Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Malicious npm Package Targets Claude AI User Data

Malicious npm Package Targets Claude AI User Data

Posted on May 27, 2026 By CWS

Cybersecurity experts have identified a new threat in the npm registry, involving a package that steals user data from Anthropic’s Claude AI. This package, known as ‘mouse5212-super-formatter,’ poses a significant risk by targeting the ‘/mnt/user-data’ directory, a critical component of Claude AI’s file management system. The operation, labeled as Malware-Slop by OX Security, underscores the growing vulnerabilities within software supply chains.

How the Malicious Package Operates

Upon detailed examination, the package masquerades as a legitimate ‘archive deployment sync’ utility. It deceptively validates or initializes a GitHub repository, captures network status snapshots, and synchronizes local files to a remote repository. However, its true intent is revealed when it authenticates to GitHub during the post-installation phase, using either a discovered or hard-coded access token. If a target repository does not exist, it creates one and uploads files to a repository controlled by the attacker.

This process involves storing files in randomly named directories, which aids the threat actor in distinguishing between different data theft incidents. The malware further disguises its activity by generating fake network logs, misleading users into believing the operations are standard diagnostic processes.

Current Status of the Package

Despite its malicious nature, the package remains available for download on npm, having been accessed 676 times. The exact number of installations is unknown. Notably, the associated GitHub account has since been deactivated, but it was initially established shortly before the package’s first upload on May 26, 2026. This timing hints at a well-coordinated release strategy.

Interestingly, the package inadvertently disclosed sensitive details about the GitHub account, including a private token. This raises questions about the attackers’ operational security measures and suggests potential use of AI in developing the malware, albeit with significant lapses in maintaining security protocols.

Implications and Future Outlook

The ease with which malicious code can now be created has lowered the barrier to entry for cybercriminals. OX Security warns that this trend could lead to an influx of poorly constructed malware, with new actors mimicking advanced persistent threat (APT) groups to exploit vulnerabilities until npm implements more stringent automatic blocking measures.

The incident highlights the urgent need for enhanced security in software repositories and the importance of maintaining robust operational security practices among developers and users alike. As the threat landscape evolves, vigilance and innovation in cybersecurity measures will be crucial to mitigating future risks.

The Hacker News Tags:AI security, Claude AI, Cybersecurity, GitHub, information theft, Malware, npm security, OX Security, supply chain attack, threat intelligence

Post navigation

Previous Post: Critical ‘BadHost’ Flaw Threatens AI Server Security
Next Post: AI’s Growing Threat: UK’s Cyber Chief Warns of Russia

Related Posts

Bitwarden CLI Breach Highlights Supply Chain Risks Bitwarden CLI Breach Highlights Supply Chain Risks The Hacker News
Researchers Capture Lazarus APT’s Remote-Worker Scheme Live on Camera Researchers Capture Lazarus APT’s Remote-Worker Scheme Live on Camera The Hacker News
3,000 YouTube Videos Exposed as Malware Traps in Massive Ghost Network Operation 3,000 YouTube Videos Exposed as Malware Traps in Massive Ghost Network Operation The Hacker News
UNG0002 Group Hits China, Hong Kong, Pakistan Using LNK Files and RATs in Twin Campaigns UNG0002 Group Hits China, Hong Kong, Pakistan Using LNK Files and RATs in Twin Campaigns The Hacker News
How to Gain Control of AI Agents and Non-Human Identities How to Gain Control of AI Agents and Non-Human Identities The Hacker News
Why BAS Is Proof of Defense, Not Assumptions Why BAS Is Proof of Defense, Not Assumptions The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • KittySploit: AI-Driven PenTesting with Over 1150 Modules
  • Cybersecurity Update: Linux Flaws, Ubiquiti Issues, Accenture Breach
  • Apple Accuses OpenAI of Trade Secret Misappropriation
  • Espionage Campaigns Target Pakistani Police Portals
  • Compromised jscrambler npm Package Drops Infostealer

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • KittySploit: AI-Driven PenTesting with Over 1150 Modules
  • Cybersecurity Update: Linux Flaws, Ubiquiti Issues, Accenture Breach
  • Apple Accuses OpenAI of Trade Secret Misappropriation
  • Espionage Campaigns Target Pakistani Police Portals
  • Compromised jscrambler npm Package Drops Infostealer

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark