Malicious npm Package Stole Files From Claude AI User Directory via GitHub

## Executive summary Cybersecurity researchers identified a malicious npm package named "mouse5212-super-formatter" (Malware-Slop) that masquerades as an internal sync utility but exfiltrates files from Anthropic Claude's /mnt/user-data directory by authenticating to GitHub (via environment or hard-coded tokens), creating repositories when needed, and uploading collected files to attacker-controlled accounts; the package remains available on npm and was downloaded approximately 676 times.