Malicious npm Package Mouse5212-Super-Formatter Steals Claude AI Data
Uninstall mouse5212-super-formatter and audit dependencies for malicious code.
Summary
Cybersecurity researchers discovered a malicious npm package named mouse5212-super-formatter that contains information-stealing capabilities. The package is designed to upload files from the /mnt/user-data directory, which is used by Anthropic's Claude AI tool to handle uploads and outputs. The malicious code exfiltrates data by sending it to an external server controlled by the attackers. The package was found in the npm registry and has been flagged as a security threat.
The attackers leveraged the package's integration with Claude to gain access to sensitive files generated during AI processing. The malicious payload remains dormant until the package is installed and executed within a Node.js environment. Security teams should remove the package from their dependency lists and audit for similar threats. The incident highlights the importance of scrutinizing third-party packages that interact with AI tools.
Key changes
- npm package mouse5212-super-formatter contains info-stealing code
- Targets /mnt/user-data directory used by Claude AI tool
- Exfiltrates files to an external attacker-controlled server
- Package remains dormant until installed in a Node.js environment
- Security teams should remove the package and audit dependencies
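One way to carry out the dependency audit, as an added example that is not part of the original report: a Node.js check that looks for mouse5212-super-formatter in a parsed package-lock.json, including transitive and aliased installs. The sample lockfiles, their versions, and the other package names are constructed for illustration, and `check-lock.js` is a hypothetical file name.

```javascript
const FLAGGED = 'mouse5212-super-formatter'; // package name taken from this page

// True when a lockfile entry is the flagged package, including npm aliases.
function isFlagged(key, meta, name) {
  const resolved = typeof meta.resolved === 'string' ? meta.resolved : '';
  const version = typeof meta.version === 'string' ? meta.version : '';
  return key === name || meta.name === name ||
    resolved.includes(`/${name}/-/`) ||       // registry tarball path
    version.startsWith(`npm:${name}@`);       // lockfileVersion 1 alias form
}

// Returns [{ path, version }] for every direct or transitive occurrence.
function findPackage(lock, name = FLAGGED) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ('' is the root project).
    for (const [key, meta] of Object.entries(lock.packages)) {
      const leaf = key.split('node_modules/').pop();
      if (key && isFlagged(leaf, meta, name)) hits.push({ path: key, version: meta.version || null });
    }
    return hits;
  }
  // lockfileVersion 1: nested dependency tree.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = trail.concat(dep);
      if (isFlagged(dep, meta, name)) hits.push({ path: here.join(' > '), version: meta.version || null });
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (versions and the other package names are made up).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/some-tool': { version: '2.1.0' },
  'node_modules/some-tool/node_modules/mouse5212-super-formatter': { version: '0.0.1' },
  'node_modules/fmt': { name: 'mouse5212-super-formatter', version: '0.0.1' }, // alias
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  'some-tool': { version: '2.1.0', dependencies: { 'mouse5212-super-formatter': { version: '0.0.1' } } },
} };

// CLI use: node check-lock.js path/to/package-lock.json
if (typeof require === 'function' && typeof module === 'object' && require.main === module && process.argv[2]) {
  const hits = findPackage(JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')));
  console.log(hits.length ? hits : `${FLAGGED} not found`);
}
```

A hit under a nested `node_modules` path means the package arrived transitively, so the parent dependency has to be removed or updated as well.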