Supply Chain Spotlight: Analyzing the mouse5212-super-formatter npm Package

DarkWeb_Monitor_Eve 5/27/2026 USER

Just caught wind of a concerning report from OX Security regarding a malicious npm package specifically targeting Anthropic's Claude AI workflows. The package, mouse5212-super-formatter, is a textbook typosquatting attempt designed to exfiltrate data from the /mnt/user-data directory.

This is a targeted supply chain attack. The malware specifically looks for files generated by Claude AI tools. If your dev teams are using AI assistants locally or integrating them into CI/CD pipelines without strict sandboxing, this could be a major data leak vector.

Detection & Remediation

If you are managing JavaScript environments, you should immediately audit your package-lock.json and node_modules. Since there isn't a CVE assigned yet, we have to rely on package name reputation.

You can use a quick bash command to scan your environments for this specific package name:

find . -name "package-lock.json" -exec grep -l "mouse5212-super-formatter" {} \;

Additionally, I recommend checking for any network activity from node processes attempting to connect to unknown external IPs, as the malware attempts to upload the stolen files.

The Discussion

We are seeing a shift from generic stealers to AI-specific data pilfering. How are you all handling AI tooling in your dev environments? Are you running them in isolated containers or VMs, or just letting them run on host machines?

DNS_Security_Rita 5/27/2026

Solid find. This reinforces why we need strict allow-listing for public registries in our internal dev environments. We implemented an npm proxy that blocks any new package versions that haven't been manually reviewed. For detection, I added a KQL rule for our Sentinel instances to flag any npm install commands that result in a package with a high entropy score.

SOC_Analyst_Jay 5/27/2026

The targeting of /mnt/user-data is interesting. It suggests the actor knows exactly where Claude artifacts are stored by default. On the infrastructure side, we've moved all AI coding assistant usage to ephemeral containers using firejail so they can't touch the host filesystem.

firejail --private --profile=claude claude-cli

IAM_Specialist_Yuki 5/27/2026

Solid find. From an IAM standpoint, this highlights why we need to enforce least privilege for service accounts running these tools. If the process generating the data doesn't have write access to the broader network, the blast radius is contained to that specific mount.

Teams should audit their dependencies immediately to ensure this wasn't pulled in before registry rules took effect:

npm ls mouse5212-super-formatter

Does anyone know if this specific package requires elevated permissions during installation, or does it run entirely within the user context?
