New npm Supply Chain Attack Targets Claude AI Directories
Just came across a report from OX Security regarding a concerning supply chain attack specifically targeting AI workflows. A malicious package named mouse5212-super-formatter was found on the npm registry. Unlike generic info-stealers, this one is highly targeted, attempting to exfiltrate data from /mnt/user-data.
For those using Anthropic's Claude AI in dev environments, you know this directory is often used for handling uploads and outputs. If this package executes, it looks to siphon those files. It's a stark reminder that as we integrate AI tools into our pipelines, we introduce new attack surfaces.
If you manage npm registries, I'd recommend blocking this package immediately. You can scan your package-lock.* files with the following snippet:
grep -R "mouse5212-super-formatter" . --include="package-lock.*"
Additionally, review any Node processes that are attempting to reach out to the network immediately after installation. We're seeing a shift from crypto-miners to data-specific theft in the supply chain. How is everyone handling the security of mounting local directories into these AI coding assistants? Are you using sandboxes or VMs to isolate the /mnt/user-data path?
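As an added example (not code from the original post or from OX Security's report), here is a structured check that complements the grep above: it parses package-lock.json content and reports the blocked package by name, version and install path, covering both lockfileVersion 1 (nested "dependencies") and lockfileVersion 2/3 (flat "packages"), so a transitive pull-in is caught and a stray string match in a resolved URL is not. The two sample lockfiles and the version 9.9.9 are constructed placeholders, not the real malicious release.

```javascript
// Added example: scan npm lockfile contents for a blocked package name.
// Handles lockfileVersion 1 (nested "dependencies") and lockfileVersion 2/3
// (flat "packages" keyed by node_modules path), so transitive hits are found.
const BLOCKED = new Set(['mouse5212-super-formatter']);

function scanLockfile(text, blocked = BLOCKED) {
  const lock = JSON.parse(text);
  const hits = [];
  // v2/v3: "packages" maps "node_modules/a/node_modules/b" -> metadata
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length); // keeps @scope/name
    if (blocked.has(name)) hits.push({ name, version: meta.version, path });
  }
  // v1: nested "dependencies" tree (only walked when no "packages" map exists,
  // because v2 lockfiles carry both and would otherwise report duplicates)
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (blocked.has(name)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample: v3 lockfile where the package arrives transitively.
const SAMPLE_LOCK_V3 = JSON.stringify({
  name: 'demo-app', lockfileVersion: 3, packages: {
    '': { name: 'demo-app', dependencies: { 'left-pad-ish': '^1.0.0' } },
    'node_modules/left-pad-ish': { version: '1.0.0', dependencies: { 'mouse5212-super-formatter': '*' } },
    'node_modules/left-pad-ish/node_modules/mouse5212-super-formatter': { version: '9.9.9' }, // placeholder version
  },
});

// Constructed sample: legacy v1 lockfile with the same dependency shape.
const SAMPLE_LOCK_V1 = JSON.stringify({
  name: 'legacy-app', lockfileVersion: 1, dependencies: {
    'left-pad-ish': {
      version: '1.0.0', requires: { 'mouse5212-super-formatter': '*' },
      dependencies: { 'mouse5212-super-formatter': { version: '9.9.9' } }, // placeholder version
    },
  },
});

console.log(scanLockfile(SAMPLE_LOCK_V3), scanLockfile(SAMPLE_LOCK_V1));
```

To run it over a repository, read each package-lock.json from disk and pass its text to scanLockfile; a non-empty result is the signal to quarantine the project.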
Solid find. We actually pushed a custom YARA rule this morning to detect suspicious reads from that specific path tree. It's wild that attackers are already tailoring malware for AI tooling directories.
For those running CI/CD, ensure your npm install steps run as a non-root user with limited read access to the host. If the package can't read /mnt/user-data, the attack fails. Simple privilege separation helps here.
I've been arguing that we need to treat AI IDE plugins like untrusted browser extensions. We use a separate VM for Claude/Cursor interactions that has no access to our source code repos—only the specific files we're actively working on.
It adds a little friction, but it prevents a compromised package (or the AI itself) from scanning the entire drive. Definitely recommend air-gapping your main dev environment from these AI tools.
Thanks for the grep command. We ran it across our repos and came up clean, but it highlighted that we have some legacy projects still allowing global npm installs.
I'm updating our internal hardening guide to include a check for this specific package hash in our SBOM analysis. If anyone has the hash for the compromised version, please share it so we can add it to our allowlist.
Solid intel. Beyond endpoint isolation, we're blocking this at the registry level. If you use an internal npm proxy like Verdaccio or Nexus, update your blocklists to reject mouse5212-super-formatter immediately.
For runtime defense on Linux hosts, consider making that directory immutable if writes aren't required, or monitoring open syscalls with eBPF:
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat /strncmp(str(args->filename), "/mnt/user-data", 14) == 0/ { printf("Alert: %s opened by %s (pid %d)\n", str(args->filename), comm, pid); }'