A malware developer created an AI-coded malicious npm package called mouse5212-super-formatter, intended to steal files from Claude users. The package leaked its own GitHub private token, allowing researchers to trace the stolen files and analyse the malware—a self-own that underscores the risks of AI-generated malware without proper operational security.
What happened? On May 28, 2026, Ox Security researchers discovered an npm package that posed as an internal archive deployment sync utility but was actually an infostealer targeting Claude users. It reached 676 downloads before being taken down. The malware used a hard-coded GitHub private token to authenticate itself, and that same token was inadvertently exposed in the package’s own code, giving researchers direct access to the stolen files and the threat actor's account.
Overview and Current Relevance
The incident is a textbook case of AI-generated malware that fails at basic operational security. According to Ox Security’s report, the package mouse5212-super-formatter masqueraded as an “archive deployment sync utility.” In reality, it authenticated to GitHub using either an environment variable or, as a fallback, a hard-coded token. This token wasn’t a placeholder—it was a live, valid private token belonging to the developer’s own GitHub account.
The package then checked whether a target repository existed, created it if needed, and recursively walked a local directory uploading every file through the GitHub Contents API. Stolen files were stored under a random per-run folder name, and the malware wrote a fake network connections log to make “execution look like diagnostics rather than theft.” This level of deception suggests AI assistance, but the operational security failure is striking.
The Malware’s Mechanics
Breaking down the attack flow:
- Entity: The npm package (malicious infostealer). Mechanism: It used the GitHub Contents API to upload local files to a remote repo. Outcome: Data exfiltration without raising immediate alarms.
- Entity: Hard-coded GitHub token. Mechanism: The token was embedded in source code as a fallback. Outcome: Researchers extracted the token, traced the stolen files, and accessed the attacker’s GitHub account, linking them to the malware.
- Entity: Fake network log. Mechanism: The malware generated dummy connection records. Outcome: Any system administrator reviewing logs might dismiss the activity as routine diagnostics.
The use of a hard-coded token is a classic mistake—but one that reveals a deeper truth: the developer likely had limited understanding of secure credential management. The token was intended only as a fallback, yet its presence in the distributed package turned the malware into a self-incriminating document.
Token hardcoded. Package uploaded. Self-own complete. That’s the sequence in 11 words.
The Self-Own: Leaked Token
Ox Security’s researchers discovered the token by analyzing the package’s source code. Once they had the token, they could trace the stolen files and analyse the full scope of the malware. The threat actor’s GitHub account linked to the package has since been deleted.
The irony is thick: AI generated the malware, but AI didn’t teach the developer to rotate tokens or use environment variables securely. This is not a case of leading-edge AI sophistication—it’s a case of low-effort automation without understanding. The researchers labeled the malware type as “Infostealer/Malware-Slop” in their chart. Hard to argue with that.
Hard-Stop Verdict: The token leak wasn’t an accident—it was the logical consequence of using AI to write security-sensitive code without manual review.
[Ad break 2 – suitable for in-content ad]
AI Coding Involvement: Evidence and Inference
Ox Security suspects AI generation based on the nature of the opsec failure and code patterns. Provided evidence: The researchers specifically raised suspicions of AI coding involvement after tracing the leaked token and analysing the package structure. Documented synthesis: Ox Security categorized the malware as “Infostealer/Malware-Slop,” a label that points to the sloppy, automated quality of the code. Reasoned inference (mark as inference): The developer may have instructed an AI to write an npm package that archives files to a remote Git repo without specifying secure authentication, and the AI included a hard-coded token as a fallback because that is a common pattern in training data. The developer then shipped it without review.
This is not a knock on AI coding in general—it’s a warning that automated code generation amplifies human blind spots. When a developer doesn’t understand the output, they cannot evaluate its security implications.
Implications for Cybersecurity
Three lessons from this incident:
- AI-generated malware is real but flawed. Threat actors are leveraging AI to generate malware without understanding basic opsec concepts and best practices, as Ox Security noted. However, the results often contain embedded secrets or logic errors that work in defenders’ favor.
- Hard-coded secrets remain a critical opsec failure. Even attackers leveraging new tools slip up on fundamentals. AI made it easier to produce a functional package while the human omitted the safeguard step of removing embedded credentials.
- Defenders can exploit these failures. By scanning npm registries for packages containing embedded tokens, researchers can proactively identify malicious uploads. In this case, the token was the giveaway that allowed researchers to trace stolen files.
676 downloads. That’s the reach. But the package is gone now, and the developer’s GitHub account has been deleted.
What This Means for Developers and Researchers
Practical tips (adapted to cybersecurity context):
- Always scan third-party npm packages for hard-coded secrets before use.
- Be skeptical of packages that claim to be internal tools but have obscure names (e.g., “super-formatter”).
- If you use AI to generate code, review authentication, credential handling, and error paths manually. The AI won’t tell you it embedded a valid token.
- Monitor your own GitHub tokens for unexpected use. The stolen token would have appeared in access logs if the victim had auditing enabled.
Let’s be blunt: if you’re going to write malware, at least don't leave your house key in the door. AI didn’t force the developer to ship a live token—that was a choice.
FAQ
How many people downloaded the malicious package?
676 downloads before it was removed, according to Ox Security.
How did researchers discover the GitHub token?
The token was hard-coded in the package’s source code as a fallback authentication method. Researchers analysed the code and found the exposed token.
Was AI definitely used to write this malware?
Not proven beyond doubt, but the leaked token and code patterns raised Ox Security’s suspicions of AI coding involvement. The researchers labeled it "Infostealer/Malware-Slop."
What was the token used for?
To authenticate to the GitHub API and upload stolen files to a repository owned by the attacker.
Is the attacker still active?
The GitHub account linked to the package has been deleted. It is unclear if the attacker has other aliases.
Sources: Ox Security research report, PC Gamer (May 28, 2026), The Register. No firsthand tests or benchmarks were performed; all claims are based on published documentation.
