An NPM Package Tried To Exfil Claude's Working Directory And Leaked Its Own GitHub Token. Malware-Slop Is The First AI-Tool-Working-Directory Receipt. The Next Wave Comes For Cursor.
- Patrick Duggan
- 18 hours ago
- 5 min read
A malicious npm package named mouse5212-super-formatter was disclosed by researchers two days ago and is still available for download from npm at the time of writing. The campaign codename, assigned by the research team that named it, is Malware-Slop. The package presents itself as an archive deployment sync utility. Its actual capability is more pointed: it authenticates to GitHub using an environment token or a hardcoded fallback, creates a target repository if none exists, then recursively walks the local directory tree at /mnt/user-data and uploads every file through the GitHub Contents API to the attacker-controlled repository.
The /mnt/user-data path is significant. It is the working directory that Anthropic's Claude AI tool uses to handle uploads and outputs in the background. Developers running Claude Code, operators running Claude Projects, anyone using the Anthropic API surface with file attachments, and users of the Claude desktop apps may have working data in that path. Malware-Slop's exfil routine targets the entire directory tree.
The novelty is not the npm-package vector. The npm-package vector has been the dominant supply-chain primitive in 2026 — we have written about TanStack, the Mini-Shai-Hulud campaign, the Nx Console extension compromise, and the @antv data-visualization package family in the last three weeks alone. The novelty here is the target directory. Malware-Slop is the first widely-reported receipt for an attack that explicitly targets an AI-tool working directory as the primary exfiltration surface.
The contents of an AI-tool working directory are not just the developer's files in the general sense. They are the material the developer deliberately chose to share with an AI assistant, which tends to be the most sensitive material they handle. The reason a person uploads a file to Claude is usually that the file is the source of confusion, the source of a bug, or the source of decisions worth debating with an LLM. Source code drafts the developer pasted in for refactoring. Configuration files the developer uploaded for diagnosis. Database schemas with embedded credentials. API keys and OAuth tokens the developer pasted in to ask Claude to help fix an integration. Internal documents the developer uploaded for summarization or analysis. Build artifacts the developer used Claude Code to produce. Those files carry a higher sensitivity-per-byte ratio than the developer's git repository, because the developer's instinct around git is to scrub secrets before commit, while the developer's instinct around AI-chat context is closer to the instinct around a journal: high-trust, conversational, less curated.
The same shape applies to every AI tool with a file-upload affordance and a privileged working directory. Cursor's working buffer. GitHub Copilot's context window. Codex's prior-session memory. ChatGPT Code Interpreter's /mnt/data directory. Replit Agent's project root. Every one of these tools has a privileged working directory that the developer treats with less caution than their git repo, because the AI assistant is operationally distinct from version control in the developer's mental model.
Malware-Slop's specific implementation is unsophisticated. The campaign GitHub account was created on May 26, hours before the first malicious version of the package was uploaded to npm. The download count at the time of disclosure was approximately 676, which is small. And the package leaked the attacker's private GitHub token in the bundled code, which is the kind of OPSEC failure a competent human operator would not make. Multiple researchers covering the disclosure flag the token leak as evidence that the threat actor used AI to generate the malware without implementing basic operational security best practices. The pattern fits. AI-assisted malware generation produces functional code that compiles and runs but does not encode the operator's threat-model intuition. An AI assistant asked to write an exfiltration package does not understand operator OPSEC the way a human operator with field experience does. The token-in-package error is the artifact of that capability gap.
The implication of the artifact, though, is not that AI-generated malware is harmless. The implication is the opposite. The operator population that uses AI to write malware is going to grow. The first operators in that population will produce OPSEC failures like Malware-Slop's. They will get caught. They will be the early-cycle research subjects who teach the threat-intelligence community how to fingerprint AI-generated malware code. Then the operator population will iterate. The iteration will close the OPSEC gaps. The directory-target methodology that Malware-Slop introduced — targeting the AI-tool working directory as the exfiltration surface — will not be the OPSEC-failure component. It will be the durable primitive that copies forward into more competent operators' toolkits.
The defender posture this implies is a small set of mental-model upgrades and audit habits.
Treat AI-tool working directories as crown-jewel paths. /mnt/user-data, /mnt/data, ~/.cursor, ~/Library/Application Support/Code/User, and the equivalent paths for other AI tools are not scratch space. They hold the developer's most sensitive, deliberately shared data, and they need the same auditing posture as production secrets.
Audit npm-package installs against the affected version of mouse5212-super-formatter. The package is named, the campaign codename is known, the remediation is mechanical removal from dependency trees.
Audit GitHub Contents API outbound traffic from CI runners and developer workstations. Unauthenticated or single-token uploads to a freshly-created repository from a non-canonical user account are the signature behavior. The behavior is detectable at the network egress layer if the defender has visibility into developer-machine traffic.
Rotate Anthropic API keys, GitHub tokens, and any third-party tokens that the AI tool would have had access to during any session where mouse5212-super-formatter was present in any installed peer dependency tree. The exfiltration window includes whatever was in the AI-tool working directory at the moment of installation; the credential rotation list extends to anything the AI tool could have read from environment or working state.
Pull the npm install logs for any project whose package.json resolves to this dependency directly or transitively. The small download count of approximately 676 makes the candidate set finite. Every candidate identified is worth a focused audit.
Watch the following ninety days for the predictable follow-on wave. Operators will copy the directory-target methodology against Cursor's working buffer, Copilot's context window, ChatGPT Code Interpreter's /mnt/data, and Replit Agent's project root. The npm-package or VS Code extension submissions to watch for are those that reference any of those paths in their executable body, that use the GitHub Contents API to upload files outbound from CI runners or developer workstations, or that disguise their actual function as a deployment sync, archive utility, context backup tool, or similar workspace-management framing. Our Sandtrout signal already catches the bot-author-email and forged-CI-identity primitives that the Mini-Shai-Hulud cluster uses. The directory-target primitive is the next signal we are back-filling. We will be writing about that work soon.
Today's takeaway is that the AI-tool-working-directory attack surface is now operational. Malware-Slop is the first receipt. It is unsophisticated, the operator leaked their own credentials, and the package's reach is small. None of that means the surface is uninteresting. It means the surface is interesting and the first operators on it are early in their cycle. The competent operators are next. Build the auditing posture this week, not next quarter.