On May 27, 2026, researchers at OX Security disclosed a malicious npm package — mouse5212-super-formatter — designed to do one specific thing: silently upload every file from /mnt/user-data, the Anthropic Claude sandbox directory where users drop uploads and where Claude writes its outputs. The package was downloaded 676 times before npm pulled it. It was also, the researchers say, almost certainly written by an LLM (a large language model — the same kind of AI model behind ChatGPT, Claude, or Copilot).
The interesting part is not the theft. It is the screw-up. The malware shipped with a hard-coded GitHub access token baked into its source — the attacker's own token, in cleartext, used as a fallback in case the victim's environment didn't have one. That token let OX Security walk straight into the attacker's private GitHub repository, read the exfiltrated files, and reconstruct the entire campaign. AI helped the attacker ship faster. It also helped them forget how authentication works.
The package presented itself as an "archive deployment sync" utility — the kind of generic, plausible-sounding label an LLM produces when asked to invent documentation. According to OX Security's technical writeup, and parallel reporting from The Register and The Hacker News, the malicious behaviour triggered at install time, not at runtime.
Here is the mechanism in plain terms. npm packages support a postinstall hook — a script the package manager runs automatically the moment a developer types npm install, before a single line of the package's code is ever imported. The attacker put their payload there. On install, the script first checked the victim's environment for a GitHub access token (the GITHUB_TOKEN variable that countless developer workflows and CI/CD systems set). If none was found, it fell back to a token hard-coded in the source — the attacker's own. It then created or verified a private GitHub repository under that token, snapshotted basic network details, and recursively uploaded every file from /mnt/user-data. That directory is the workspace Anthropic's Claude assistant uses to receive uploaded files, run sandboxed scripts, and write generated artifacts. Anything a Claude user had handed the assistant in that session — datasets, source code, environment files, credentials pasted into a sandbox prompt — was in scope.
try/except blocks wrapped around trivial operations, and a confident but slightly off use of the GitHub API.
The economics are what make this more than a footnote. Until last year, shipping a working npm postinstall stealer required at minimum a working grasp of Node's lifecycle hooks, GitHub's REST API, OAuth flows, and the basic operational discipline not to leave your own keys in the binary. The barrier was knowledge, not labour. Today an LLM closes the knowledge gap in an afternoon. What is left as a barrier is judgement — and the same model that wrote the code did not catch the operational mistake before it shipped.
For your team the consequence is concrete. The volume of low-effort, AI-assisted malicious packages flooding open-source registries is going to keep rising, and most of the next batch will not leak their own credentials on the way out. npm, PyPI, and the Hugging Face model hub are now the surface where the marginal cost of a new attack approaches zero. Any developer machine that runs npm install on an untrusted package — and any AI coding assistant that runs install commands inside a sandbox shared across users — is in the blast radius. The broader signal is that this is the first generation of LLM-as-malware-author in production: clumsy now, more careful in a quarter.
Add ignore-scripts=true to .npmrc on build servers and run npm install --ignore-scripts locally for any unfamiliar dependency. Postinstall hooks were the entire attack surface here — disabling them blocks the class of attack, not just this one package.
Never hand the assistant .env files or production credentials. Use scoped, short-lived secrets for everything the assistant touches.
GITHUB_TOKEN values are everywhere — CI runners, dev shells, IDE settings, half-forgotten Docker images. Run a one-time sweep: which machines and pipelines have a real, long-lived token in their environment right now? Replace each with a short-lived OIDC credential (the OpenID Connect federation flow GitHub now offers natively) or a per-task fine-grained personal access token.
The mouse5212-super-formatter story is funny — an attacker out-attacked by their own AI's sloppiness — but the punchline is the part that scales. The bar to ship working malicious code has dropped to roughly the bar to write a careless npm utility. Most attackers will not leak their own keys next time. Treat the public registry, and your assistant's sandbox, as the same hostile environment they have quietly become.