[TIMESTAMP: 2026-05-27 17:12 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Malicious npm Package Targets Claude AI User Data — Technical Analysis

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Sensitive AI-generated content and user uploads are exfiltrated from local directories to attacker-controlled servers.
  • [02] Affected systems: Development environments where the mouse5212-super-formatter npm package is installed alongside Claude AI tools.
  • [03] Remediation: Audit dependencies for the malicious package and restrict file system access for third-party development modules.

The npm ecosystem remains a primary vector for sophisticated supply chain attack campaigns as threat actors pivot toward emerging artificial intelligence (AI) workflows. According to The Hacker News, security researchers at OX Security have identified a malicious package named “mouse5212-super-formatter” that specifically targets data associated with Anthropic’s Claude AI tool. The package is a targeted effort to harvest intellectual property and sensitive training data by monitoring specific directories used by AI interfaces.

Technical Analysis: How the mouse5212-super-formatter Package Operates

The malicious package, distributed via the public npm registry, masquerades as a standard formatting utility. Once integrated into a project, it starts a background process that targets the /mnt/user-data directory. In many containerized or virtualized environments, Claude AI uses this directory for file uploads, temporary processing, and background outputs. By going straight to this path, the attacker skips a general file discovery phase and immediately locates high-value files and proprietary data.

The exfiltration logic is embedded within the package’s post-install scripts or its primary execution logic, allowing it to run automatically upon installation or during routine project builds. This automation facilitates the silent transmission of files to an external C2 server. Because the CVE database does not yet list a specific entry for this package, defenders must rely on behavioral detection and dependency auditing to mitigate the risk.

Claude AI User Directory Security Risks

The targeting of /mnt/user-data indicates that the threat actors have specific knowledge of how Claude AI manages local data. Modern AI tools often require high-speed access to large datasets, leading developers to mount local volumes that lack the rigorous access controls applied to production databases. This exposure of the Claude AI user directory lets the malware read sensitive technical documentation, source code, or proprietary prompts that users upload for analysis. The stolen data gives the attacker deep insight into the victim’s development processes and internal strategies.

Defending Against npm Supply Chain Attacks

Identifying these threats requires a proactive approach to package management. Organizations often struggle to detect malicious npm packages before they execute within the development environment. Traditional SOC monitoring may fail to flag the activity if the exfiltration is disguised as legitimate HTTP traffic. EDR solutions, however, can surface unusual file access patterns originating from Node.js processes, specifically when those processes attempt to read from directories outside their defined project scope.

npm Supply Chain Attack Mitigation

To strengthen their security posture, teams should apply strict npm supply chain mitigations. These include using lockfiles (package-lock.json) to pin dependency versions and running automated scanning tools that cross-reference new packages against known malicious signatures and behavioral reports. Restricting the Node.js runtime’s permissions to only the directories it needs can prevent a compromised package from reaching sensitive locations such as the Claude AI data mount. Defenders should also audit their CI/CD pipelines to ensure that third-party code does not have unrestricted access to local storage or environment variables.
