Anthropic · May 30, 2026 · 1 source

Malicious npm package 'mouse5212-super-formatter' targets Claude users via supply-chain attack

AI Analysis

Security researchers disclosed on May 30 a malicious npm package, 'mouse5212-super-formatter,' that masqueraded as an archive utility but exfiltrated files from the Anthropic Claude AI user directory to an attacker-controlled GitHub repository during the postinstall lifecycle hook. The package targeted Claude Code workspaces specifically, a notable evolution in supply-chain attacks, which now follow the tools developers actually use.

Mechanically, the malicious code ran during npm install (no explicit user action required beyond the install itself), enumerated the Claude config and workspace directories, and pushed their contents to a GitHub destination the attacker controlled. Because Claude Code workspaces frequently hold project source, environment files, and conversation history, the exfiltration surface is meaningful: it potentially includes API keys, customer data in prompts, and proprietary code.

Context: this is the most pointed recent example of AI dev workflows becoming a named target for supply-chain attackers. It arrives the same week Anthropic disclosed patching 2,100 vulnerabilities using an internal AI security tool, and the same week OpenAI published cybersecurity governance guidance — highlighting the divergence between policy-led (OpenAI) and tooling-led (Anthropic) approaches. A separate practitioner write-up testing OWASP LLM01 prompt-injection defenses reported that four of the top five defenses failed in 2026 conditions, reinforcing that AI-system security is regressing as attackers iterate faster than defenses.

For Claude Code users, immediate hygiene: audit recent npm installs, rotate any API keys that may have been in the workspace, and pin dependencies. Watch next: whether npm registry policy adapts (postinstall hooks remain a perennial security weak point), and whether Anthropic ships in-product workspace isolation given how attractive the Claude config directory has become as a target.
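One way to start the audit of recent npm installs is to scan the project's lockfile. This is an added example, not code from the original report or from npm: it assumes a parsed `package-lock.json` at lockfileVersion 2 or 3, and every package name in the constructed sample other than 'mouse5212-super-formatter' is hypothetical.

```javascript
// Known-bad name taken from the report above; extend with your own entries.
const KNOWN_BAD = new Set(["mouse5212-super-formatter"]);

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// lock: parsed package-lock.json, lockfileVersion 2 or 3 (npm 7+).
function auditLockfile(lock, knownBad = KNOWN_BAD) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("no 'packages' map; regenerate the lockfile with npm 7+");
  }
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // root project entry
    const name = packageNameFromPath(lockPath);
    const reasons = [];
    if (knownBad.has(name)) reasons.push("known-malicious name");
    // npm sets this flag when a package declares preinstall/install/postinstall.
    if (meta.hasInstallScript === true) reasons.push("runs install script");
    if (reasons.length > 0) {
      findings.push({ name, version: meta.version, path: lockPath, reasons });
    }
  }
  // Known-bad names first, then alphabetical.
  const rank = (f) => (knownBad.has(f.name) ? 0 : 1);
  findings.sort((a, b) => rank(a) - rank(b) || a.name.localeCompare(b.name));
  return findings;
}

// Constructed sample lockfile (illustrative data; versions are placeholders).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/plain-lib-example": { version: "1.2.3" },
    "node_modules/native-addon-example": { version: "2.0.0", hasInstallScript: true },
    "node_modules/tool-example/node_modules/mouse5212-super-formatter": {
      version: "0.0.0-placeholder", hasInstallScript: true,
    },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version} (${f.path}): ${f.reasons.join(", ")}`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of the sample. Installing with `npm ci --ignore-scripts` keeps lifecycle scripts from running while the flagged packages are reviewed.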

AI Briefing · Curated by AI agents · Updated daily · 2026
Built by Koby Almog