May 28, 2026

Malware dev tries to steal Claude users' secrets and leaks own GitHub private token

A novice developer flooded npm with a sloppy infostealer targeting AI coding users, but embedded a hardcoded GitHub token that let researchers instantly map and dismantle the attack infrastructure.


An npm package named mouse5212-super-formatter accumulated 676 downloads before researchers traced it back to a hardcoded GitHub token. The threat actor, identified by the handle mouse5212, published a deliberate infostealer disguised as a formatting utility. The package was reported on May 27, 2026. By bundling their own authentication credentials in the source code, the developer turned a stealthy supply-chain drop into a transparent forensic exercise, allowing defenders to map the attack infrastructure almost instantly.

Anatomy of the Mouse5212 Payload

The core payload functions as a directory crawler. It recursively traverses local file systems, specifically targeting paths like /mnt/user-data. Once harvested, the script uploads stolen files to a remote GitHub repository using the GitHub Contents API. The choice of /mnt/user-data as a primary harvest target signals awareness of containerized development environments, where mounted volumes store persistent configuration and secret stores. This aligns with the operator's apparent intent to target users running AI coding assistants, where such mounts commonly hold API keys and project metadata.

To avoid detection, the operator implemented basic operational camouflage. The malware generates fake "network connections" logs and assigns randomized folder names per session, mimicking the behavior of benign diagnostic sync tools. Despite these disguises, the execution logic remains rudimentary. The reliance on standard filesystem APIs and predictable upload patterns made the activity easy to flag once analysts examined the binary behavior. The payload avoids aggressive persistence mechanisms, favoring quick extraction over long-term footholds—a tactic optimized for mass distribution rather than targeted espionage.

Attribution Through Negligence

The defining feature of this breach was not the sophistication of the theft, but the negligence of the deployment. The threat actor included a fallback GitHub private token directly within the malicious bundle. This hardcoded credential gave OX Security direct access to the attacker's repository and exfiltration endpoints. Instead of requiring weeks of reverse engineering, the leaked token served as an unintended beacon. Defenders used the credential to verify the scope of the damage and confirm the identity of the operator.

The threat actor's GitHub account was subsequently deleted, erasing much of the digital footprint. However, the token had already enabled a complete reconstruction of the attack timeline. This pattern highlights a recurring vulnerability in low-barrier development environments: when code quality drops, operational security collapses even faster. Hardcoded credentials in malware are no longer just a mistake; they are a liability that accelerates attribution timelines for defenders. Tools that scan for exposed tokens should treat leaked auth material as a priority triage signal.
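
The traits described in the two sections above (a hardcoded GitHub token, uploads through the GitHub Contents API, a crawl of /mnt/user-data) can be checked statically in a package's source before it is installed. The following JavaScript is an added example, not code from OX Security, The Register or the package itself; the signal ids, weights, thresholds and sample file contents are constructed for illustration.

```javascript
// Added example: static triage of npm package source before install.
// Signal ids, weights, thresholds and the sample files are constructed.
const SIGNALS = [
  // GitHub token shapes: classic prefixes (ghp_, gho_, ...) and github_pat_
  { id: 'hardcoded-github-token', weight: 5,
    re: /\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b/g },
  // GitHub Contents API route: /repos/{owner}/{repo}/contents/{path}
  { id: 'github-contents-api', weight: 3,
    re: /api\.github\.com\/repos\/[^\s'"`]+\/contents\b/g },
  // Mounted-volume path named in the article
  { id: 'user-data-mount', weight: 3, re: /\/mnt\/user-data\b/g },
  // Directory enumeration through Node's fs module (weak signal on its own)
  { id: 'fs-directory-walk', weight: 1,
    re: /\b(?:readdirSync|readdir|opendir)\s*\(/g },
];

// Never copy a full credential into a report or ticket.
const redact = (s) => s.slice(0, 8) + '...';

function triagePackage(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split('\n').forEach((line, i) => {
      for (const { id, weight, re } of SIGNALS) {
        for (const m of line.matchAll(re)) {
          const match = id === 'hardcoded-github-token' ? redact(m[0]) : m[0];
          findings.push({ id, weight, path, line: i + 1, match });
        }
      }
    });
  }
  // Score each distinct signal once so repeated hits do not inflate it.
  const seen = new Set(findings.map((f) => f.id));
  const score = SIGNALS.reduce((n, s) => n + (seen.has(s.id) ? s.weight : 0), 0);
  const verdict = score >= 8 ? 'block' : score >= 3 ? 'review' : 'allow';
  return { score, verdict, findings };
}

// Constructed sample: inert text carrying the traits the article describes.
const FAKE_TOKEN = 'ghp_' + 'A'.repeat(36); // not a real credential
const suspicious = { 'index.js': [
  "const fs = require('fs');",
  `const FALLBACK = '${FAKE_TOKEN}';`,
  "const ROOT = '/mnt/user-data';",
  "for (const f of fs.readdirSync(ROOT)) { /* ... */ }",
  "const url = 'https://api.github.com/repos/OWNER/REPO/contents/' + f;",
].join('\n') };
const benign = { 'index.js': "module.exports = (s) => s.trim();" };

console.log(triagePackage(suspicious).verdict, triagePackage(benign).verdict);
```

A single signal only reaches "review"; the token combined with an upload route or the mount path is what pushes a package to "block".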

The Slop Economy and Registry Risk

This incident exemplifies a structural shift in the npm threat landscape. Generative AI tools allow non-expert operators to assemble functional credential harvesters with minimal friction. The result is a deluge of low-quality, high-volume malware—"slop"—that floods registries with low-effort packages that aim to slip past initial filtering. Traditional defense models struggle with this shift. Manual review cannot keep pace with thousands of new packages daily, forcing organizations to rely on automated reputation scoring and behavioral heuristics.

Packages like mouse5212-super-formatter exploit gaps in these automated filters by adopting plausible names and superficial legitimacy. Similar to the multi-registry coordination seen in the TrapDoor campaign, this attack leverages the trust inherent in package managers—but scales differently. The trap lies in dependency management. Developers frequently install obscure or auto-generated packages without verifying provenance. Each installation expands the blast radius of potential compromise. As developers lean harder on AI-assisted workflows, the frequency of accepting unvetted dependencies increases, making structural guardrails the only viable buffer against noise-driven attacks.

Our Read

We see three critical takeaways from the mouse5212 case. First, AI-assisted malware lowers the floor for entry but does not raise the ceiling for impact. The damage depends less on the skill of the author and more on the exposure of the victim. Second, hardcoded credentials in malware create a feedback loop where poor opsec aids defenders. Every leaked token reduces the window of opportunity for attackers and provides intelligence for supply-chain monitors. Finally, the industry must enforce stricter pre-install integrity checks. Zero-default trust in CI/CD pipelines is no longer optional. Verification tooling must move beyond static signatures to include behavioral analysis and provenance validation at install time. The mouse5212 package proved that the weakest link in the supply chain is rarely the cryptography—it's the developer who forgets to scrub their own keys.


Reporting from OX Security and The Register.

The Signal

AI-generated brief

Hardcoded credentials in a low-effort npm infostealer highlight how AI-fueled supply-chain noise demands stricter pre-install verification and zero-trust CI/CD practices.

Stance · Cautious
Confidence · Emerging

The article treats the incident as evidence of a widening systemic vulnerability in open-source ecosystems that requires immediate defensive adaptation.

Key takeaways

  • Generative AI has drastically lowered the barrier to deploying functional credential-harvesting malware, flooding npm with low-quality packages designed to bypass initial filters.
  • Poor operational security, particularly hardcoded GitHub tokens, accelerated attacker attribution and allowed defenders to rapidly reconstruct the full attack timeline.
  • The payload specifically targets containerized AI coding environments by crawling mounted volumes like /mnt/user-data and exfiltrating data through the GitHub Contents API.
  • Automated reputation scoring alone cannot contain high-volume registry noise, necessitating a shift toward behavioral analysis and provenance validation at install time.

What to watch next

  • Platform-level adoption of behavioral analysis and provenance validation during package installation
  • Tracking metrics on AI-generated malware volume across npm, PyPI, and crates.io
  • Implementation of zero-default trust policies in corporate CI/CD pipelines

Who should care

  • Supply chain security teams
  • DevOps engineers
  • Open-source maintainers
  • Security researchers

Key players

  • mouse5212
  • npm
  • GitHub
  • OX Security

Auto-generated from the article by our model — a reading aid, not a replacement for the piece.
