting from OX Security, SOC Prime, and vendor advisories for indicators of compromise and package takedown notices. Watch for additional malicious packages or repos that reuse naming patterns from the exposed Claude Code artifacts, and for detections that tie GitHub Release artifacts to post-execution droppers. If vendors publish patch notes or security advisories, those releases will provide the clearest source-attributed guidance on mitigation and impacted versions.\n\n## Scoring Rationale\n\nThis story highlights a notable supply-chain and repository-based campaign that leverages leaked source artifacts to distribute infostealers, which is directly relevant to ML/DS teams running CI pipelines and developer tooling. 
The technical playbook is not novel but the targeting of AI-tool directories and the rapid exploitation following source exposure make it a notable operational risk.", "url": "https://wpnews.pro/news/malicious-npm-package-exfiltrates-files-from-claude-user-directory", "canonical_source": "https://letsdatascience.com/news/malicious-npm-package-exfiltrates-files-from-claude-user-dir-964c4eec", "published_at": "2026-05-27 18:21:14.652618+00:00", "updated_at": "2026-05-27 18:21:17.183530+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools", "ai-products", "artificial-intelligence", "large-language-models"], "entities": ["Anthropic", "Claude", "OX Security", "SOC Prime", "Vidar", "GhostSocks", "Trend Micro", "Layer5"], "alternates": {"html": "https://wpnews.pro/news/malicious-npm-package-exfiltrates-files-from-claude-user-directory", "markdown": "https://wpnews.pro/news/malicious-npm-package-exfiltrates-files-from-claude-user-directory.md", "text": "https://wpnews.pro/news/malicious-npm-package-exfiltrates-files-from-claude-user-directory.txt", "jsonld": "https://wpnews.pro/news/malicious-npm-package-exfiltrates-files-from-claude-user-directory.jsonld"}}