Executive Summary
In May 2026, cybersecurity researchers identified a malicious npm package named "mouse5212-super-formatter" designed to exfiltrate files from the "/mnt/user-data" directory utilized by Anthropic's Claude AI tool. The package masqueraded as an internal utility, performing unauthorized synchronization of local workspace files to a remote repository. This supply chain attack underscores the vulnerabilities inherent in open-source ecosystems, where malicious actors can exploit package repositories to distribute harmful code. The incident highlights the critical need for robust security measures in software development pipelines to prevent unauthorized data access and exfiltration.
Why This Matters Now
The increasing frequency of supply chain attacks targeting open-source repositories like npm poses significant risks to software integrity and data security. Organizations must prioritize the implementation of stringent security protocols to safeguard against such threats.
Attack Path Analysis
The attacker introduced a malicious npm package, 'mouse5212-super-formatter', to the registry, leading to its installation in development environments. Upon installation, the package executed a script that authenticated to GitHub, created a repository, and uploaded files from the '/mnt/user-data' directory. This resulted in unauthorized exfiltration of sensitive data to a threat actor-controlled GitHub account.
Kill Chain Progression
Initial Compromise
Description
The attacker published the malicious 'mouse5212-super-formatter' package to the npm registry, which was subsequently installed by developers.
MITRE ATT&CK® Techniques
User Execution: Malicious Library
Application Layer Protocol: Web Protocols
Archive Collected Data: Archive via Utility
Exfiltration Over C2 Channel
Command and Scripting Interpreter: JavaScript
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Supply Chain Risk Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply-chain attacks targeting npm packages create critical risks for development workflows, requiring enhanced egress security and zero trust segmentation for CI/CD pipelines.
Information Technology/IT
Malicious npm packages compromise development environments and AI tools, necessitating multicloud visibility, threat detection, and secure hybrid connectivity for client infrastructures.
Computer/Network Security
Supply-chain vulnerabilities in developer tools expose security firms to data exfiltration risks, demanding inline IPS, cloud firewall controls, and cloud-native security fabric implementations.
Financial Services
AI tool compromises through supply-chain attacks threaten PCI compliance and sensitive data, requiring encrypted traffic controls and comprehensive egress policy enforcement mechanisms.
Sources
- Malicious npm Package Stole Files From Claude AI User Directory via GitHub: https://thehackernews.com/2026/05/malicious-npm-package-stole-files-from.html
- User identity and local data - Claude.ai Documentation: https://claude.com/docs/cowork/3p/data-storage
- Claude AI APIs Can Be Abused for Data Exfiltration: https://www.securityweek.com/claude-ai-apis-can-be-abused-for-data-exfiltration/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF would likely limit the malicious package's ability to execute unauthorized scripts during installation, reducing the risk of initial compromise.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely constrain the script's ability to access and misuse GitHub credentials, thereby limiting unauthorized actions.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely limit the script's ability to access and transfer data from the '/mnt/user-data' directory, reducing lateral movement.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely detect and limit unauthorized connections to external repositories, reducing command and control capabilities.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely limit unauthorized data transfers to external repositories, reducing data exfiltration risks.
The CNSF would likely reduce the overall impact by limiting the attacker's ability to access and exfiltrate sensitive data, thereby minimizing potential information disclosure and compliance violations.
Impact at a Glance
Affected Business Functions
- AI Development
- Data Analysis
- Software Development
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive user data stored in the /mnt/user-data directory of Claude AI, including personal files and proprietary information.
Recommended Actions
Key Takeaways & Next Steps
- Implement supply chain security measures to detect and prevent the inclusion of malicious dependencies in development environments.
- Enforce strict access controls and monitor the use of GitHub access tokens to prevent unauthorized repository creation and data exfiltration.
- Utilize anomaly detection systems to identify unusual data access patterns, such as unauthorized access to the '/mnt/user-data' directory.
- Apply egress security policies to monitor and control outbound connections to external repositories, preventing unauthorized data transfers.
- Conduct regular audits of installed packages and dependencies to identify and remove any that are not explicitly approved or are no longer maintained.