Malicious npm Package Stole Files From Claude's Sandbox
A malicious npm package quietly copied files from Claude's working directory and uploaded them to GitHub

Security researchers at OX Security found a package on npm called mouse5212-super-formatter built to do one thing: copy files out of an AI tool's sandbox and ship them to an attacker.
The target was specific. The package went after files in /mnt/user-data, the directory Anthropic's Claude uses to handle uploads and outputs while it works. If you fed Claude a contract, a customer list, source code, or anything else, that is where it lived during the session. This package wanted all of it.
How it worked
The trick was the install step. A package.json can declare preinstall, install and postinstall scripts, and npm runs them automatically, with the installing user's environment variables, the moment the package is installed. Nobody has to import the package or call anything; installing it is enough. This one used that window. It presented itself as a harmless archive sync utility, took a quick snapshot of network status to look legitimate, then quietly authenticated to GitHub and started uploading every file it could reach.
Where did it get GitHub access? Either from a token already sitting in the environment variables of the machine running the install, or from a fallback token hardcoded into the package itself. The stolen files landed in randomly named folders on a GitHub account the attacker controlled, with each folder marking a separate victim.
It even wrote a fake network connections log to make the activity look like routine diagnostics. The collection and the upload were the real job. The logs were set dressing.
The part that gives it away
The sloppy parts are what give it away: a fallback credential shipped in plain sight inside a package anyone can download and read, and a decoy log that does not survive a glance at the code. This is what AI-assisted malware looks like right now. The capability is real and the targeting is sharp, but the operational hygiene is poor. The bar to write working malware has dropped, so expect more of it, much of it half-baked.
The package reached 676 downloads and was still live at the time of reporting.
Why this matters for vibe-coded apps
Most founders shipping vibe-coded apps never read the dependencies their AI assistant pulls in. The model suggests a package, it gets installed, the app runs. That convenience is exactly the gap this attack used.
A few habits close most of it. Commit a lockfile and install with npm ci, so the exact versions you reviewed are the versions that ship; note that a lockfile only pins what you chose, it does not vet it, so a deliberately chosen malicious package still needs a human to look at it. Be suspicious of packages with install scripts, especially ones you have never heard of, and consider installing with --ignore-scripts so nothing runs on install unless you explicitly rebuild the few packages that need it. Keep secrets like API tokens out of your environment unless a process genuinely needs them; an install script sees everything the shell that launched it can see. And treat anything your AI tool touches as a real attack surface, because attackers already do.
If you build with AI coding tools and have never had a human look at what is actually running in your stack, that is the audit worth booking. VibeAudits does manual, black box reviews of vibe-coded apps and AI agent setups, the kind of inspection automated scanners miss. This package slipped past 676 installs. A second set of eyes is cheap insurance.